
Windows Analysis Report
MEuu1a2o6n.exe

Overview

General Information

Sample name: MEuu1a2o6n.exe (renamed because original name is a hash value)
Original sample name: B686B0A91C6DA4D4EF4EB9894F41AAEF.exe
Analysis ID: 1581462
MD5: b686b0a91c6da4d4ef4eb9894f41aaef
SHA1: d5376faea233ddf3d41de066c35b8a51b88c2d02
SHA256: cea23cddf4b3ab0e7a61377df8dd847b52a7dd84ba5a3a6a3e547f329a5d29fa
Tags: exe, ValleyRAT, user-abuse_ch

Detection

GhostRat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (creates a PE file in dynamic memory)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected GhostRat
AI detected suspicious sample
Bypasses PowerShell execution policy
Connects to many ports of the same IP (likely port scanning)
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Loading BitLocker PowerShell Module
Sigma detected: Execution from Suspicious Folder
Sigma detected: Parent in Public Folder Suspicious Process
Sigma detected: Suspicious Program Location with Network Connections
AV process strings found (often used to terminate AV products)
Checks for available system drives (often done to infect USB drives)
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString, GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to clear windows event logs (to hide its activities)
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after accessing registry keys)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Installs a global mouse hook
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sleep loop found (likely to delay execution)
Stores large binary data to the registry
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • MEuu1a2o6n.exe (PID: 764 cmdline: "C:\Users\user\Desktop\MEuu1a2o6n.exe" MD5: B686B0A91C6DA4D4EF4EB9894F41AAEF)
    • cmd.exe (PID: 6460 cmdline: "C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Bilite\Axialis\Update.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • Update.exe (PID: 2344 cmdline: C:\Users\Public\Bilite\Axialis\Update.exe MD5: FB325C945A08D06FE91681179BDCCC66)
        • cmd.exe (PID: 2896 cmdline: cmd.exe /B /c "C:\Users\user\AppData\Local\Temp\\monitor.bat" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 772 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • tasklist.exe (PID: 5104 cmdline: tasklist /FI "IMAGENAME eq Update.exe" MD5: 0A4448B31CE7F83CB7691A2657F330F1)
          • findstr.exe (PID: 6548 cmdline: findstr /I "Update.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
          • timeout.exe (PID: 6528 cmdline: timeout /t 30 /nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
          • tasklist.exe (PID: 2056 cmdline: tasklist /FI "IMAGENAME eq Update.exe" MD5: 0A4448B31CE7F83CB7691A2657F330F1)
          • findstr.exe (PID: 3608 cmdline: findstr /I "Update.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
          • timeout.exe (PID: 4556 cmdline: timeout /t 30 /nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
          • tasklist.exe (PID: 5448 cmdline: tasklist /FI "IMAGENAME eq Update.exe" MD5: 0A4448B31CE7F83CB7691A2657F330F1)
          • findstr.exe (PID: 5608 cmdline: findstr /I "Update.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
          • timeout.exe (PID: 4944 cmdline: timeout /t 30 /nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
          • tasklist.exe (PID: 6668 cmdline: tasklist /FI "IMAGENAME eq Update.exe" MD5: 0A4448B31CE7F83CB7691A2657F330F1)
          • findstr.exe (PID: 6696 cmdline: findstr /I "Update.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
          • timeout.exe (PID: 6864 cmdline: timeout /t 30 /nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
        • cmd.exe (PID: 2672 cmdline: cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 6532 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 2764 cmdline: powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • cmd.exe (PID: 1712 cmdline: cmd.exe /C powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 2792 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 5076 cmdline: powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
No configs have been found
Source: Process Memory Space: Update.exe PID: 2344 | Rule: JoeSecurity_GhostRat | Description: Yara detected GhostRat | Author: Joe Security | Strings: (empty)

    System Summary

    Source: Process started | Author: Florian Roth (Nextron Systems), Tim Shelton | Data: Command: C:\Users\Public\Bilite\Axialis\Update.exe, CommandLine: C:\Users\Public\Bilite\Axialis\Update.exe, CommandLine|base64offset|contains: , Image: C:\Users\Public\Bilite\Axialis\Update.exe, NewProcessName: C:\Users\Public\Bilite\Axialis\Update.exe, OriginalFileName: C:\Users\Public\Bilite\Axialis\Update.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Bilite\Axialis\Update.exe, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6460, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Users\Public\Bilite\Axialis\Update.exe, ProcessId: 2344, ProcessName: Update.exe
    Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", CommandLine: cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Users\Public\Bilite\Axialis\Update.exe, ParentImage: C:\Users\Public\Bilite\Axialis\Update.exe, ParentProcessId: 2344, ParentProcessName: Update.exe, ProcessCommandLine: cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", ProcessId: 2672, ProcessName: cmd.exe
    Source: Network Connection | Author: Florian Roth (Nextron Systems), Tim Shelton | Data: DestinationIp: 118.107.44.219, DestinationIsIpv6: false, DestinationPort: 18852, EventID: 3, Image: C:\Users\Public\Bilite\Axialis\Update.exe, Initiated: true, ProcessId: 2344, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49790
    Source: Process started | Author: frack113 | Data: Command: powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", CommandLine: powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 2672, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", ProcessId: 2764, ProcessName: powershell.exe
    Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", CommandLine: powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 2672, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", ProcessId: 2764, ProcessName: powershell.exe
    Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
    2024-12-27T20:09:17.080066+0100 | 2052875 | 1 | A Network Trojan was detected | 192.168.2.4 | 49801 | 118.107.44.219 | 19091 | TCP
    2024-12-27T20:10:28.388205+0100 | 2052875 | 1 | A Network Trojan was detected | 192.168.2.4 | 49812 | 118.107.44.219 | 19091 | TCP


    AV Detection

    Source: MEuu1a2o6n.exe | Avira: detected
    Source: C:\Users\Public\Bilite\Axialis\Update.dll | ReversingLabs: Detection: 36%
    Source: C:\Users\user\AppData\Local\Temp\backup.dll | ReversingLabs: Detection: 36%
    Source: MEuu1a2o6n.exe | ReversingLabs: Detection: 26%
    Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.7% probability
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Code function: 3_2_6BD40020 CryptAcquireContextW,CryptCreateHash,CryptReleaseContext,CryptHashData,CryptDestroyHash,CryptReleaseContext,CryptHashData,CryptDestroyHash,CryptReleaseContext,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CryptDestroyHash,CryptReleaseContext,3_2_6BD40020
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Code function: 3_2_6BD41000 CryptAcquireContextW,CryptImportKey,CryptReleaseContext,CryptSetKeyParam,CryptDestroyKey,CryptReleaseContext,CryptSetKeyParam,CryptDestroyKey,CryptReleaseContext,CryptDecrypt,CryptDestroyKey,CryptReleaseContext,CryptDestroyKey,CryptReleaseContext,3_2_6BD41000
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Code function: 3_2_6BD3FD80 CryptStringToBinaryA,CryptStringToBinaryA,3_2_6BD3FD80

    Compliance

    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Unpacked PE file: 3.2.Update.exe.4210000.6.unpack
    Source: MEuu1a2o6n.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
    Source: Binary string: UpdaterSetup.exe.pdb source: MEuu1a2o6n.exe, 00000000.00000003.1786658826.0000000002D8D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \YSS\Release\Update.pdb source: MEuu1a2o6n.exe, 00000000.00000003.1786658826.0000000002B52000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000003.00000003.2506383329.0000000002F27000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
    Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000013.00000002.2659886433.0000000008AA0000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000013.00000002.2659886433.0000000008ABB000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: E:\agent\workspace\p-e3cf6c00cb1d4f41832c02872427999a\src\Ufo4WinMac\GamerUFO\ufo4Desktop\Output\bin\Release\UpdateApp.pdb source: MEuu1a2o6n.exe, 00000000.00000003.1786658826.0000000002B52000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000003.00000000.1803676417.0000000000022000.00000002.00000001.01000000.00000005.sdmp, Update.exe, 00000003.00000002.3541375098.0000000000022000.00000002.00000001.01000000.00000005.sdmp
    Source: Binary string: C:\Windows\System.Management.Automation.pdbpdbion.pdbN source: powershell.exe, 00000013.00000002.2664011155.0000000008B36000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000013.00000002.2652877300.0000000007B41000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000013.00000002.2623179546.0000000003304000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: UpdaterSetup.exe.pdbP source: MEuu1a2o6n.exe, 00000000.00000003.1786658826.0000000002D8D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb'K source: powershell.exe, 00000013.00000002.2659886433.0000000008ABB000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb|WA source: powershell.exe, 00000013.00000002.2652877300.0000000007B41000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: System.Management.Automation.pdbh source: powershell.exe, 00000013.00000002.2664011155.0000000008B36000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: E:\agent\workspace\p-e3cf6c00cb1d4f41832c02872427999a\src\Ufo4WinMac\GamerUFO\ufo4Desktop\Output\bin\Release\UpdateApp.pdb((& source: MEuu1a2o6n.exe, 00000000.00000003.1786658826.0000000002B52000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000003.00000000.1803676417.0000000000022000.00000002.00000001.01000000.00000005.sdmp, Update.exe, 00000003.00000002.3541375098.0000000000022000.00000002.00000001.01000000.00000005.sdmp
    Source: Binary string: \YSS\Release\Update.pdbp: source: MEuu1a2o6n.exe, 00000000.00000003.1786658826.0000000002B52000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000003.00000003.2506383329.0000000002F27000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | File opened: z:, x:, v:, t:, r:, p:, n:, l:, j:, h:, f:, b:, y:, w:, u:, s:, q:, o:, m:, k:, i:, g:, e:, [:
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: c:
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Code function: 3_2_6BEBED8C FindFirstFileExW,RevokeDragDrop,FindNextFileW,FindClose,FindClose,3_2_6BEBED8C
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Code function: 3_2_6BEBECDB FindFirstFileExW,3_2_6BEBECDB
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Code function: 3_2_6BDA7D6F __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,3_2_6BDA7D6F
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Code function: 3_2_042180F0 wsprintfW,GetLogicalDriveStringsW,lstrcmpiW,lstrcmpiW,QueryDosDeviceW,lstrlenW,__wcsnicmp,lstrcpyW,lstrcpyW,lstrcatW,3_2_042180F0

    Networking

    Source: Network traffic | Suricata IDS: 2052875 - Severity 1 - ET MALWARE Anonymous RAT CnC Checkin : 192.168.2.4:49801 -> 118.107.44.219:19091
    Source: Network traffic | Suricata IDS: 2052875 - Severity 1 - ET MALWARE Anonymous RAT CnC Checkin : 192.168.2.4:49812 -> 118.107.44.219:19091
    Source: global traffic | TCP traffic: 118.107.44.219 ports 18852,19091,1,2,5,8
    Source: global traffic | TCP traffic: 192.168.2.4:49790 -> 118.107.44.219:18852
    Source: Joe Sandbox View | ASN Name: BCPL-SGBGPNETGlobalASNSG
    Source: unknown | TCP traffic detected without corresponding DNS query: 118.107.44.219 (50 identical entries in the original report)
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Code function: 3_2_04212FD0 recv,select,recv,3_2_04212FD0
    Source: MEuu1a2o6n.exe, 00000000.00000003.1786658826.0000000002D8D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://.css
    Source: MEuu1a2o6n.exe, 00000000.00000003.1786658826.0000000002D8D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://.jpg
    Source: MEuu1a2o6n.exe, 00000000.00000003.1801134346.0000000006FB0000.00000004.00001000.00020000.00000000.sdmp, MEuu1a2o6n.exe, 00000000.00000003.1800100714.00000000007B0000.00000004.00001000.00020000.00000000.sdmp, MEuu1a2o6n.exe, 00000000.00000003.1786658826.0000000002D8D000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000003.00000003.2507132069.00000000013A3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
    Source: MEuu1a2o6n.exe, 00000000.00000003.1801134346.0000000006FB0000.00000004.00001000.00020000.00000000.sdmp, MEuu1a2o6n.exe, 00000000.00000003.1800100714.00000000007B0000.00000004.00001000.00020000.00000000.sdmp, MEuu1a2o6n.exe, 00000000.00000003.1786658826.0000000002D8D000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000003.00000003.2507036934.00000000013CB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
    Source: MEuu1a2o6n.exe, 00000000.00000003.1801134346.0000000006FB0000.00000004.00001000.00020000.00000000.sdmp, MEuu1a2o6n.exe, 00000000.00000003.1800100714.00000000007B0000.00000004.00001000.00020000.00000000.sdmp, MEuu1a2o6n.exe, 00000000.00000003.1786658826.0000000002D8D000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000003.00000003.2507036934.00000000013CB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
    Source: MEuu1a2o6n.exe, 00000000.00000003.1801134346.0000000006FB0000.00000004.00001000.00020000.00000000.sdmp, MEuu1a2o6n.exe, 00000000.00000003.1800100714.00000000007B0000.00000004.00001000.00020000.00000000.sdmp, MEuu1a2o6n.exe, 00000000.00000003.1786658826.0000000002D8D000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000003.00000003.2507036934.00000000013CB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
    Source: MEuu1a2o6n.exe, 00000000.00000003.1786658826.0000000002B52000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000003.00000003.2506383329.0000000002F27000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
    Source: MEuu1a2o6n.exe, 00000000.00000003.1786658826.0000000002B52000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000003.00000003.2506383329.0000000002F27000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
    Source: MEuu1a2o6n.exe, 00000000.00000003.1786658826.0000000002B52000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000003.00000003.2506383329.0000000002F27000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
    Source: MEuu1a2o6n.exe, 00000000.00000003.1786658826.0000000002B52000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000003.00000003.2506383329.0000000002F27000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
    Source: MEuu1a2o6n.exe, 00000000.00000003.1801134346.0000000006FB0000.00000004.00001000.00020000.00000000.sdmp, MEuu1a2o6n.exe, 00000000.00000003.1800100714.00000000007B0000.00000004.00001000.00020000.00000000.sdmp, MEuu1a2o6n.exe, 00000000.00000003.1786658826.0000000002D8D000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000003.00000003.2507132069.00000000013A3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
    Source: MEuu1a2o6n.exe, 00000000.00000003.1801134346.0000000006FB0000.00000004.00001000.00020000.00000000.sdmp, MEuu1a2o6n.exe, 00000000.00000003.1800100714.00000000007B0000.00000004.00001000.00020000.00000000.sdmp, MEuu1a2o6n.exe, 00000000.00000003.1786658826.0000000002D8D000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000003.00000003.2507036934.00000000013CB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
    Source: MEuu1a2o6n.exe, 00000000.00000003.1801134346.0000000006FB0000.00000004.00001000.00020000.00000000.sdmp, MEuu1a2o6n.exe, 00000000.00000003.1800100714.00000000007B0000.00000004.00001000.00020000.00000000.sdmp, MEuu1a2o6n.exe, 00000000.00000003.1786658826.0000000002D8D000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000003.00000003.2507036934.00000000013CB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
    Source: Update.exe, 00000003.00000003.2507036934.00000000013CB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
    Source: MEuu1a2o6n.exe, 00000000.00000003.1801134346.0000000006FB0000.00000004.00001000.00020000.00000000.sdmp, MEuu1a2o6n.exe, 00000000.00000003.1800100714.00000000007B0000.00000004.00001000.00020000.00000000.sdmp, MEuu1a2o6n.exe, 00000000.00000003.1786658826.0000000002D8D000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000003.00000003.2507036934.00000000013CB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
    Source: MEuu1a2o6n.exe, 00000000.00000003.1786658826.0000000002B52000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000003.00000003.2506383329.0000000002F27000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
    Source: MEuu1a2o6n.exe, 00000000.00000003.1786658826.0000000002B52000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000003.00000003.2506383329.0000000002F27000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
    Source: MEuu1a2o6n.exe, 00000000.00000003.1786658826.0000000002B52000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000003.00000003.2506383329.0000000002F27000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
    Source: MEuu1a2o6n.exe, 00000000.00000003.1786658826.0000000002D8D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://html4/loose.dtd
    Source: powershell.exe, 00000012.00000002.2651491613.00000000061E4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2640306400.0000000005F54000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
    Source: MEuu1a2o6n.exe, 00000000.00000003.1786658826.0000000002B52000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000003.00000003.2506383329.0000000002F27000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
    Source: MEuu1a2o6n.exe, 00000000.00000003.1801134346.0000000006FB0000.00000004.00001000.00020000.00000000.sdmp, MEuu1a2o6n.exe, 00000000.00000003.1800100714.00000000007B0000.00000004.00001000.00020000.00000000.sdmp, MEuu1a2o6n.exe, 00000000.00000003.1786658826.0000000002D8D000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000003.00000003.2507036934.00000000013CB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
    Source: MEuu1a2o6n.exe, 00000000.00000003.1801134346.0000000006FB0000.00000004.00001000.00020000.00000000.sdmp, MEuu1a2o6n.exe, 00000000.00000003.1800100714.00000000007B0000.00000004.00001000.00020000.00000000.sdmp, MEuu1a2o6n.exe, 00000000.00000003.1786658826.0000000002D8D000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000003.00000003.2507036934.00000000013CB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0A
    Source: MEuu1a2o6n.exe, 00000000.00000003.1801134346.0000000006FB0000.00000004.00001000.00020000.00000000.sdmp, MEuu1a2o6n.exe, 00000000.00000003.1800100714.00000000007B0000.00000004.00001000.00020000.00000000.sdmp, MEuu1a2o6n.exe, 00000000.00000003.1786658826.0000000002D8D000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000003.00000003.2507132069.00000000013A3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0C
    Source: MEuu1a2o6n.exe, 00000000.00000003.1801134346.0000000006FB0000.00000004.00001000.00020000.00000000.sdmp, MEuu1a2o6n.exe, 00000000.00000003.1800100714.00000000007B0000.00000004.00001000.00020000.00000000.sdmp, MEuu1a2o6n.exe, 00000000.00000003.1786658826.0000000002D8D000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000003.00000003.2507036934.00000000013CB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0X
    Source: MEuu1a2o6n.exe, 00000000.00000003.1786658826.0000000002B52000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000003.00000003.2506383329.0000000002F27000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.sectigo.com0
    Source: powershell.exe, 00000013.00000002.2626771904.0000000005046000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
    Source: powershell.exe, 00000012.00000002.2625999372.000000000586E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2625999372.00000000052D5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2626771904.0000000005046000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
    Source: powershell.exe, 00000012.00000002.2625999372.0000000005181000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2626771904.0000000004EF1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
    Source: powershell.exe, 00000012.00000002.2625999372.000000000586E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2625999372.00000000052D5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2626771904.0000000005046000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
    Source: MEuu1a2o6n.exe, 00000000.00000003.1786658826.0000000003124000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://support.google.com/installer/
    Source: MEuu1a2o6n.exe, 00000000.00000003.1786658826.0000000003124000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://support.google.com/installer/%s?product=%s&error=%d
    Source: powershell.exe, 00000013.00000002.2626771904.0000000005046000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
    Source: MEuu1a2o6n.exe, 00000000.00000003.1801134346.0000000006FB0000.00000004.00001000.00020000.00000000.sdmp, MEuu1a2o6n.exe, 00000000.00000003.1800100714.00000000007B0000.00000004.00001000.00020000.00000000.sdmp, MEuu1a2o6n.exe, 00000000.00000003.1786658826.0000000002D8D000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000003.00000003.2507036934.00000000013CB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/CPS0
    Source: powershell.exe, 00000012.00000002.2625999372.0000000005181000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2626771904.0000000004EF1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lB
    Source: powershell.exe, 00000013.00000002.2626771904.0000000005046000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/winsvr-2022-pshelp
    Source: MEuu1a2o6n.exe, 00000000.00000003.1786658826.0000000003124000.00000004.00000020.00020000.00000000.sdmp, MEuu1a2o6n.exe, 00000000.00000003.1786658826.0000000002D8D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://clients2.google.com/cr/report
    Source: powershell.exe, 00000013.00000002.2640306400.0000000005F54000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
    Source: powershell.exe, 00000013.00000002.2640306400.0000000005F54000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
    Source: powershell.exe, 00000013.00000002.2640306400.0000000005F54000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
    Source: MEuu1a2o6n.exe, 00000000.00000003.1786658826.0000000003124000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://crashpad.chromium.org/
    Source: MEuu1a2o6n.exe, 00000000.00000003.1786658826.0000000003124000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://crashpad.chromium.org/bug/new
    Source: MEuu1a2o6n.exe, 00000000.00000003.1786658826.0000000003124000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://crashpad.chromium.org/https://crashpad.chromium.org/bug/new
    Source: MEuu1a2o6n.exe, 00000000.00000003.1786658826.0000000003124000.00000004.00000020.00020000.00000000.sdmp, MEuu1a2o6n.exe, 00000000.00000003.1786658826.0000000002D8D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dl.google.com/update2/installers/icons/
    Source: powershell.exe, 00000013.00000002.2626771904.0000000005046000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
    Source: MEuu1a2o6n.exe, 00000000.00000003.1786658826.0000000003124000.00000004.00000020.00020000.00000000.sdmp, MEuu1a2o6n.exe, 00000000.00000003.1786658826.0000000002D8D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://m.google.com/devicemanagement/data/api
    Source: powershell.exe, 00000012.00000002.2651491613.00000000061E4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2640306400.0000000005F54000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
    Source: MEuu1a2o6n.exe, 00000000.00000003.1786658826.0000000002B52000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000003.00000003.2506383329.0000000002F27000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sectigo.com/CPS0
    Source: MEuu1a2o6n.exe, 00000000.00000003.1786658826.0000000003124000.00000004.00000020.00020000.00000000.sdmp, MEuu1a2o6n.exe, 00000000.00000003.1786658826.0000000002D8D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://update.googleapis.com/service/update2/json
    Source: MEuu1a2o6n.exe, 00000000.00000003.1786658826.0000000003124000.00000004.00000020.00020000.00000000.sdmp, MEuu1a2o6n.exe, 00000000.00000003.1786658826.0000000002D8D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://update.googleapis.com/service/update2/jsonhttps://clients2.google.com/cr/reporthttps://m.goo

    Key, Mouse, Clipboard, Microphone and Screen Capturing

    Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_0421E850 Sleep,CreateMutexW,GetLastError,_memset,Sleep,GetTickCount,GetTickCount,GetTickCount,InterlockedExchange,OpenClipboard,GetClipboardData,GlobalSize,GlobalLock,wsprintfW,_memset,GlobalUnlock,CloseClipboard,WaitForSingleObject,CreateFileW,SetFilePointer,lstrlenW,WriteFile,CloseHandle,ReleaseMutex,GetKeyState,lstrlenW,wsprintfW,lstrlenW,lstrlenW,wsprintfW,wsprintfW,wsprintfW,lstrlenW,WaitForSingleObject,CreateFileW,SetFilePointer,lstrlenW,WriteFile,CloseHandle,ReleaseMutex,3_2_0421E850
    Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_0421BC70 GetDesktopWindow,GetDC,GetDC,CreateCompatibleDC,GetDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,ReleaseDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,CreateCompatibleBitmap,SelectObject,SetStretchBltMode,GetSystemMetrics,GetSystemMetrics,StretchBlt,_memset,GetDIBits,_memset,DeleteObject,DeleteObject,ReleaseDC,DeleteObject,DeleteObject,ReleaseDC,3_2_0421BC70
    Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_6BDB0E79 GetAsyncKeyState,GetAsyncKeyState,GetKeyboardState,GetKeyboardLayout,MapVirtualKeyW,ToUnicodeEx,CharUpperW,3_2_6BDB0E79
    Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_0421E4F0 Sleep,CreateMutexW,GetLastError,SHGetFolderPathW,lstrcatW,CreateMutexW,WaitForSingleObject,CreateFileW,GetFileSize,CloseHandle,DeleteFileW,ReleaseMutex,DirectInput8Create,GetTickCount,GetKeyState,3_2_0421E4F0
    Source: C:\Users\Public\Bilite\Axialis\Update.exe Windows user hook set: 0 mouse low level C:\Windows\SYSTEM32\DINPUT8.dll
    Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_6BD6CCFE GetKeyState,GetKeyState,GetKeyState,SendMessageW,3_2_6BD6CCFE
    Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_6BD83FB7 ScreenToClient,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow,3_2_6BD83FB7
    Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_6BD41000 CryptAcquireContextW,CryptImportKey,CryptReleaseContext,CryptSetKeyParam,CryptDestroyKey,CryptReleaseContext,CryptSetKeyParam,CryptDestroyKey,CryptReleaseContext,CryptDecrypt,CryptDestroyKey,CryptReleaseContext,CryptDestroyKey,CryptReleaseContext,3_2_6BD41000
    Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_0421B43F ExitWindowsEx,3_2_0421B43F
    Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_0421B41B ExitWindowsEx,3_2_0421B41B
    Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_0421B463 ExitWindowsEx,3_2_0421B463
    Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_04216C50
    Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_04216EE0
    Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_042124B0
    Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_0422DDF0
    Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_0422D89F
    Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_04218900
    Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_0422F9FF
    Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_0422EA1D
    Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_0422E341
    Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_04228381
    Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_6BD5EB80
    Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_6BD78B4D
    Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_6BD54EC0
    Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_6BD7CEF5
    Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_6BEAA2C4
    Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_6BD6422E
    Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_6BEA26A0
    Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_6BD54550
    Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_6BD8B87D
    Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_6BD67F5D
    Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_6BD91DAB
    Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_6BD99C41
    Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_6BD3F3B0
    Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_6BD9B04F
    Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_6BD6D73F
    Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_6BD5B4C0
    Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_1001122F
    Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_100024B0
    Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_1000B66A
    Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_10011780
    Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_10010CDE
    Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_10012D91
    Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_10011E5C
    Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_03AE0032
    Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_03AF1206
    Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_03AF1757
    Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_03AEB641
    Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_03AF2D68
    Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_03AF0CB5
    Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_03AE2487
    Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_040ADD00
    Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_040A7D40
    Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_0409660F
    Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_04091E6F
    Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_040AD7AF
    Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_0409689F
    Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_040AD25E
    Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_040982BF
    Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_040AF3BE
    Source: Joe Sandbox View Dropped File: C:\Users\Public\Bilite\ChromeSetup.exe A68355D5F7E99F3BE66D84EA5AD4A72F92D1611C53F959C0B4E742B363678578
    Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: String function: 6BD7D350 appears 67 times
    Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: String function: 6BD7F21F appears 44 times
    Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: String function: 6BD7F115 appears 204 times
    Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: String function: 6BD7F17E appears 67 times
    Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: String function: 6BD6012B appears 63 times
    Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: String function: 04224300 appears 32 times
    Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: String function: 6BD5D440 appears 31 times
    Source: ChromeSetup.exe.0.dr Static PE information: Resource name: B7 type: 7-zip archive data, version 0.4
    Source: ChromeSetup.exe.0.dr Static PE information: Resource name: RT_STRING type: CLIPPER COFF executable (VAX #) not stripped - version 71
    Source: MEuu1a2o6n.exe, 00000000.00000000.1683626540.000000000041A000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameV vs MEuu1a2o6n.exe
    Source: MEuu1a2o6n.exe, 00000000.00000003.1801134346.0000000006FB0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUpdaterSetup.exeB vs MEuu1a2o6n.exe
    Source: MEuu1a2o6n.exe, 00000000.00000003.1684534454.00000000020D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameV vs MEuu1a2o6n.exe
    Source: MEuu1a2o6n.exe, 00000000.00000003.1786658826.0000000002B52000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamensdksetupJ vs MEuu1a2o6n.exe
    Source: MEuu1a2o6n.exe, 00000000.00000003.1786658826.0000000002B52000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUpdate.exe vs MEuu1a2o6n.exe
    Source: MEuu1a2o6n.exe Binary or memory string: OriginalFilenameV vs MEuu1a2o6n.exe
    Source: MEuu1a2o6n.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
    Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@43/29@0/1
    Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_04217620 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,GetModuleHandleA,GetProcAddress,GetCurrentProcessId,OpenProcess,3_2_04217620
    Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_04217740 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,3_2_04217740
    Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_04217B70 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle,3_2_04217B70
    Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_04216C50 wsprintfW,MultiByteToWideChar,GetDriveTypeW,GetDiskFreeSpaceExW,_memset,GlobalMemoryStatusEx,swprintf,swprintf,3_2_04216C50
    Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_04216050 _memset,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,CloseHandle,CloseHandle,3_2_04216050
    Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_04216690 CoInitialize,CoCreateInstance,SysFreeString,SysFreeString,CoUninitialize,3_2_04216690
    Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_6BD593B0 GetModuleHandleA,FindResourceW,LoadResource,SizeofResource,LockResource,3_2_6BD593B0
    Source: C:\Users\user\Desktop\MEuu1a2o6n.exe File created: C:\Users\Public\Bilite
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
    Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:772:120:WilError_03
    Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3260:120:WilError_03
    Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2792:120:WilError_03
    Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6532:120:WilError_03
    Source: C:\Users\Public\Bilite\Axialis\Update.exe Mutant created: \Sessions\1\BaseNamedObjects\2024.12. 3
    Source: C:\Users\Public\Bilite\Axialis\Update.exe File created: C:\Users\user\AppData\Local\Temp\monitor.bat
    Source: C:\Users\Public\Bilite\Axialis\Update.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /B /c "C:\Users\user\AppData\Local\Temp\\monitor.bat"
    Source: MEuu1a2o6n.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: C:\Windows\SysWOW64\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'UPDATE.EXE'
    Source: C:\Windows\SysWOW64\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'UPDATE.EXE'
    Source: C:\Windows\SysWOW64\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'UPDATE.EXE'
    Source: C:\Windows\SysWOW64\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'UPDATE.EXE'
    Source: C:\Users\user\Desktop\MEuu1a2o6n.exe File read: C:\Users\user\Desktop\desktop.ini
    Source: C:\Users\user\Desktop\MEuu1a2o6n.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: MEuu1a2o6n.exe ReversingLabs: Detection: 26%
    Source: C:\Users\user\Desktop\MEuu1a2o6n.exe File read: C:\Users\user\Desktop\MEuu1a2o6n.exe
    Source: unknown Process created: C:\Users\user\Desktop\MEuu1a2o6n.exe "C:\Users\user\Desktop\MEuu1a2o6n.exe"
    Source: C:\Users\user\Desktop\MEuu1a2o6n.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Bilite\Axialis\Update.exe
    Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\Public\Bilite\Axialis\Update.exe C:\Users\Public\Bilite\Axialis\Update.exe
    Source: C:\Users\Public\Bilite\Axialis\Update.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /B /c "C:\Users\user\AppData\Local\Temp\\monitor.bat"
    Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq Update.exe"
    Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "Update.exe"
    Source: C:\Users\Public\Bilite\Axialis\Update.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
    Source: C:\Users\Public\Bilite\Axialis\Update.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1
    Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
    Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
    Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1
    Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq Update.exe"
    Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "Update.exe"
    Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
    Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq Update.exe"
    Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "Update.exe"
    Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
    Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq Update.exe"
    Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "Update.exe"
    Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
    Source: C:\Users\user\Desktop\MEuu1a2o6n.exeSection loaded: apphelp.dllJump to behavior
    Source: C:\Users\user\Desktop\MEuu1a2o6n.exeSection loaded: acgenral.dllJump to behavior
    Source: C:\Users\user\Desktop\MEuu1a2o6n.exeSection loaded: uxtheme.dllJump to behavior
    Source: C:\Users\user\Desktop\MEuu1a2o6n.exeSection loaded: winmm.dllJump to behavior
    Source: C:\Users\user\Desktop\MEuu1a2o6n.exeSection loaded: samcli.dllJump to behavior
    Source: C:\Users\user\Desktop\MEuu1a2o6n.exeSection loaded: msacm32.dllJump to behavior
    Source: C:\Users\user\Desktop\MEuu1a2o6n.exeSection loaded: version.dllJump to behavior
    Source: C:\Users\user\Desktop\MEuu1a2o6n.exeSection loaded: userenv.dllJump to behavior
    Source: C:\Users\user\Desktop\MEuu1a2o6n.exeSection loaded: dwmapi.dllJump to behavior
    Source: C:\Users\user\Desktop\MEuu1a2o6n.exeSection loaded: urlmon.dllJump to behavior
    Source: C:\Users\user\Desktop\MEuu1a2o6n.exeSection loaded: mpr.dllJump to behavior
    Source: C:\Users\user\Desktop\MEuu1a2o6n.exeSection loaded: sspicli.dllJump to behavior
    Source: C:\Users\user\Desktop\MEuu1a2o6n.exeSection loaded: winmmbase.dllJump to behavior
    Source: C:\Users\user\Desktop\MEuu1a2o6n.exeSection loaded: winmmbase.dllJump to behavior
    Source: C:\Users\user\Desktop\MEuu1a2o6n.exeSection loaded: iertutil.dllJump to behavior
    Source: C:\Users\user\Desktop\MEuu1a2o6n.exeSection loaded: srvcli.dllJump to behavior
    Source: C:\Users\user\Desktop\MEuu1a2o6n.exeSection loaded: netutils.dllJump to behavior
    Source: C:\Users\user\Desktop\MEuu1a2o6n.exeSection loaded: aclayers.dllJump to behavior
    Source: C:\Users\user\Desktop\MEuu1a2o6n.exeSection loaded: sfc.dllJump to behavior
    Source: C:\Users\user\Desktop\MEuu1a2o6n.exeSection loaded: sfc_os.dllJump to behavior
    Source: C:\Users\user\Desktop\MEuu1a2o6n.exeSection loaded: windows.storage.dllJump to behavior
    Source: C:\Users\user\Desktop\MEuu1a2o6n.exeSection loaded: wldp.dllJump to behavior
    Source: C:\Users\user\Desktop\MEuu1a2o6n.exeSection loaded: profapi.dllJump to behavior
    Source: C:\Users\user\Desktop\MEuu1a2o6n.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Users\user\Desktop\MEuu1a2o6n.exeSection loaded: propsys.dllJump to behavior
    Source: C:\Users\user\Desktop\MEuu1a2o6n.exeSection loaded: edputil.dllJump to behavior
    Source: C:\Users\user\Desktop\MEuu1a2o6n.exeSection loaded: windows.staterepositoryps.dllJump to behavior
    Source: C:\Users\user\Desktop\MEuu1a2o6n.exeSection loaded: wintypes.dllJump to behavior
    Source: C:\Users\user\Desktop\MEuu1a2o6n.exeSection loaded: appresolver.dllJump to behavior
    Source: C:\Users\user\Desktop\MEuu1a2o6n.exeSection loaded: bcp47langs.dllJump to behavior
    Source: C:\Users\user\Desktop\MEuu1a2o6n.exeSection loaded: slc.dllJump to behavior
    Source: C:\Users\user\Desktop\MEuu1a2o6n.exeSection loaded: sppc.dllJump to behavior
    Source: C:\Users\user\Desktop\MEuu1a2o6n.exeSection loaded: onecorecommonproxystub.dllJump to behavior
    Source: C:\Users\user\Desktop\MEuu1a2o6n.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: acgenral.dll
    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: uxtheme.dll
    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: winmm.dll
    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: samcli.dll
    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: msacm32.dll
    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: version.dll
    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: userenv.dll
    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: dwmapi.dll
    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: urlmon.dll
    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: mpr.dll
    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: sspicli.dll
    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: winmmbase.dll
    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: winmmbase.dll
    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: iertutil.dll
    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: srvcli.dll
    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: netutils.dll
    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: aclayers.dll
    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: sfc.dll
    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: sfc_os.dll
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Section loaded: apphelp.dll
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Section loaded: acgenral.dll
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Section loaded: uxtheme.dll
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Section loaded: winmm.dll
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Section loaded: samcli.dll
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Section loaded: msacm32.dll
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Section loaded: version.dll
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Section loaded: userenv.dll
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Section loaded: dwmapi.dll
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Section loaded: urlmon.dll
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Section loaded: mpr.dll
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Section loaded: sspicli.dll
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Section loaded: winmmbase.dll
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Section loaded: winmmbase.dll
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Section loaded: iertutil.dll
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Section loaded: srvcli.dll
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Section loaded: netutils.dll
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Section loaded: aclayers.dll
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Section loaded: sfc.dll
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Section loaded: sfc_os.dll
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Section loaded: update.dll
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Section loaded: vcruntime140.dll
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Section loaded: oleacc.dll
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Section loaded: msimg32.dll
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Section loaded: cryptsp.dll
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Section loaded: rsaenh.dll
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Section loaded: cryptbase.dll
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Section loaded: windows.storage.dll
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Section loaded: wldp.dll
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Section loaded: kernel.appcore.dll
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Section loaded: propsys.dll
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Section loaded: profapi.dll
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Section loaded: linkinfo.dll
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Section loaded: ntshrui.dll
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Section loaded: cscapi.dll
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Section loaded: ntmarta.dll
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Section loaded: mswsock.dll
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Section loaded: napinsp.dll
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Section loaded: pnrpnsp.dll
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Section loaded: wshbth.dll
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Section loaded: nlaapi.dll
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Section loaded: iphlpapi.dll
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Section loaded: dnsapi.dll
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Section loaded: winrnr.dll
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Section loaded: fwpuclnt.dll
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Section loaded: rasadhlp.dll
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Section loaded: dxgi.dll
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Section loaded: dinput8.dll
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Section loaded: inputhost.dll
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Section loaded: coremessaging.dll
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Section loaded: wintypes.dll
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Section loaded: coreuicomponents.dll
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Section loaded: resourcepolicyclient.dll
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Section loaded: devenum.dll
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Section loaded: devobj.dll
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Section loaded: msasn1.dll
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Section loaded: msdmo.dll
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Section loaded: avicap32.dll
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Section loaded: msvfw32.dll
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Section loaded: windowscodecs.dll
    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: acgenral.dll
    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: uxtheme.dll
    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: winmm.dll
    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: samcli.dll
    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: msacm32.dll
    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: version.dll
    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: userenv.dll
    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: dwmapi.dll
    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: urlmon.dll
    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: mpr.dll
    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: sspicli.dll
    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: winmmbase.dll
    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: winmmbase.dll
    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: iertutil.dll
    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: srvcli.dll
    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: netutils.dll
    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: aclayers.dll
    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: sfc.dll
    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: sfc_os.dll
    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: cmdext.dll
    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: apphelp.dll
    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: version.dll
    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: mpr.dll
    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: framedynos.dll
    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: dbghelp.dll
    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: sspicli.dll
    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: srvcli.dll
    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: netutils.dll
    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: sspicli.dll
    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: wbemcomn.dll
    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: winsta.dll
    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: amsi.dll
    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: userenv.dll
    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: profapi.dll
    Source: C:\Windows\SysWOW64\findstr.exe | Section loaded: apphelp.dll
    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: acgenral.dll
    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: uxtheme.dll
    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: winmm.dll
    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: samcli.dll
    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: msacm32.dll
    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: version.dll
    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: userenv.dll
    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: dwmapi.dll
    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: urlmon.dll
    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: mpr.dll
    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: sspicli.dll
    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: winmmbase.dll
    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: winmmbase.dll
    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: iertutil.dll
    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: srvcli.dll
    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: netutils.dll
    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: aclayers.dll
    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: sfc.dll
    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: sfc_os.dll
    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: acgenral.dll
    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: uxtheme.dll
    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: winmm.dll
    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: samcli.dll
    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: msacm32.dll
    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: version.dll
    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: userenv.dll
    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: dwmapi.dll
    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: urlmon.dll
    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: mpr.dll
    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: sspicli.dll
    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: winmmbase.dll
    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: winmmbase.dll
    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: iertutil.dll
    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: srvcli.dll
    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: netutils.dll
    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: aclayers.dll
    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: sfc.dll
    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: sfc_os.dll
    Source: C:\Windows\SysWOW64\timeout.exe | Section loaded: apphelp.dll
    Source: C:\Windows\SysWOW64\timeout.exe | Section loaded: version.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: apphelp.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kdscli.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: apphelp.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kdscli.dll
    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: apphelp.dll
    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: version.dll
    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: mpr.dll
    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: framedynos.dll
    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: dbghelp.dll
    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: sspicli.dll
    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: srvcli.dll
    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: netutils.dll
    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: wbemcomn.dll
    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: winsta.dll
    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: amsi.dll
    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: userenv.dll
    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: profapi.dll
    Source: C:\Windows\SysWOW64\findstr.exe | Section loaded: apphelp.dll
    Source: C:\Windows\SysWOW64\timeout.exe | Section loaded: apphelp.dll
    Source: C:\Windows\SysWOW64\timeout.exe | Section loaded: version.dll
    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: apphelp.dll
    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: version.dll
    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: mpr.dll
    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: framedynos.dll
    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: dbghelp.dll
    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: sspicli.dll
    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: srvcli.dll
    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: netutils.dll
    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: sspicli.dll
    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: wbemcomn.dll
    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: winsta.dll
    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: amsi.dll
    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: userenv.dll
    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: profapi.dll
    Source: C:\Windows\SysWOW64\findstr.exe | Section loaded: apphelp.dll
    Source: C:\Windows\SysWOW64\timeout.exe | Section loaded: apphelp.dll
    Source: C:\Windows\SysWOW64\timeout.exe | Section loaded: version.dll
    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: apphelp.dll
    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: version.dll
    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: mpr.dll
    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: framedynos.dll
    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: dbghelp.dll
    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: sspicli.dll
    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: srvcli.dll
    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: netutils.dll
    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: sspicli.dll
    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: wbemcomn.dll
    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: winsta.dll
    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: amsi.dll
    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: userenv.dll
    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: profapi.dll
    Source: C:\Windows\SysWOW64\findstr.exe | Section loaded: apphelp.dll
    Source: C:\Windows\SysWOW64\timeout.exe | Section loaded: apphelp.dll
    Source: C:\Windows\SysWOW64\timeout.exe | Section loaded: version.dll
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00021401-0000-0000-C000-000000000046}\InProcServer32
    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq Update.exe"
    Source: ChromeSetup.exe.lnk.3.dr | LNK file: ..\..\Public\Bilite\ChromeSetup.exe
    Source: Window Recorder | Window detected: More than 3 window changes detected
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
    Source: MEuu1a2o6n.exe | Static file information: File size 73957257 > 1048576
    Source: Binary string: UpdaterSetup.exe.pdb source: MEuu1a2o6n.exe, 00000000.00000003.1786658826.0000000002D8D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \YSS\Release\Update.pdb source: MEuu1a2o6n.exe, 00000000.00000003.1786658826.0000000002B52000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000003.00000003.2506383329.0000000002F27000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
    Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000013.00000002.2659886433.0000000008AA0000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000013.00000002.2659886433.0000000008ABB000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: E:\agent\workspace\p-e3cf6c00cb1d4f41832c02872427999a\src\Ufo4WinMac\GamerUFO\ufo4Desktop\Output\bin\Release\UpdateApp.pdb source: MEuu1a2o6n.exe, 00000000.00000003.1786658826.0000000002B52000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000003.00000000.1803676417.0000000000022000.00000002.00000001.01000000.00000005.sdmp, Update.exe, 00000003.00000002.3541375098.0000000000022000.00000002.00000001.01000000.00000005.sdmp
    Source: Binary string: C:\Windows\System.Management.Automation.pdbpdbion.pdbN source: powershell.exe, 00000013.00000002.2664011155.0000000008B36000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000013.00000002.2652877300.0000000007B41000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000013.00000002.2623179546.0000000003304000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: UpdaterSetup.exe.pdbP source: MEuu1a2o6n.exe, 00000000.00000003.1786658826.0000000002D8D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb'K source: powershell.exe, 00000013.00000002.2659886433.0000000008ABB000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb|WA source: powershell.exe, 00000013.00000002.2652877300.0000000007B41000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: System.Management.Automation.pdbh source: powershell.exe, 00000013.00000002.2664011155.0000000008B36000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: E:\agent\workspace\p-e3cf6c00cb1d4f41832c02872427999a\src\Ufo4WinMac\GamerUFO\ufo4Desktop\Output\bin\Release\UpdateApp.pdb((& source: MEuu1a2o6n.exe, 00000000.00000003.1786658826.0000000002B52000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000003.00000000.1803676417.0000000000022000.00000002.00000001.01000000.00000005.sdmp, Update.exe, 00000003.00000002.3541375098.0000000000022000.00000002.00000001.01000000.00000005.sdmp
    Source: Binary string: \YSS\Release\Update.pdbp: source: MEuu1a2o6n.exe, 00000000.00000003.1786658826.0000000002B52000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000003.00000003.2506383329.0000000002F27000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp

    Data Obfuscation

    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Unpacked PE file: 3.2.Update.exe.4210000.6.unpack
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Code function: 3_2_04217490 wsprintfW,LoadLibraryW,GetProcAddress,MultiByteToWideChar,swprintf,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,FreeLibrary, 3_2_04217490
    Source: Update.dll.0.dr | Static PE information: section name: .00cfg
    Source: ChromeSetup.exe.0.dr | Static PE information: section name: CPADinfo
    Source: ChromeSetup.exe.0.dr | Static PE information: section name: malloc_h
    Source: backup.dll.3.dr | Static PE information: section name: .00cfg
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Code function: 3_2_04232470 push ebp; retf 3_2_04232474
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Code function: 3_2_04232450 push ebp; retf 3_2_04232474
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Code function: 3_2_04224345 push ecx; ret 3_2_04224358
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Code function: 3_2_6BD5F210 push eax; mov dword ptr [esp], 8007000Eh 3_2_6BD5F214
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Code function: 3_2_6BDA18F6 pushfd ; retf 3_2_6BDA18F7
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Code function: 3_2_6BDA188A pushfd ; retf 3_2_6BDA188B
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Code function: 3_2_6BD6F863 push esi; ret 3_2_6BD6F865
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Code function: 3_2_6BD7F1ED push ecx; ret 3_2_6BD7F200
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Code function: 3_2_10009DF5 push ecx; ret 3_2_10009E08
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Code function: 3_2_1001FE9A push ecx; ret 3_2_1001FEBF
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Code function: 3_2_03AECB0B push 701000CBh; retf 3_2_03AECB10
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Code function: 3_2_03AECB07 pushad ; retf 3_2_03AECB08
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Code function: 3_2_03AECB61 pushfd ; retf 3_2_03AECB64
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Code function: 3_2_03AECAFF push eax; retf 3_2_03AECB00
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Code function: 3_2_03AE9DCC push ecx; ret 3_2_03AE9DDF
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Code function: 3_2_040A3D04 push ecx; ret 3_2_040A3D17
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | File created: C:\Users\user\AppData\Local\Temp\backup.exe
    Source: C:\Users\user\Desktop\MEuu1a2o6n.exe | File created: C:\Users\Public\Bilite\Axialis\Update.dll
    Source: C:\Users\user\Desktop\MEuu1a2o6n.exe | File created: C:\Users\Public\Bilite\ChromeSetup.exe
    Source: C:\Users\user\Desktop\MEuu1a2o6n.exe | File created: C:\Users\Public\Bilite\Axialis\Update.exe
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | File created: C:\Users\user\AppData\Local\Temp\backup.dll

    Hooking and other Techniques for Hiding and Protection

    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (8 identical entries)
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (6 identical entries)
    Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_6BD82B1D GetParent,IsIconic,GetParent,__EH_prolog3, 3_2_6BD82B1D
    Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_6BD72D84 IsWindowVisible,IsIconic, 3_2_6BD72D84
    Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_6BD66D7F IsIconic,IsWindowVisible, 3_2_6BD66D7F
    Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_6BD98264 SetRectEmpty,RedrawWindow,ReleaseCapture,SetCapture,ReleaseCapture,SetCapture,SendMessageW,UpdateWindow,SendMessageW,IsWindow,IsIconic,IsZoomed,IsWindow,UpdateWindow, 3_2_6BD98264
    Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_6BD6E40E IsIconic, 3_2_6BD6E40E
    Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_0421B3C0 OpenEventLogW,OpenEventLogW,ClearEventLogW,CloseEventLog, 3_2_0421B3C0
    Source: C:\Users\Public\Bilite\Axialis\Update.exe Key value created or modified: HKEY_CURRENT_USER\Console\0 9e9e85e05ee16fc372a0c7df6549fbd4
    Source: C:\Users\user\Desktop\MEuu1a2o6n.exe Process information set: NOOPENFILEERRORBOX (11 identical entries)
    Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\tasklist.exe Process information set: NOOPENFILEERRORBOX (4 identical entries)
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (212 identical entries)
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Window / User API: threadDelayed 5415
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2395
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 393
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7883
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1739
    Source: C:\Users\user\Desktop\MEuu1a2o6n.exe | Dropped PE file which has not been started: C:\Users\Public\Bilite\ChromeSetup.exe
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\backup.dll
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Evasive API call chain: RegQueryValue,DecisionNodes,Sleep
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Evasive API call chain: RegOpenKey,DecisionNodes,Sleep
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | API coverage: 9.9 %
    Source: C:\Users\Public\Bilite\Axialis\Update.exe TID: 6964 | Thread sleep time: -73000s >= -30000s
    Source: C:\Users\Public\Bilite\Axialis\Update.exe TID: 6968 | Thread sleep time: -63000s >= -30000s
    Source: C:\Users\Public\Bilite\Axialis\Update.exe TID: 6244 | Thread sleep time: -30000s >= -30000s
    Source: C:\Users\Public\Bilite\Axialis\Update.exe TID: 4164 | Thread sleep count: 327 > 30
    Source: C:\Users\Public\Bilite\Axialis\Update.exe TID: 3244 | Thread sleep count: 5415 > 30
    Source: C:\Users\Public\Bilite\Axialis\Update.exe TID: 3244 | Thread sleep time: -54150s >= -30000s
    Source: C:\Windows\SysWOW64\timeout.exe TID: 560 | Thread sleep count: 264 > 30
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2848 | Thread sleep count: 2395 > 30
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3096 | Thread sleep count: 393 > 30
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4624 | Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2024 | Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6128 | Thread sleep count: 7883 > 30
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3176 | Thread sleep count: 1739 > 30
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3916 | Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\SysWOW64\timeout.exe TID: 5212 | Thread sleep count: 265 > 30
    Source: C:\Windows\SysWOW64\timeout.exe TID: 2256 | Thread sleep count: 265 > 30
    Source: C:\Windows\SysWOW64\timeout.exe TID: 6836 | Thread sleep count: 106 > 30
    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Last function: Thread delayed
    Source: C:\Windows\SysWOW64\timeout.exe | Last function: Thread delayed
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Thread sleep count: Count: 5415 delay: -10
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | File Volume queried: C:\ FullSizeInformation
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Code function: 3_2_6BEBED8C FindFirstFileExW,RevokeDragDrop,FindNextFileW,FindClose,FindClose
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Code function: 3_2_6BEBECDB FindFirstFileExW
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Code function: 3_2_6BDA7D6F __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Code function: 3_2_042180F0 wsprintfW,GetLogicalDriveStringsW,lstrcmpiW,lstrcmpiW,QueryDosDeviceW,lstrlenW,__wcsnicmp,lstrcpyW,lstrcpyW,lstrcatW
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Code function: 3_2_04215430 _memset,_memset,_memset,gethostname,gethostbyname,inet_ntoa,_strcat_s,_strcat_s,inet_ntoa,_strcat_s,_strcat_s,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,GetLastInputInfo,GetTickCount,wsprintfW,wsprintfW,MultiByteToWideChar,MultiByteToWideChar,GetSystemInfo,wsprintfW,GetForegroundWindow,GetWindowTextW,lstrlenW,lstrlenW,GetModuleHandleW,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,wsprintfW,GetCurrentProcessId,OpenProcess,K32GetProcessImageFileNameW,CloseHandle,GetTickCount,__time64,__localtime64,wsprintfW,GetLocaleInfoW,GetSystemDirectoryW,GetCurrentHwProfileW
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Thread delayed: delay time: 73000
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Thread delayed: delay time: 30000
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
    Source: powershell.exe, 00000013.00000002.2626771904.0000000005046000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Remove-NetEventVmNetworkAdapter
    Source: powershell.exe, 00000013.00000002.2626771904.0000000005046000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Add-NetEventVmNetworkAdapter
    Source: Update.exe, 00000003.00000002.3541846426.000000000139D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll|A=
    Source: powershell.exe, 00000013.00000002.2626771904.0000000005046000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Get-NetEventVmNetworkAdapter
    Source: Update.exe, 00000003.00000003.2507132069.00000000013A3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: _VMware_0(;
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | API call chain: ExitProcess graph end node
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Process information queried: ProcessInformation
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Code function: 3_2_000215D0 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Code function: 3_2_6BD60AC8 OutputDebugStringA,GetLastError
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Code function: 3_2_0422054D VirtualProtect ?,-00000001,00000104,?
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Code function: 3_2_04217490 wsprintfW,LoadLibraryW,GetProcAddress,MultiByteToWideChar,swprintf,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,FreeLibrary
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Code function: 3_2_03AE0AE4 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Code function: 3_2_040900CD mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Code function: 3_2_04216790 wsprintfW,GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,LookupAccountSidW,GetLastError,GetProcessHeap,HeapFree
    Source: C:\Windows\SysWOW64\tasklist.exe | Process token adjusted: Debug
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Code function: 3_2_00021A8F SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Code function: 3_2_000215D0 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Code function: 3_2_00021764 SetUnhandledExceptionFilter
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Code function: 3_2_0421DF10 Sleep,CloseHandle,GetLocalTime,wsprintfW,SetUnhandledExceptionFilter,CloseHandle,EnumWindows,EnumWindows,Sleep,EnumWindows,Sleep,CreateEventA,Sleep,RegOpenKeyExW,RegQueryValueExW,CloseHandle,Sleep,WaitForSingleObject,CloseHandle,Sleep,CloseHandle,WaitForSingleObject,CloseHandle,Sleep,CloseHandle
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Code function: 3_2_04221F67 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Code function: 3_2_0421F00A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Code function: 3_2_6BDD8246 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Code function: 3_2_6BEB19D8 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Code function: 3_2_6BD7D236 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Code function: 3_2_10008587 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Code function: 3_2_10006815 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Code function: 3_2_03AE67EC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess

    HIPS / PFW / Operating System Protection Evasion

    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Code function: 3_2_04217E50 _memset,_memset,_memset,GetSystemDirectoryA,GetFileAttributesA,CreateProcessA,VirtualAllocEx,WriteProcessMemory,GetThreadContext,SetThreadContext,ResumeThread
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Code function: 3_2_042177E0 Sleep,OpenProcess,_memset,_memset,GetSystemDirectoryA,GetFileAttributesA,CreateProcessA,OpenProcess,_memset,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,_memset,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,VirtualProtectEx,ResumeThread
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Code function: Sleep,OpenProcess,_memset,_memset,GetSystemDirectoryA,GetFileAttributesA,CreateProcessA,OpenProcess,_memset,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,_memset,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,VirtualProtectEx,ResumeThread, Windows\SysWOW64\svchost.exe 3_2_042177E0
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Code function: Sleep,OpenProcess,_memset,_memset,GetSystemDirectoryA,GetFileAttributesA,CreateProcessA,OpenProcess,_memset,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,_memset,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,VirtualProtectEx,ResumeThread, Windows\System32\svchost.exe 3_2_042177E0
    Source: C:\Users\user\Desktop\MEuu1a2o6n.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Bilite\Axialis\Update.exe
    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\Public\Bilite\Axialis\Update.exe C:\Users\Public\Bilite\Axialis\Update.exe
    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq Update.exe"
    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "Update.exe"
    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1
    Source: Update.exe, 00000003.00000002.3542630879.00000000043F6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: inProgram Manager
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Code function: 3_2_000218A4 cpuid
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Code function: _memset,_memset,_memset,gethostname,gethostbyname,inet_ntoa,_strcat_s,_strcat_s,inet_ntoa,_strcat_s,_strcat_s,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,GetLastInputInfo,GetTickCount,wsprintfW,wsprintfW,MultiByteToWideChar,MultiByteToWideChar,GetSystemInfo,wsprintfW,GetForegroundWindow,GetWindowTextW,lstrlenW,lstrlenW,GetModuleHandleW,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,wsprintfW,GetCurrentProcessId,OpenProcess,K32GetProcessImageFileNameW,CloseHandle,GetTickCount,__time64,__localtime64,wsprintfW,GetLocaleInfoW,GetSystemDirectoryW,GetCurrentHwProfileW,3_2_04215430
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Code function: GetModuleHandleW,GetProcAddress,EncodePointer,DecodePointer,GetLocaleInfoW,3_2_6BD85B91
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Code function: GetLocaleInfoW,3_2_6BEC5B73
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Code function: EnumSystemLocalesW,3_2_6BEC5B14
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,3_2_6BEC58C1
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Code function: EnumSystemLocalesW,3_2_6BEC5826
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Code function: GetLocaleInfoW,3_2_6BEC5E40
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,3_2_6BEC5D3A
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Code function: GetLocaleInfoW,3_2_6BEC5C93
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Code function: EnumSystemLocalesW,3_2_6BEC5C48
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Code function: GetLocaleInfoW,3_2_6BEBB18C
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Code function: EnumSystemLocalesW,3_2_6BEBB7AB
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,3_2_6BEC55D5
    Source: C:\Users\Public\Bilite\Axialis\Update.exe | Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe | Code function: 3_2_000214B7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,
Source: C:\Users\Public\Bilite\Axialis\Update.exe | Code function: 3_2_04225D22 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,
Source: C:\Users\Public\Bilite\Axialis\Update.exe | Code function: 3_2_04216A70 wsprintfW,GetCurrentProcessId,wsprintfW,_memset,GetVersionExW,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,wsprintfW,
Source: C:\Users\Public\Bilite\Axialis\Update.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Update.exe | Binary or memory string: acs.exe
Source: Update.exe | Binary or memory string: avcenter.exe
Source: Update.exe | Binary or memory string: kxetray.exe
Source: Update.exe | Binary or memory string: vsserv.exe
Source: Update.exe | Binary or memory string: avp.exe
Source: Update.exe | Binary or memory string: cfp.exe
Source: Update.exe | Binary or memory string: KSafeTray.exe
Source: Update.exe | Binary or memory string: 360Safe.exe
Source: Update.exe | Binary or memory string: 360tray.exe
Source: Update.exe | Binary or memory string: rtvscan.exe
Source: Update.exe | Binary or memory string: TMBMSRV.exe
Source: Update.exe | Binary or memory string: ashDisp.exe
Source: Update.exe | Binary or memory string: 360Tray.exe
Source: Update.exe | Binary or memory string: avgwdsvc.exe
Source: Update.exe | Binary or memory string: AYAgent.aye
Source: Update.exe | Binary or memory string: QUHLPSVC.EXE
Source: Update.exe | Binary or memory string: RavMonD.exe
Source: Update.exe | Binary or memory string: Mcshield.exe
Source: Update.exe | Binary or memory string: K7TSecurity.exe

Stealing of Sensitive Information

Source: Yara match | File source: Process Memory Space: Update.exe PID: 2344, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: Process Memory Space: Update.exe PID: 2344, type: MEMORYSTR
MITRE ATT&CK Matrix

The matrix is listed here by tactic (column), with the eleven rows of the original grid in order. A cell that begins with a number is a technique the report matched, the number being the badge shown in the grid; a cell without a number is the matrix's default, unmatched entry.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses; Network Security Appliances
Resource Development: 1 Scripting; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure; Domains
Initial Access: 1 Replication Through Removable Media; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools
Execution: 1 Windows Management Instrumentation; 1 Native API; 1 PowerShell; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell; AppleScript
Persistence: 1 Scripting; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd
Privilege Escalation: 1 DLL Side-Loading; 1 Access Token Manipulation; 222 Process Injection; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd
Defense Evasion: 1 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 1 Software Packing; 1 DLL Side-Loading; 1 Masquerading; 1 Modify Registry; 31 Virtualization/Sandbox Evasion; 1 Access Token Manipulation; 222 Process Injection; 1 Indicator Removal
Credential Access: 141 Input Capture; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture
Discovery: 2 System Time Discovery; 11 Peripheral Device Discovery; 3 File and Directory Discovery; 38 System Information Discovery; 141 Security Software Discovery; 31 Virtualization/Sandbox Evasion; 4 Process Discovery; 11 Application Window Discovery; Network Sniffing; Network Service Discovery; System Network Connections Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot; Software Deployment Tools
Collection: 11 Archive Collected Data; 1 Screen Capture; 141 Input Capture; 2 Clipboard Data; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging
Command and Control: 1 Ingress Tool Transfer; 2 Encrypted Channel; 1 Non-Standard Port; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted Non-C2 Protocol
Impact: 1 Data Encrypted for Impact; 1 System Shutdown/Reboot; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement; Firmware Corruption

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet
Behavior Graph ID: 1581462 | Sample: MEuu1a2o6n.exe | Start date: 27/12/2024 | Architecture: WINDOWS | Score: 100

Signatures attached to the sample node: Suricata IDS alerts for network traffic; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for dropped file; 7 other signatures

Process tree (graph node numbers in parentheses; bracketed numbers are the count badges drawn next to each process in the graph, i.e. created registry values / created files per the legend; dropped files, network contacts and signatures are listed under the process they belong to):

MEuu1a2o6n.exe (9) [10]
  dropped: C:\Users\Public\Bilite\ChromeSetup.exe, PE32
  dropped: C:\Users\Public\Bilite\Axialis\Update.exe, PE32
  dropped: C:\Users\Public\Bilite\Axialis\Update.dll, PE32
  cmd.exe (12) [1]
    signature: Bypasses PowerShell execution policy
    conhost.exe (20)
    Update.exe (15) [3 8]
      network: 118.107.44.219, ports 18852, 19091, 49790, BCPL-SGBGPNETGlobalASNSG, Singapore
      dropped: C:\Users\user\AppData\Local\Temp\backup.exe, PE32
      dropped: C:\Users\user\AppData\Local\Temp\backup.dll, PE32
      dropped: C:\Users\user\AppData\Local\updated.ps1, ASCII
      signature: Detected unpacking (creates a PE file in dynamic memory)
      signature: Contains functionality to inject threads in other processes
      signature: Contains functionality to capture and log keystrokes
      signature: Contains functionality to inject code into remote processes
      cmd.exe (22) [1]
        powershell.exe (28) [1 23]
        conhost.exe (31)
      cmd.exe (24) [1]
        powershell.exe (33) [39]
          signature: Loading BitLocker PowerShell Module
        conhost.exe (35)
      cmd.exe (26) [1]
        conhost.exe (37)
        tasklist.exe (39) [1]
        timeout.exe (41) [1]
        10 other processes (43)
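The process chain in the graph above (a binary launched from C:\Users\Public, a cmd.exe child that bypasses the PowerShell execution policy, tasklist.exe and timeout.exe spawned beneath it, and one external address contacted on several ports) is exactly the shape a detection engineer turns into host-level rules. The Python below is an added example and is not part of the Joe Sandbox report or its tooling: the events are constructed to mirror the graph, reusing the paths, the 118.107.44.219 address and ports 18852 and 19091 from the report, while port 20001 and the chrome.exe event are invented noise the rules must ignore; the rule names and the Sysmon-like field layout (Event ID 1 for process creation, Event ID 3 for network connections) are my own choices.

```python
import re
from collections import defaultdict

# Constructed sample events shaped like Sysmon Event ID 1 (process create)
# and Event ID 3 (network connect). Paths, the C2 address and ports 18852
# and 19091 follow the behaviour graph; port 20001 and the chrome.exe
# connection are invented noise so the rules have something to ignore.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 1100, "image": r"C:\Users\user\Desktop\MEuu1a2o6n.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "MEuu1a2o6n.exe"},
    {"id": 1, "pid": 1200, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "parent": r"C:\Users\user\Desktop\MEuu1a2o6n.exe",
     "cmdline": r"cmd.exe /c C:\Users\Public\Bilite\Axialis\Update.exe"},
    {"id": 1, "pid": 2344, "image": r"C:\Users\Public\Bilite\Axialis\Update.exe",
     "parent": r"C:\Windows\SysWOW64\cmd.exe", "cmdline": "Update.exe"},
    {"id": 1, "pid": 2400, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "parent": r"C:\Users\Public\Bilite\Axialis\Update.exe",
     "cmdline": r"cmd.exe /c powershell -ep bypass -File C:\Users\user\AppData\Local\updated.ps1"},
    {"id": 1, "pid": 2500,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"powershell -ep bypass -File C:\Users\user\AppData\Local\updated.ps1"},
    {"id": 1, "pid": 2600, "image": r"C:\Windows\SysWOW64\tasklist.exe",
     "parent": r"C:\Windows\SysWOW64\cmd.exe", "cmdline": "tasklist"},
    {"id": 3, "pid": 2344, "image": r"C:\Users\Public\Bilite\Axialis\Update.exe",
     "dst_ip": "118.107.44.219", "dst_port": 18852},
    {"id": 3, "pid": 2344, "image": r"C:\Users\Public\Bilite\Axialis\Update.exe",
     "dst_ip": "118.107.44.219", "dst_port": 19091},
    {"id": 3, "pid": 2344, "image": r"C:\Users\Public\Bilite\Axialis\Update.exe",
     "dst_ip": "118.107.44.219", "dst_port": 20001},
    {"id": 3, "pid": 3000,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dst_ip": "142.250.74.78", "dst_port": 443},
]

PUBLIC_DIR = re.compile(r"^[a-z]:\\users\\public\\", re.IGNORECASE)
# PowerShell accepts abbreviated switch names, so match the short forms too.
EP_BYPASS = re.compile(r"-(?:ep|ex|exec|executionpolicy)\s+bypass\b", re.IGNORECASE)
# Children that are suspicious when their parent lives under C:\Users\Public.
RECON_TOOLS = {"cmd.exe", "tasklist.exe", "timeout.exe", "whoami.exe", "systeminfo.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def triage(events, port_threshold: int = 3) -> dict:
    """Run the rules over a list of events and return {rule_name: [evidence, ...]}.

    Only rules that fired appear in the result, so callers can test membership.
    """
    hits = defaultdict(list)
    ports_by_target = defaultdict(set)

    for ev in events:
        image = ev["image"]
        if ev["id"] == 1:
            if PUBLIC_DIR.match(image):
                hits["execution_from_public_folder"].append(image)
            if PUBLIC_DIR.match(ev["parent"]) and basename(image) in RECON_TOOLS:
                hits["public_folder_parent_spawns_shell_or_recon"].append(
                    f"{ev['parent']} -> {image}")
            if basename(image) == "powershell.exe" and EP_BYPASS.search(ev["cmdline"]):
                hits["powershell_execution_policy_bypass"].append(ev["cmdline"])
        elif ev["id"] == 3:
            if PUBLIC_DIR.match(image):
                key = f"{image} -> {ev['dst_ip']}"
                if key not in hits["public_folder_binary_with_network_connection"]:
                    hits["public_folder_binary_with_network_connection"].append(key)
            # Distinct destination ports per (process, address) drive the
            # "many ports of the same IP" rule below.
            ports_by_target[(image, ev["dst_ip"])].add(ev["dst_port"])

    for (image, ip), ports in ports_by_target.items():
        if len(ports) >= port_threshold:
            hits["many_ports_to_same_ip"].append(f"{image} -> {ip}:{sorted(ports)}")
    return dict(hits)


if __name__ == "__main__":
    for rule, evidence in triage(SAMPLE_EVENTS).items():
        print(rule)
        for line in evidence:
            print("   ", line)
```

The port threshold is deliberately a parameter: a RAT that rotates between a couple of fallback ports looks different from a scanner, and the right cut-off depends on how noisy your own environment's legitimate multi-port clients are. Note that the tasklist.exe event itself does not fire here, because its direct parent is cmd.exe; it is the cmd.exe spawned by Update.exe that trips the parent-in-Public rule, which is the same place the report's own process tree puts the suspicious link.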

Antivirus detection, submitted sample (Source | Detection | Scanner | Label):
MEuu1a2o6n.exe | 26% | ReversingLabs | Win32.Ransomware.Generic
MEuu1a2o6n.exe | 100% | Avira | TR/Crypt.CFI.Gen

Antivirus detection, dropped files (Source | Detection | Scanner | Label):
C:\Users\Public\Bilite\Axialis\Update.dll | 37% | ReversingLabs | Win32.Backdoor.Farfli
C:\Users\Public\Bilite\Axialis\Update.exe | 0% | ReversingLabs |
C:\Users\Public\Bilite\ChromeSetup.exe | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\backup.dll | 37% | ReversingLabs | Win32.Backdoor.Farfli
C:\Users\user\AppData\Local\Temp\backup.exe | 0% | ReversingLabs |

Note the split: the executables sitting next to the flagged DLLs (Update.exe, backup.exe) score 0%, while Update.dll and backup.dll are both detected as Win32.Backdoor.Farfli, a family label commonly applied to Gh0st RAT variants. A clean loader paired with a detected DLL is the layout that the DLL Side-Loading entries in the ATT&CK matrix above describe, so a hash-only block on the EXEs would miss the payload.
    No Antivirus matches
    No Antivirus matches
    No Antivirus matches
    No contacted domains info
URLs found in memory (Name | Source | Malicious | Reputation; the Antivirus Detection column is empty for every row):

All of these are strings recovered from memory dumps (the .sdmp identifiers name the process and the dumped region), not observed connections; the report lists no contacted domains, and the only contacted host is the IP in the table that follows.

http://html4/loose.dtd | MEuu1a2o6n.exe, 00000000.00000003.1786658826.0000000002D8D000.00000004.00000020.00020000.00000000.sdmp | false | high
http://nuget.org/NuGet.exe | powershell.exe, 00000012.00000002.2651491613.00000000061E4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2640306400.0000000005F54000.00000004.00000800.00020000.00000000.sdmp | false | high
https://aka.ms/winsvr-2022-pshelp | powershell.exe, 00000013.00000002.2626771904.0000000005046000.00000004.00000800.00020000.00000000.sdmp | false | high
https://crashpad.chromium.org/ | MEuu1a2o6n.exe, 00000000.00000003.1786658826.0000000003124000.00000004.00000020.00020000.00000000.sdmp | false | high
https://sectigo.com/CPS0 | MEuu1a2o6n.exe, 00000000.00000003.1786658826.0000000002B52000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000003.00000003.2506383329.0000000002F27000.00000004.00000020.00020000.00000000.sdmp | false | high
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0 | MEuu1a2o6n.exe, 00000000.00000003.1786658826.0000000002B52000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000003.00000003.2506383329.0000000002F27000.00000004.00000020.00020000.00000000.sdmp | false | high
http://ocsp.sectigo.com0 | MEuu1a2o6n.exe, 00000000.00000003.1786658826.0000000002B52000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000003.00000003.2506383329.0000000002F27000.00000004.00000020.00020000.00000000.sdmp | false | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000013.00000002.2626771904.0000000005046000.00000004.00000800.00020000.00000000.sdmp | false | high
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000012.00000002.2625999372.000000000586E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2625999372.00000000052D5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2626771904.0000000005046000.00000004.00000800.00020000.00000000.sdmp | false | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000013.00000002.2626771904.0000000005046000.00000004.00000800.00020000.00000000.sdmp | false | high
https://crashpad.chromium.org/bug/new | MEuu1a2o6n.exe, 00000000.00000003.1786658826.0000000003124000.00000004.00000020.00020000.00000000.sdmp | false | high
https://contoso.com/License | powershell.exe, 00000013.00000002.2640306400.0000000005F54000.00000004.00000800.00020000.00000000.sdmp | false | high
https://contoso.com/Icon | powershell.exe, 00000013.00000002.2640306400.0000000005F54000.00000004.00000800.00020000.00000000.sdmp | false | high
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0# | MEuu1a2o6n.exe, 00000000.00000003.1786658826.0000000002B52000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000003.00000003.2506383329.0000000002F27000.00000004.00000020.00020000.00000000.sdmp | false | high
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0# | MEuu1a2o6n.exe, 00000000.00000003.1786658826.0000000002B52000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000003.00000003.2506383329.0000000002F27000.00000004.00000020.00020000.00000000.sdmp | false | high
http://.css | MEuu1a2o6n.exe, 00000000.00000003.1786658826.0000000002D8D000.00000004.00000020.00020000.00000000.sdmp | false | high
https://crashpad.chromium.org/https://crashpad.chromium.org/bug/new | MEuu1a2o6n.exe, 00000000.00000003.1786658826.0000000003124000.00000004.00000020.00020000.00000000.sdmp | false | high
https://github.com/Pester/Pester | powershell.exe, 00000013.00000002.2626771904.0000000005046000.00000004.00000800.00020000.00000000.sdmp | false | high
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | MEuu1a2o6n.exe, 00000000.00000003.1786658826.0000000002B52000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000003.00000003.2506383329.0000000002F27000.00000004.00000020.00020000.00000000.sdmp | false | high
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y | MEuu1a2o6n.exe, 00000000.00000003.1786658826.0000000002B52000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000003.00000003.2506383329.0000000002F27000.00000004.00000020.00020000.00000000.sdmp | false | high
https://aka.ms/pscore6lB | powershell.exe, 00000012.00000002.2625999372.0000000005181000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2626771904.0000000004EF1000.00000004.00000800.00020000.00000000.sdmp | false | high
https://m.google.com/devicemanagement/data/api | MEuu1a2o6n.exe, 00000000.00000003.1786658826.0000000003124000.00000004.00000020.00020000.00000000.sdmp, MEuu1a2o6n.exe, 00000000.00000003.1786658826.0000000002D8D000.00000004.00000020.00020000.00000000.sdmp | false | high
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | MEuu1a2o6n.exe, 00000000.00000003.1786658826.0000000002B52000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000003.00000003.2506383329.0000000002F27000.00000004.00000020.00020000.00000000.sdmp | false | high
https://dl.google.com/update2/installers/icons/ | MEuu1a2o6n.exe, 00000000.00000003.1786658826.0000000003124000.00000004.00000020.00020000.00000000.sdmp, MEuu1a2o6n.exe, 00000000.00000003.1786658826.0000000002D8D000.00000004.00000020.00020000.00000000.sdmp | false | high
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000012.00000002.2625999372.000000000586E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2625999372.00000000052D5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2626771904.0000000005046000.00000004.00000800.00020000.00000000.sdmp | false | high
http://support.google.com/installer/ | MEuu1a2o6n.exe, 00000000.00000003.1786658826.0000000003124000.00000004.00000020.00020000.00000000.sdmp | false | high
https://contoso.com/ | powershell.exe, 00000013.00000002.2640306400.0000000005F54000.00000004.00000800.00020000.00000000.sdmp | false | high
https://nuget.org/nuget.exe | powershell.exe, 00000012.00000002.2651491613.00000000061E4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2640306400.0000000005F54000.00000004.00000800.00020000.00000000.sdmp | false | high
http://support.google.com/installer/%s?product=%s&error=%d | MEuu1a2o6n.exe, 00000000.00000003.1786658826.0000000003124000.00000004.00000020.00020000.00000000.sdmp | false | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000012.00000002.2625999372.0000000005181000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2626771904.0000000004EF1000.00000004.00000800.00020000.00000000.sdmp | false | high
http://.jpg | MEuu1a2o6n.exe, 00000000.00000003.1786658826.0000000002D8D000.00000004.00000020.00020000.00000000.sdmp | false | high
| IP | Domain | Country | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|
| 118.107.44.219 | unknown | Singapore | 64050 | BCPL-SGBGPNETGlobalASNSG | true |
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1581462
Start date and time: 2024-12-27 20:06:57 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 19s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Run with higher sleep bypass
Number of new started processes analysed: 29
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: MEuu1a2o6n.exe (renamed because the original name is a hash value)
Original Sample Name: B686B0A91C6DA4D4EF4EB9894F41AAEF.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@43/29@0/1
EGA Information:
• Successful, ratio: 25%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 118
• Number of non-executed functions: 292
Cookbook Comments:
• Found application associated with file extension: .exe
• Sleeps longer than 100000000ms are automatically reduced to 1000ms
• Sleep loops longer than 100000000ms are bypassed. Single calls with a delay of 100000000ms or higher are ignored
• Excluded processes from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 20.12.23.50, 13.107.246.63
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target MEuu1a2o6n.exe, PID 764 because there are no executed functions
• Execution Graph export aborted for target powershell.exe, PID 2764 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 5076 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: MEuu1a2o6n.exe
                                                                  No simulations
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
|---|---|---|---|---|
| 118.107.44.219 | OdiHmn3pRK.exe | malicious | Unknown | |
                                                                    No context
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
|---|---|---|---|---|
| BCPL-SGBGPNETGlobalASNSG | OdiHmn3pRK.exe | malicious | Unknown | 118.107.44.219 |
| | S1Rv3ioghk.exe | malicious | Unknown | 118.107.44.112 |
| | WiezmDFd6L.exe | malicious | Unknown | 134.122.155.90 |
| | armv7l.elf | malicious | Unknown | 134.122.132.194 |
| | 492c3445eddadc4b2c411a6eb79813339a0b3fc6d2d69.dll | malicious | Unknown | 134.122.134.93 |
| | rQuotation.exe | malicious | FormBook | 202.95.11.110 |
| | 3.elf | malicious | Unknown | 137.220.247.57 |
| | MicrosoftEdgeUpdateSetup.exe | malicious | Unknown | 134.122.134.93 |
| | SWIFT COPY.exe | malicious | FormBook | 134.122.191.187 |
| | http://93287.mobi | malicious | Unknown | 137.220.229.108 |
                                                                    No context
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
|---|---|---|---|---|
| C:\Users\Public\Bilite\ChromeSetup.exe | WiezmDFd6L.exe | malicious | Unknown | |
| | WiezmDFd6L.exe | malicious | Unknown | |
Process: C:\Users\user\Desktop\MEuu1a2o6n.exe
File Type: openssl enc'd data with salted password, base64 encoded
Category: dropped
Size (bytes): 44
Entropy (8bit): 4.925118550357139
Encrypted: false
SSDEEP: 3:iqknz1wReNcIIix+:iliRyIH
MD5: DF834B315AFBDF1009F18093561F24B0
SHA1: E6D34AA40B027DFE0770D7EA47EB0F8391FDE9A5
SHA-256: 32627CBBDCD3BCC5FC0A9BFABA8F83D3B0658117E957656C61E6A40F1B3F198E
SHA-512: 26A8B16B1CF69B2EF5B675F4C1AE9CFFAF97AF7B3F5CF04BC7DBB2EA352AFB4D612229F77A4E67CAE1F69CCC289330DAB917D1260E3985B617027E637515CDC1
Malicious: false
Preview: U2FsdGVkX1+F4WeqPiQSr4Yjb4xJYXlIJqx/6mGhFoo=
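The 44-byte artifact above is what `openssl enc -salt` writes: base64 over the literal header `Salted__`, an 8-byte salt, then the ciphertext. The check a practitioner wants is to confirm that layout, pull the salt out, and see how much plaintext the ciphertext can hold. The following is an added example and not code from the report or the sample; `DROPPED_B64` is the preview string shown above, while the candidate password and the digest choice in `evp_bytes_to_key` are assumptions made here for illustration (the real password is not recoverable from the file).

```python
"""Inspect the 44-byte 'openssl enc' artifact listed among the dropped files.

Added example, not part of the Joe Sandbox report. DROPPED_B64 is the file
preview the report shows; the candidate password and digest choice passed to
evp_bytes_to_key are illustrative assumptions.
"""
import base64
import hashlib

MAGIC = b"Salted__"  # 8-byte header written by `openssl enc -salt` (the default)
DROPPED_B64 = "U2FsdGVkX1+F4WeqPiQSr4Yjb4xJYXlIJqx/6mGhFoo="  # preview from the report


def parse_openssl_salted(b64_text: str) -> dict:
    """Split an OpenSSL salted blob into its 8-byte salt and the ciphertext."""
    raw = base64.b64decode(b64_text, validate=True)
    if len(raw) < 16 or raw[:8] != MAGIC:
        raise ValueError("not an OpenSSL 'Salted__' blob")
    ciphertext = raw[16:]
    return {
        "salt": raw[8:16],
        "ciphertext": ciphertext,
        # CBC output is a whole number of 16-byte AES blocks, and PKCS#7 padding
        # always adds at least one byte, so the plaintext is at most len-1 bytes.
        "block_aligned": len(ciphertext) % 16 == 0,
        "max_plaintext_len": len(ciphertext) - 1,
    }


def evp_bytes_to_key(password: bytes, salt: bytes, key_len: int = 32,
                     iv_len: int = 16, digest: str = "sha256") -> tuple:
    """OpenSSL EVP_BytesToKey with count=1, the KDF behind `openssl enc -pass`.

    D_1 = H(password || salt), D_i = H(D_{i-1} || password || salt); key and IV
    are sliced from the concatenation. OpenSSL 1.1.0+ defaults to SHA-256; older
    builds (and many tutorials) used MD5, so try both when the origin is unknown.
    The salt alone does not help: without the password nothing can be decrypted.
    """
    prev = b""
    stream = b""
    while len(stream) < key_len + iv_len:
        prev = hashlib.new(digest, prev + password + salt).digest()
        stream += prev
    return stream[:key_len], stream[key_len:key_len + iv_len]


def describe(b64_text: str = DROPPED_B64, candidate_password: bytes = b"password") -> dict:
    """Summarise the blob and show what one (assumed) password would derive."""
    info = parse_openssl_salted(b64_text)
    key, iv = evp_bytes_to_key(candidate_password, info["salt"])
    return {
        "salt_hex": info["salt"].hex(),
        "ciphertext_len": len(info["ciphertext"]),
        "block_aligned": info["block_aligned"],
        "max_plaintext_len": info["max_plaintext_len"],
        "candidate_key_hex": key.hex(),
        "candidate_iv_hex": iv.hex(),
    }


if __name__ == "__main__":
    for k, v in describe().items():
        print(f"{k}: {v}")
```

For this sample the blob decodes to exactly 32 bytes: the header, an 8-byte salt and a single 16-byte block, so whatever the sample encrypted is at most 15 bytes (a short key, token or flag rather than a payload). Actually decrypting it would need the password the sample supplied to `openssl`, which is not in the report.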
Process: C:\Users\user\Desktop\MEuu1a2o6n.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 2289432
Entropy (8bit): 6.608881172420025
Encrypted: false
SSDEEP: 49152:5WDF0mklRXopNsAyGrLf2x2umZTltQCv3n89btEQBz68IaV:5Wh0mklRXo7fyGrTw2umjtQCv3nutEQR
MD5: B1B3A26D557D3FFD4FB1358290A0E13E
SHA1: 763C92A20DB285249F9C043F1249C2C079D45664
SHA-256: 767CD378AF0B0C6B6665DC89078DB9D52D81EBA13AB72B84512A33C912658711
SHA-512: 4F66F9E72634BEC4482ACEDE8D15792710EB5A9FC761603B49EBEA096E88F07F3E92B201A68CCD7882DDE9A6CD5B9408C2F082EFAAB937B7E2C4EAACD030B30C
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 37%
                                                                        Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....sig...........!.........:......S........................................`#...........@.........................<...O.......h..... ..H............"..)... !..0..\........................b......P................................................text............................... ..`.rdata...].......^..................@..@.data...@..... ..^..................@....00cfg........ ......H .............@..@.tls.......... ......J .............@....rsrc....H.... ..H...L .............@..@.reloc...0... !..2.... .............@..B................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Users\user\Desktop\MEuu1a2o6n.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 395368
Entropy (8bit): 5.090673225697451
Encrypted: false
SSDEEP: 6144:I0acLF3rgypB1Grf/TRfiJ7BePaEvLJggZy:Y/TRfi3ePtJRg
MD5: FB325C945A08D06FE91681179BDCCC66
SHA1: F5D91B7D75D34E156066AB4099E0FD0DF9227B32
SHA-256: 0C2CC4513EC9101A28A7988C72A46175EFD82F387BB3BCFB2612E808804282B5
SHA-512: 2BB588EBE2FA35D03652AEC4E5D51DABD3A24E996336A4D5EC9C762D6084862D5CD5F530F1DA0B98D2887BA88F4E077697D128071FF497D2967F9F42ADC2F533
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........:..[...[...[...#l..[.......[.......[.......[.......[..b....[..e....[...0...[...[...[..e....[..e....[...[h..[..e....[..Rich.[..........................PE..L...X..e............................\........ ....@..................................8....@.................................D(.......@..................h(...........!..T............................!..@............ ...............................text............................... ..`.rdata....... ......................@..@.data........0.......$..............@....rsrc........@.......&..............@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................
Process: C:\Users\user\Desktop\MEuu1a2o6n.exe
File Type: data
Category: dropped
Size (bytes): 69947528
Entropy (8bit): 7.999995221278417
Encrypted: true
SSDEEP: 1572864:MAm4Pz2HsA8kQp53/qIgnsCisxhhvxTLhAeXDxv4i/d3AC+ZL:Mjoz98QbPqIgnsCisxhhJlAeXDxvVgL
MD5: F3BECB4772D5FFDA3B45506E796FE4CE
SHA1: CC14A431A7D6C64CFE0683E0333869959515C587
SHA-256: 3FDC78A3A74C8BA0C37093AA1308FD2A439CA44052B4E9EF83CC5E90C1589BD6
SHA-512: D9334E287A750235BC13AB11F8E3760467CDAB8CE108ECE9DEFAFBA07D60094D3B20EFBD31C61296BA7E7BEC7A1EE67F1BD5E75F99E0E831FE74A48D43FB8357
Malicious: false
                                                                        Preview:..>.....x...@..{)`B.........*......F......P j.~.%.c..J2,j.nXj~.._.O...h...$........F)d...|."......G..T..R+Ikt.0'.q..8..9\..b[.H...d.3i.ly ..D.l..0D.!...69...M.!-{nX.....:k.".h...e.G..NN.W.m.+..`.*......[..5.ZL...v.6.\2..k.t.....!k...j..pX...S.<.YD^i@...,.PMy..B.....#^uR.M....K...g.f.....1....k."..&$..XY....@...?..R:.........@.Q|.)D..C...U.V.(.D..lYHh....~o.%B..}.=.;X)6...h....v.......{J<7X)....$H[.]^...._].sq....M.........<..`a&Y=.@S...}Z.%...<..S..v]..'Ri.....`{..:.......9....F.s.]s.(OC8.....u.&2.Ugw}.-..4..i.0..Vcg..]..t.{....z.}...@)).@....v.*.K....D...X%._.t.b.)B.o....fp._.M..#..d...Q...dgI..j#.k.T.....).'MP;.........:......,s......_.&m....v.a$M..!...L-.|Z.c.6....A..j'...K..4...v.%..C..E.h.C...P......A-S..\.......7..v....a...H...|.Om....1....E..\...6.#.:f.^.N....N.r..\v.[.....$..C.....c....P!x......%.d...B...d.A.......Sv.8.D..h^....4.S.yb2.r.5er..|{.HA<.".>.v.?...R..S<{QR..8...;..&F.=.6f..._u...fc(.G..m..,..T.f/..t
Process: C:\Users\user\Desktop\MEuu1a2o6n.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 10384768
Entropy (8bit): 6.780996075213578
Encrypted: false
SSDEEP: 196608:VpjYZ94Z6AhJ5NtGdDDIauMJZZCgdaTos7s4QA/rmYeus5dvXCKsJdVV3qHDYyY2:VpjwKZF5LGdDDvJZZCgdwbcAheus5xXB
MD5: C8B07E0F9BA7C97B55CB29835FFAF5F6
SHA1: 9FFFC728C361DCDD4828212F1F0E56A0DAC92463
SHA-256: A68355D5F7E99F3BE66D84EA5AD4A72F92D1611C53F959C0B4E742B363678578
SHA-512: 0AB0D39F0FBCDB11E241AE95CC540A54EF4D9A6E611AE516EF189627E73505696AEBEDACE7D4527C40F31A021850CB7CB563F4D0CE0411BE2F9B87ABA2493866
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: WiezmDFd6L.exe, Detection: malicious
• Filename: WiezmDFd6L.exe, Detection: malicious
                                                                        Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...{*2g.........."......T4...i...................@......................................@.........................<.=.U.....=.@.....@..H^..........,...I...`.......k=.....................Pi=......q4.............@.=.l............................text....S4......T4................. ..`.rdata..`....p4......X4.............@..@.data........ >..R....=.............@....tls....u.....?......N>.............@...CPADinfo(.....?......P>.............@...malloc_h......@......R>............. ..`.rsrc....H^...@..H^..T>.............@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................................................................
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 1360
Entropy (8bit): 5.4072854279441245
Encrypted: false
SSDEEP: 24:3eWSKco4KmBs4RPT6BmFoUebIKomjKcmZ9tXt/NK3R88bJ02r2W3b2:uWSU4y4RQmFoUeWmfmZ9tlNWR832qab2
MD5: 963F0AC2D18867FA10DA02614C0910ED
SHA1: 2D977EEA018BB999D9EDC01D4E66414E659EF56A
SHA-256: B176BC2911E4B612F1ADBC2FC7B24A06A7BD7535DA1E2B68C7E39A618C7979F2
SHA-512: 569083E9BD8F8C62078A86ACBFC6EDB416513B0B1B58E01349C466D70B4259B04B5A58E162056DD120F42E12C2FA7BFBE0E021466A3DA9EEFA366D50A75C2AA0
Malicious: false
                                                                        Preview:@...e...........................................................P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.D....................+.H..!...e........System.Configuration.Ins
Process: C:\Users\Public\Bilite\Axialis\Update.exe
File Type: XML 1.0 document, ASCII text
Category: dropped
Size (bytes): 1893
Entropy (8bit): 5.212287775015203
Encrypted: false
SSDEEP: 48:c55XzDl4Q2ZbXL6Q0QFdOFQOzN33O4OiDdKrKsTLXbGMv:O5XzDl4Q2ZbGQhFdOFQOzBdKrKsTLXbV
MD5: E3FB2ECD2AD10C30913339D97E0E9042
SHA1: A004CE2B3D398312B80E2955E76BDA69EF9B7203
SHA-256: 1BD6DB55FFF870C9DF7A0AAC11B895B50F57774F20A5744E63BBC3BD40D11F28
SHA-512: 9D6F0C1E344F1DC5A0EF4CAAD86281F92A6C108E1085BACD8D6143F9C742198C2F759CA5BDFFAD4D9E40203E6B0460E84896D1C6B8B1759350452E1DE809B716
Malicious: false
Preview (truncated, non-ASCII characters lost as "?"):
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2006-11-10T14:29:55.5851926</Date>
    <Author>Microsoft Corporation</Author>
    <Description>????? AD RMS ?????????????????? Web ?????????,???????????</Description>
    <URI>\AS AMD updata</URI>
    <SecurityDescriptor>D:(A;;FA;;;BA)(A;;FA;;;SY)(A;;FRFX;;;WD)</SecurityDescriptor>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger id="06b3f632-87ad-4ac0-9737-48ea5ddbaf11">
      <Enabled>true</Enabled>
      <Delay>PT30S</Delay>
    </LogonTrigger>
  </Triggers>
  <Principals>
    <Principal id="AllUsers">
      <GroupId>S-1-1-0</GroupId>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
    <AllowHardTerm
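The task XML written by Update.exe is the sample's persistence: a task that claims Microsoft as author but registers outside `\Microsoft\`, runs for Everyone (S-1-1-0) at the highest available integrity, and fires 30 seconds after every logon. The following triage routine is an added example, not code from the report or the sample. `TASK_FROM_REPORT` is the visible part of the preview above closed off so it parses (the preview is cut at `<AllowHardTerm`, so no `Actions` element is visible and the real command is unknown); `HYPOTHETICAL_TASK` and the `USER_WRITABLE` list are constructed here to exercise the action-path check on a made-up path.

```python
"""Triage a Windows scheduled-task XML for persistence indicators.

Added example, not part of the Joe Sandbox report. TASK_FROM_REPORT is the
visible part of the task XML the report shows Update.exe writing, closed off so
it parses; HYPOTHETICAL_TASK and USER_WRITABLE are constructed for illustration.
"""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
EVERYONE_SID = "S-1-1-0"
# Directories any interactive user can write to (illustrative list, assumption).
USER_WRITABLE = (r"c:\users\public", r"c:\programdata", r"\appdata\local\temp")

TASK_FROM_REPORT = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Author>Microsoft Corporation</Author>
    <Description>????? AD RMS ?????????????????? Web ?????????,???????????</Description>
    <URI>\AS AMD updata</URI>
    <SecurityDescriptor>D:(A;;FA;;;BA)(A;;FA;;;SY)(A;;FRFX;;;WD)</SecurityDescriptor>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger id="06b3f632-87ad-4ac0-9737-48ea5ddbaf11">
      <Enabled>true</Enabled>
      <Delay>PT30S</Delay>
    </LogonTrigger>
  </Triggers>
  <Principals>
    <Principal id="AllUsers">
      <GroupId>S-1-1-0</GroupId>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
  </Settings>
</Task>
"""

# Entirely made up: a benign-looking task whose only oddity is its action path.
HYPOTHETICAL_TASK = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>Microsoft Corporation</Author><URI>\Microsoft\Windows\Example</URI></RegistrationInfo>
  <Principals><Principal id="u"><UserId>S-1-5-21-0-0-0-1001</UserId><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Actions><Exec><Command>C:\Users\Public\Example\updater.exe</Command></Exec></Actions>
</Task>
"""


def parse_task(text: str) -> ET.Element:
    # The declaration claims UTF-16 while the report lists the file as ASCII
    # text; drop the declaration so the parser does not trust it.
    return ET.fromstring(re.sub(r"^\s*<\?xml[^>]*\?>", "", text).lstrip())


def _text(node, path):
    found = node.find(path, NS)
    return found.text.strip() if found is not None and found.text else None


def triage_task(text: str) -> list:
    """Return human-readable findings for one task definition."""
    root = parse_task(text)
    findings = []
    author = _text(root, "t:RegistrationInfo/t:Author") or ""
    uri = _text(root, "t:RegistrationInfo/t:URI") or ""
    if author.lower().startswith("microsoft") and not uri.lower().startswith("\\microsoft\\"):
        findings.append(f"author '{author}' but task URI '{uri}' is outside \\Microsoft\\")
    for principal in root.findall("t:Principals/t:Principal", NS):
        if (_text(principal, "t:GroupId") == EVERYONE_SID
                and _text(principal, "t:RunLevel") == "HighestAvailable"):
            findings.append("runs for Everyone (S-1-1-0) with RunLevel HighestAvailable")
    if root.find("t:Triggers/t:LogonTrigger", NS) is not None:
        delay = _text(root, "t:Triggers/t:LogonTrigger/t:Delay") or "none"
        findings.append(f"logon trigger (delay {delay})")
    commands = root.findall("t:Actions/t:Exec/t:Command", NS)
    if not commands:
        findings.append("no Exec action visible (preview truncated?)")
    for cmd in commands:
        path = (cmd.text or "").strip().strip('"')
        if any(marker in path.lower() for marker in USER_WRITABLE):
            findings.append(f"action runs from user-writable path: {path}")
    return findings


if __name__ == "__main__":
    for name, xml_text in (("report task", TASK_FROM_REPORT), ("hypothetical", HYPOTHETICAL_TASK)):
        print(name, triage_task(xml_text))
```

On a live host the same routine can be pointed at the files under `C:\Windows\System32\Tasks`, which are stored in the same schema; the `Author`/`URI` mismatch and the Everyone-plus-HighestAvailable principal are the two checks that separate this task from the stock Microsoft ones.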
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode
                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                        Process:C:\Users\Public\Bilite\Axialis\Update.exe
                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):2289432
                                                                        Entropy (8bit):6.608881172420025
                                                                        Encrypted:false
                                                                        SSDEEP:49152:5WDF0mklRXopNsAyGrLf2x2umZTltQCv3n89btEQBz68IaV:5Wh0mklRXo7fyGrTw2umjtQCv3nutEQR
                                                                        MD5:B1B3A26D557D3FFD4FB1358290A0E13E
                                                                        SHA1:763C92A20DB285249F9C043F1249C2C079D45664
                                                                        SHA-256:767CD378AF0B0C6B6665DC89078DB9D52D81EBA13AB72B84512A33C912658711
                                                                        SHA-512:4F66F9E72634BEC4482ACEDE8D15792710EB5A9FC761603B49EBEA096E88F07F3E92B201A68CCD7882DDE9A6CD5B9408C2F082EFAAB937B7E2C4EAACD030B30C
                                                                        Malicious:true
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 37%
                                                                        Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....sig...........!.........:......S........................................`#...........@.........................<...O.......h..... ..H............"..)... !..0..\........................b......P................................................text............................... ..`.rdata...].......^..................@..@.data...@..... ..^..................@....00cfg........ ......H .............@..@.tls.......... ......J .............@....rsrc....H.... ..H...L .............@..@.reloc...0... !..2.... .............@..B................................................................................................................................................................................................................................................................................................................................................................
                                                                        Process:C:\Users\Public\Bilite\Axialis\Update.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):395368
                                                                        Entropy (8bit):5.090673225697451
                                                                        Encrypted:false
                                                                        SSDEEP:6144:I0acLF3rgypB1Grf/TRfiJ7BePaEvLJggZy:Y/TRfi3ePtJRg
                                                                        MD5:FB325C945A08D06FE91681179BDCCC66
                                                                        SHA1:F5D91B7D75D34E156066AB4099E0FD0DF9227B32
                                                                        SHA-256:0C2CC4513EC9101A28A7988C72A46175EFD82F387BB3BCFB2612E808804282B5
                                                                        SHA-512:2BB588EBE2FA35D03652AEC4E5D51DABD3A24E996336A4D5EC9C762D6084862D5CD5F530F1DA0B98D2887BA88F4E077697D128071FF497D2967F9F42ADC2F533
                                                                        Malicious:true
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........:..[...[...[...#l..[.......[.......[.......[.......[..b....[..e....[...0...[...[...[..e....[..e....[...[h..[..e....[..Rich.[..........................PE..L...X..e............................\........ ....@..................................8....@.................................D(.......@..................h(...........!..T............................!..@............ ...............................text............................... ..`.rdata....... ......................@..@.data........0.......$..............@....rsrc........@.......&..............@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................
                                                                        Process:C:\Users\Public\Bilite\Axialis\Update.exe
                                                                        File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):769
                                                                        Entropy (8bit):5.113976261619789
                                                                        Encrypted:false
                                                                        SSDEEP:24:NFW/WAW/WAWE3fzWcWrfZKx31SIYaYZLZ6y:NFVAVAjvz6ZKx31SIYN/6y
                                                                        MD5:F7F23953F7C236A0F12AE4848F174480
                                                                        SHA1:E222C191BE437B39FB294EDD1FCCAF961B1F7265
                                                                        SHA-256:0CD1B31F9AA2F089BD33331B172CD4813167BD59F889EFDC7EB2ADAA71F3D9CC
                                                                        SHA-512:2790AFD071756E25FF408426E0D40879603EBCBC23C1D98AD891017237A2930F27CC19F28C38C5BAB5221E828B0B08727EDCEC1D2AA528FCCED0B7EE576836B8
                                                                        Malicious:false
                                                                        Preview:@echo off..:CheckProcess..set "ProcessName=Update.exe"..set "ProcessPath=C:\Users\Public\Bilite\Axialis\Update.exe"..set "BackupProcessPath=C:\Users\user\AppData\Local\Temp\\backup.exe"..set "DLLPath=C:\Users\Public\Bilite\Axialis\Update.dll"..set "BackupDLLPath=C:\Users\user\AppData\Local\Temp\\backup.dll"..if not exist "%ProcessPath%" (.. echo Process file not found, restoring from backup..... copy /Y "%BackupProcessPath%" "%ProcessPath%"..)..if not exist "%DLLPath%" (.. echo DLL file not found, restoring from backup..... copy /Y "%BackupDLLPath%" "%DLLPath%"..)..tasklist /FI "IMAGENAME eq %ProcessName%" | findstr /I "%ProcessName%" >nul..if %ERRORLEVEL% neq 0 (.. start "" "%ProcessPath%"..)..timeout /t 30 /nobreak >nul..goto CheckProcess..
                                                                        Process:C:\Users\Public\Bilite\Axialis\Update.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):4
                                                                        Entropy (8bit):2.0
                                                                        Encrypted:false
                                                                        SSDEEP:3:OT:OT
                                                                        MD5:E8F2779682FD11FA2067BEFFC27A9192
                                                                        SHA1:F9A2D0319FBE0802C17A9909108D43C7E9C326EF
                                                                        SHA-256:0D589A18C4705F5616CE3205AD85BD59DA85FA0C40EAEFBEE054F7F863F3CB1A
                                                                        SHA-512:E2A30BEA58120AAECAAC14F85F6A2E5CA555886AF4FEA9A7DEBEEAD662714F876054EE344083FC68404D06908D6534418E7CDA329BE1E52BF76308531EF947A8
                                                                        Malicious:false
                                                                        Preview:2896
                                                                        Process:C:\Users\Public\Bilite\Axialis\Update.exe
                                                                        File Type:ASCII text
                                                                        Category:dropped
                                                                        Size (bytes):151
                                                                        Entropy (8bit):4.741657013789009
                                                                        Encrypted:false
                                                                        SSDEEP:3:41Ai+PBoAwnLFsI2FIERMJyjqLWAfXIhS/ytIEFMEQVGdAn:4yi+5dwnLFsI2F5KJy0fXnMFFQhn
                                                                        MD5:AA0E1012D3B7C24FAD1BE4806756C2CF
                                                                        SHA1:FE0D130AF9105D9044FF3D657D1ABEAF0B750516
                                                                        SHA-256:FC47E1FA89397C3139D9047DC667531A9153A339F8E29AC713E518D51A995897
                                                                        SHA-512:15FAE192951747A0C71059F608700F88548F3E60BB5C708B206BF793A7E3D059A278F2058D4AC86B86781B202037401A29602EE4D6C0CBAAFF532CEF311975F4
                                                                        Malicious:true
                                                                        Preview:$xmlPath = "XML??".$taskName = "????".$xmlContent = Get-Content -Path $xmlPath | Out-String.Register-ScheduledTask -Xml $xmlContent -TaskName $taskName
                                                                        Process:C:\Users\Public\Bilite\Axialis\Update.exe
                                                                        File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Dec 27 18:07:58 2024, mtime=Fri Dec 27 18:07:59 2024, atime=Sun Dec 8 12:55:51 2024, length=10384768, window=hide
                                                                        Category:dropped
                                                                        Size (bytes):1056
                                                                        Entropy (8bit):4.689998462201827
                                                                        Encrypted:false
                                                                        SSDEEP:12:8LvRGpUlGIBCICHqX2RiXQACmqix6+sxXlGrjEjAgslGlHavR9VyVv44t2YZ/ele:8LpGgGGh5IorUAgsDvR9VyVoqyFm
                                                                        MD5:489EC7A31600B7B3FDE2608F7FD32147
                                                                        SHA1:8DF65D94B96BD545378D85A2A90957821E6E6A0C
                                                                        SHA-256:B15960818ACAF670C71DF746B7065411323F9FB0C2F70ECCC66361AF0FC3B1C3
                                                                        SHA-512:157C676BB8965DDD83F29A183B988C9836398A3F01271100B15AF10712A5A8550BA0F5733AA2DCC640EDB6513AFD31FB6A5E6BB2DCDF0F27C2A0F4EDEEAA0405
                                                                        Malicious:false
                                                                        Preview:L..................F.... ........X......X...@.xI...u...........................P.O. .:i.....+00.../C:\...................x.1.....CW;^..Users.d......OwH.Y......................:.....K...U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....|.1......Y....Public..f......O.I.Y......+...............<.....w=w.P.u.b.l.i.c...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.6.....T.1......Y....Bilite..>......Y...Y.............................N..B.i.l.i.t.e.....l.2..u...Y.n .CHROME~1.EXE..P......Y...Y......E....................."e{.C.h.r.o.m.e.S.e.t.u.p...e.x.e.......U...............-.......T............[.m.....C:\Users\Public\Bilite\ChromeSetup.exe..#.....\.....\.P.u.b.l.i.c.\.B.i.l.i.t.e.\.C.h.r.o.m.e.S.e.t.u.p...e.x.e..........v..*.cM.jVD.Es.!...`.......X.......562258...........hT..CrF.f4... .u.T..b...,.......hT..CrF.f4... .u.T..b...,..................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.9.3.4.0.5.1.1.7.-.2.4.7.6.7.5.6.6.3.4.-.1.0.0.2.........9...1SPS.
                                                                        Process:C:\Windows\SysWOW64\timeout.exe
                                                                        File Type:ASCII text, with CRLF line terminators, with overstriking
                                                                        Category:dropped
                                                                        Size (bytes):98
                                                                        Entropy (8bit):4.371166116226072
                                                                        Encrypted:false
                                                                        SSDEEP:3:hYFRZARcWmFsFJQZ/ctXvY/4to/9uF8cttEn:hYFRamFSQZ0lv5y/9JctE
                                                                        MD5:28BEC8599BE82210A6181000140CAED7
                                                                        SHA1:2BA5D6E3CFFB0F59FB936577C07C47D72150394E
                                                                        SHA-256:29598CEF0C79657A520DC2F778C8C6D72CE5D44124F3E93E318105B378C3B54B
                                                                        SHA-512:83351881D559145F9BEC84669DEE8CE79C9A95291B8BA8889625C5307C5D99AE7BB9776201AC3A3E941C144EDBB6967B85582F9D695A298710792E46DBA9F6B3
                                                                        Malicious:false
                                                                        Preview:..Waiting for 30 seconds, press CTRL+C to quit .....29..28..27..26..25..24..23..22..21..20..19..18
                                                                        File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Entropy (8bit):7.9999862599196385
                                                                        TrID:
                                                                        • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                        • Generic Win/DOS Executable (2004/3) 0.02%
                                                                        • DOS Executable Generic (2002/1) 0.02%
                                                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                        File name:MEuu1a2o6n.exe
                                                                        File size:73'957'257 bytes
                                                                        MD5:b686b0a91c6da4d4ef4eb9894f41aaef
                                                                        SHA1:d5376faea233ddf3d41de066c35b8a51b88c2d02
                                                                        SHA256:cea23cddf4b3ab0e7a61377df8dd847b52a7dd84ba5a3a6a3e547f329a5d29fa
                                                                        SHA512:8b3fe6da763b6ddd3303c454bc904dc7e1632e34651d1a1b82e8fae104742f74c2b435d87c0231103eb73712feb19d2434fd665f95fa0b7509a270503de617ab
                                                                        SSDEEP:1572864:hvZ64UFS44SPDVZpy+1gwFIFhRMNSu8pxpwY9muH4dPuf29k4:hvZ6pbZPDVm3hSN5aIY9zH4xufj4
                                                                        TLSH:F0F733FEC2E39800D18A36F5F59DEF65D6EF80B8CB05A7026C80D9229952E51D74FB60
                                                                        File Content Preview:MZ`.....................@...................................`...........!..L.!Require Windows..$PE..L...~.&L.....................................0....@.......................... ......y|.......................................P...........z.................
                                                                        Icon Hash:674e4f45a7297639
                                                                        Entrypoint:0x411def
                                                                        Entrypoint Section:.text
                                                                        Digitally signed:false
                                                                        Imagebase:0x400000
                                                                        Subsystem:windows gui
                                                                        Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                        DLL Characteristics:
                                                                        Time Stamp:0x4C26F87E [Sun Jun 27 07:06:38 2010 UTC]
                                                                        TLS Callbacks:
                                                                        CLR (.Net) Version:
                                                                        OS Version Major:4
                                                                        OS Version Minor:0
                                                                        File Version Major:4
                                                                        File Version Minor:0
                                                                        Subsystem Version Major:4
                                                                        Subsystem Version Minor:0
                                                                        Import Hash:b5a014d7eeb4c2042897567e1288a095
                                                                        Instruction
                                                                        push ebp
                                                                        mov ebp, esp
                                                                        push FFFFFFFFh
                                                                        push 00414C50h
                                                                        push 00411F80h
                                                                        mov eax, dword ptr fs:[00000000h]
                                                                        push eax
                                                                        mov dword ptr fs:[00000000h], esp
                                                                        sub esp, 68h
                                                                        push ebx
                                                                        push esi
                                                                        push edi
                                                                        mov dword ptr [ebp-18h], esp
                                                                        xor ebx, ebx
                                                                        mov dword ptr [ebp-04h], ebx
                                                                        push 00000002h
                                                                        call dword ptr [00413184h]
                                                                        pop ecx
                                                                        or dword ptr [00419924h], FFFFFFFFh
                                                                        or dword ptr [00419928h], FFFFFFFFh
                                                                        call dword ptr [00413188h]
                                                                        mov ecx, dword ptr [0041791Ch]
                                                                        mov dword ptr [eax], ecx
                                                                        call dword ptr [0041318Ch]
                                                                        mov ecx, dword ptr [00417918h]
                                                                        mov dword ptr [eax], ecx
                                                                        mov eax, dword ptr [00413190h]
                                                                        mov eax, dword ptr [eax]
                                                                        mov dword ptr [00419920h], eax
                                                                        call 00007F835CC877B2h
                                                                        cmp dword ptr [00417710h], ebx
                                                                        jne 00007F835CC8769Eh
                                                                        push 00411F78h
                                                                        call dword ptr [00413194h]
                                                                        pop ecx
                                                                        call 00007F835CC87784h
                                                                        push 00417048h
                                                                        push 00417044h
                                                                        call 00007F835CC8776Fh
                                                                        mov eax, dword ptr [00417914h]
                                                                        mov dword ptr [ebp-6Ch], eax
                                                                        lea eax, dword ptr [ebp-6Ch]
                                                                        push eax
                                                                        push dword ptr [00417910h]
                                                                        lea eax, dword ptr [ebp-64h]
                                                                        push eax
                                                                        lea eax, dword ptr [ebp-70h]
                                                                        push eax
                                                                        lea eax, dword ptr [ebp-60h]
                                                                        push eax
                                                                        call dword ptr [0041319Ch]
                                                                        push 00417040h
                                                                        push 00417000h
                                                                        call 00007F835CC8773Ch
                                                                        Name | Virtual Address | Virtual Size | Is in Section
                                                                        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                                        IMAGE_DIRECTORY_ENTRY_IMPORT | 0x150dc | 0xb4 | .rdata
                                                                        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1a000 | 0x7aae | .rsrc
                                                                        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                                        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                                        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                                                        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                                        IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                                        IMAGE_DIRECTORY_ENTRY_IAT | 0x13000 | 0x310 | .rdata
                                                                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                                        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name   | Virtual Address | Virtual Size | Raw Size | MD5                              | Xored PE | ZLIB Complexity    | File Type | Entropy            | Characteristics
.text  | 0x1000          | 0x11317      | 0x11400  | 797279c5ab1a163aed1f2a528f9fe3ce | False    | 0.6174988677536232 | data      | 6.576987441854239  | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x13000         | 0x30ea       | 0x3200   | 1359639b02bcb8f0a8743e6ead1c0030 | False    | 0.43828125         | data      | 5.549434098115495  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data  | 0x17000         | 0x292c       | 0x800    | 9415c9c8dea3245d6d73c23393e27d8e | False    | 0.431640625        | data      | 3.6583182363171756 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc  | 0x1a000         | 0x7aae       | 0x7c00   | 681924a1176975a6419cbf4cfcb9eeb5 | False    | 0.8595325100806451 | data      | 7.469162062602366  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name          | RVA     | Size  | Type                                                            | Language | Country       | ZLIB Complexity
RT_ICON       | 0x1a304 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English  | United States | 0.41397849462365593
RT_STRING     | 0x1a5ec | 0x278 | data                                                            |          |               | 0.3212025316455696
RT_STRING     | 0x1a864 | 0x328 | data                                                            |          |               | 0.3910891089108911
RT_STRING     | 0x1ab8c | 0xe4  | data                                                            |          |               | 0.5482456140350878
RT_STRING     | 0x1ac70 | 0xbc  | data                                                            |          |               | 0.5691489361702128
RT_STRING     | 0x1ad2c | 0x2dc | data                                                            |          |               | 0.44808743169398907
RT_STRING     | 0x1b008 | 0x3b4 | data                                                            |          |               | 0.38396624472573837
RT_STRING     | 0x1b3bc | 0x2c4 | data                                                            |          |               | 0.4166666666666667
RT_RCDATA     | 0x1b680 | 0x10  | data                                                            |          |               | 1.5
RT_RCDATA     | 0x1b690 | 0x360 | data                                                            |          |               | 0.6944444444444444
RT_GROUP_ICON | 0x1b9f0 | 0x14  | data                                                            | English  | United States | 1.2
RT_VERSION    | 0x1ba04 | 0x324 | data                                                            | English  | United States | 0.4552238805970149
DLL          | Import
COMCTL32.dll |
KERNEL32.dll | GetFileAttributesW, CreateDirectoryW, WriteFile, GetStdHandle, VirtualFree, GetModuleHandleW, GetProcAddress, LoadLibraryA, LockResource, LoadResource, SizeofResource, FindResourceExA, MulDiv, GlobalFree, GlobalAlloc, lstrcmpiA, GetSystemDefaultLCID, GetSystemDefaultUILanguage, GetUserDefaultUILanguage, MultiByteToWideChar, GetLocaleInfoW, lstrlenA, lstrcmpiW, GetEnvironmentVariableW, lstrcmpW, GlobalMemoryStatusEx, VirtualAlloc, WideCharToMultiByte, ExpandEnvironmentStringsW, RemoveDirectoryW, FindClose, FindNextFileW, DeleteFileW, FindFirstFileW, SetThreadLocale, GetLocalTime, GetSystemTimeAsFileTime, lstrlenW, GetTempPathW, SetEnvironmentVariableW, CloseHandle, CreateFileW, GetDriveTypeW, SetCurrentDirectoryW, GetModuleFileNameW, GetCommandLineW, GetVersionExW, CreateEventW, SetEvent, ResetEvent, InitializeCriticalSection, TerminateThread, ResumeThread, SuspendThread, IsBadReadPtr, LocalFree, lstrcpyW, FormatMessageW, GetSystemDirectoryW, DeleteCriticalSection, GetFileSize, SetFilePointer, ReadFile, SetFileTime, SetEndOfFile, EnterCriticalSection, LeaveCriticalSection, WaitForMultipleObjects, GetModuleHandleA, SystemTimeToFileTime, GetLastError, CreateThread, WaitForSingleObject, GetExitCodeThread, Sleep, SetLastError, SetFileAttributesW, GetDiskFreeSpaceExW, lstrcatW, ExitProcess, CompareFileTime, GetStartupInfoA
USER32.dll   | CharUpperW, EndDialog, DestroyWindow, KillTimer, ReleaseDC, DispatchMessageW, GetMessageW, SetTimer, CreateWindowExW, ScreenToClient, GetWindowRect, wsprintfW, GetParent, GetSystemMenu, EnableMenuItem, EnableWindow, MessageBeep, LoadIconW, LoadImageW, wvsprintfW, IsWindow, DefWindowProcW, CallWindowProcW, DrawIconEx, DialogBoxIndirectParamW, GetWindow, ClientToScreen, GetDC, DrawTextW, ShowWindow, SystemParametersInfoW, SetFocus, SetWindowLongW, GetSystemMetrics, GetClientRect, GetDlgItem, GetKeyState, MessageBoxA, wsprintfA, SetWindowTextW, GetSysColor, GetWindowTextLengthW, GetWindowTextW, GetClassNameA, GetWindowLongW, GetMenu, SetWindowPos, CopyImage, SendMessageW, GetWindowDC
GDI32.dll    | GetCurrentObject, StretchBlt, SetStretchBltMode, CreateCompatibleBitmap, SelectObject, CreateCompatibleDC, GetObjectW, GetDeviceCaps, DeleteObject, CreateFontIndirectW, DeleteDC
SHELL32.dll  | SHGetFileInfoW, SHBrowseForFolderW, SHGetPathFromIDListW, SHGetMalloc, ShellExecuteExW, SHGetSpecialFolderPathW, ShellExecuteW
ole32.dll    | CoInitialize, CreateStreamOnHGlobal, CoCreateInstance
OLEAUT32.dll | VariantClear, OleLoadPicture, SysAllocString
MSVCRT.dll   | __set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, _acmdln, exit, _XcptFilter, _exit, ??1type_info@@UAE@XZ, _onexit, __dllonexit, _CxxThrowException, _beginthreadex, _EH_prolog, memset, _wcsnicmp, strncmp, malloc, memmove, _wtol, memcpy, free, memcmp, _purecall, ??2@YAPAXI@Z, ??3@YAXPAX@Z, _except_handler3, _controlfp
Language of compilation system | Country where language is spoken | Map
English                        | United States                    |
Timestamp                       | SID     | Signature                            | Severity | Source IP   | Source Port | Dest IP        | Dest Port | Protocol
2024-12-27T20:09:17.080066+0100 | 2052875 | ET MALWARE Anonymous RAT CnC Checkin | 1        | 192.168.2.4 | 49801       | 118.107.44.219 | 19091     | TCP
2024-12-27T20:10:28.388205+0100 | 2052875 | ET MALWARE Anonymous RAT CnC Checkin | 1        | 192.168.2.4 | 49812       | 118.107.44.219 | 19091     | TCP
Timestamp                          | Source Port | Dest Port | Source IP      | Dest IP
Dec 27, 2024 20:09:12.748766899 CET | 49790       | 18852     | 192.168.2.4    | 118.107.44.219
Dec 27, 2024 20:09:12.868302107 CET | 18852       | 49790     | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:12.868743896 CET | 49790       | 18852     | 192.168.2.4    | 118.107.44.219
Dec 27, 2024 20:09:14.225862026 CET | 18852       | 49790     | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:14.225884914 CET | 18852       | 49790     | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:14.225893974 CET | 18852       | 49790     | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:14.225946903 CET | 49790       | 18852     | 192.168.2.4    | 118.107.44.219
Dec 27, 2024 20:09:14.225955009 CET | 18852       | 49790     | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:14.225965977 CET | 18852       | 49790     | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:14.225986004 CET | 18852       | 49790     | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:14.225996971 CET | 18852       | 49790     | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:14.226006031 CET | 49790       | 18852     | 192.168.2.4    | 118.107.44.219
Dec 27, 2024 20:09:14.226030111 CET | 49790       | 18852     | 192.168.2.4    | 118.107.44.219
Dec 27, 2024 20:09:14.226155996 CET | 18852       | 49790     | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:14.226174116 CET | 18852       | 49790     | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:14.226183891 CET | 18852       | 49790     | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:14.226217985 CET | 49790       | 18852     | 192.168.2.4    | 118.107.44.219
Dec 27, 2024 20:09:14.226241112 CET | 49790       | 18852     | 192.168.2.4    | 118.107.44.219
Dec 27, 2024 20:09:14.347434044 CET | 18852       | 49790     | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:14.347562075 CET | 18852       | 49790     | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:14.347717047 CET | 49790       | 18852     | 192.168.2.4    | 118.107.44.219
Dec 27, 2024 20:09:14.351717949 CET | 18852       | 49790     | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:14.403574944 CET | 49790       | 18852     | 192.168.2.4    | 118.107.44.219
Dec 27, 2024 20:09:14.438049078 CET | 18852       | 49790     | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:14.438060999 CET | 18852       | 49790     | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:14.438114882 CET | 49790       | 18852     | 192.168.2.4    | 118.107.44.219
Dec 27, 2024 20:09:14.440524101 CET | 18852       | 49790     | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:14.440651894 CET | 18852       | 49790     | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:14.440711021 CET | 49790       | 18852     | 192.168.2.4    | 118.107.44.219
Dec 27, 2024 20:09:14.449234009 CET | 18852       | 49790     | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:14.449367046 CET | 18852       | 49790     | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:14.449420929 CET | 49790       | 18852     | 192.168.2.4    | 118.107.44.219
Dec 27, 2024 20:09:14.457592964 CET | 18852       | 49790     | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:14.457731962 CET | 18852       | 49790     | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:14.457783937 CET | 49790       | 18852     | 192.168.2.4    | 118.107.44.219
Dec 27, 2024 20:09:14.466223001 CET | 18852       | 49790     | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:14.466285944 CET | 18852       | 49790     | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:14.469800949 CET | 49790       | 18852     | 192.168.2.4    | 118.107.44.219
Dec 27, 2024 20:09:14.474713087 CET | 18852       | 49790     | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:14.474878073 CET | 18852       | 49790     | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:14.474925041 CET | 49790       | 18852     | 192.168.2.4    | 118.107.44.219
Dec 27, 2024 20:09:14.483704090 CET | 18852       | 49790     | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:14.483767986 CET | 18852       | 49790     | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:14.483839035 CET | 49790       | 18852     | 192.168.2.4    | 118.107.44.219
Dec 27, 2024 20:09:14.491765976 CET | 18852       | 49790     | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:14.491868973 CET | 18852       | 49790     | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:14.492012978 CET | 49790       | 18852     | 192.168.2.4    | 118.107.44.219
Dec 27, 2024 20:09:14.500286102 CET | 18852       | 49790     | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:14.500488043 CET | 18852       | 49790     | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:14.500745058 CET | 49790       | 18852     | 192.168.2.4    | 118.107.44.219
Dec 27, 2024 20:09:14.508781910 CET | 18852       | 49790     | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:14.508915901 CET | 18852       | 49790     | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:14.508960962 CET | 49790       | 18852     | 192.168.2.4    | 118.107.44.219
Dec 27, 2024 20:09:14.525461912 CET | 18852       | 49790     | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:14.525475025 CET | 18852       | 49790     | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:14.525580883 CET | 49790       | 18852     | 192.168.2.4    | 118.107.44.219
Dec 27, 2024 20:09:14.560791969 CET | 18852       | 49790     | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:14.560846090 CET | 18852       | 49790     | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:14.560892105 CET | 49790       | 18852     | 192.168.2.4    | 118.107.44.219
Dec 27, 2024 20:09:14.565004110 CET | 18852       | 49790     | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:14.606678009 CET | 49790       | 18852     | 192.168.2.4    | 118.107.44.219
Dec 27, 2024 20:09:14.650775909 CET | 18852       | 49790     | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:14.650788069 CET | 18852       | 49790     | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:14.650860071 CET | 49790       | 18852     | 192.168.2.4    | 118.107.44.219
Dec 27, 2024 20:09:14.652313948 CET | 18852       | 49790     | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:14.652394056 CET | 18852       | 49790     | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:14.652436972 CET | 49790       | 18852     | 192.168.2.4    | 118.107.44.219
Dec 27, 2024 20:09:14.659116983 CET | 18852       | 49790     | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:14.659286022 CET | 18852       | 49790     | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:14.659476042 CET | 49790       | 18852     | 192.168.2.4    | 118.107.44.219
Dec 27, 2024 20:09:14.667242050 CET | 18852       | 49790     | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:14.667486906 CET | 18852       | 49790     | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:14.667552948 CET | 49790       | 18852     | 192.168.2.4    | 118.107.44.219
Dec 27, 2024 20:09:14.668423891 CET | 18852       | 49790     | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:14.668590069 CET | 18852       | 49790     | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:14.668685913 CET | 49790       | 18852     | 192.168.2.4    | 118.107.44.219
Dec 27, 2024 20:09:14.673830032 CET | 18852       | 49790     | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:14.673927069 CET | 18852       | 49790     | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:14.674026012 CET | 49790       | 18852     | 192.168.2.4    | 118.107.44.219
Dec 27, 2024 20:09:14.679203033 CET | 18852       | 49790     | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:14.679328918 CET | 18852       | 49790     | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:14.679384947 CET | 49790       | 18852     | 192.168.2.4    | 118.107.44.219
Dec 27, 2024 20:09:14.684537888 CET | 18852       | 49790     | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:14.684680939 CET | 18852       | 49790     | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:14.684808016 CET | 49790       | 18852     | 192.168.2.4    | 118.107.44.219
Dec 27, 2024 20:09:14.690015078 CET | 18852       | 49790     | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:14.690077066 CET | 18852       | 49790     | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:14.690129042 CET | 49790       | 18852     | 192.168.2.4    | 118.107.44.219
Dec 27, 2024 20:09:14.695283890 CET | 18852       | 49790     | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:14.695417881 CET | 18852       | 49790     | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:14.695527077 CET | 49790       | 18852     | 192.168.2.4    | 118.107.44.219
Dec 27, 2024 20:09:14.699208975 CET | 18852       | 49790     | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:14.699340105 CET | 18852       | 49790     | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:14.699388981 CET | 49790       | 18852     | 192.168.2.4    | 118.107.44.219
Dec 27, 2024 20:09:14.703247070 CET | 18852       | 49790     | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:14.703327894 CET | 18852       | 49790     | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:14.703582048 CET | 49790       | 18852     | 192.168.2.4    | 118.107.44.219
Dec 27, 2024 20:09:14.707146883 CET | 18852       | 49790     | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:14.707659960 CET | 18852       | 49790     | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:14.707715034 CET | 49790       | 18852     | 192.168.2.4    | 118.107.44.219
Dec 27, 2024 20:09:14.710973978 CET | 18852       | 49790     | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:14.711188078 CET | 18852       | 49790     | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:14.711242914 CET | 49790       | 18852     | 192.168.2.4    | 118.107.44.219
Dec 27, 2024 20:09:14.714828014 CET | 18852       | 49790     | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:14.714981079 CET | 18852       | 49790     | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:14.715027094 CET | 49790       | 18852     | 192.168.2.4    | 118.107.44.219
Dec 27, 2024 20:09:14.718710899 CET | 18852       | 49790     | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:14.718843937 CET | 18852       | 49790     | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:14.718920946 CET | 49790       | 18852     | 192.168.2.4    | 118.107.44.219
Dec 27, 2024 20:09:14.722666979 CET | 18852       | 49790     | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:14.722799063 CET | 18852       | 49790     | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:14.722882986 CET | 49790       | 18852     | 192.168.2.4    | 118.107.44.219
Dec 27, 2024 20:09:14.880827904 CET | 18852       | 49790     | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:14.880841970 CET | 18852       | 49790     | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:14.880913019 CET | 49790       | 18852     | 192.168.2.4    | 118.107.44.219
Dec 27, 2024 20:09:14.882427931 CET | 18852       | 49790     | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:14.882535934 CET | 18852       | 49790     | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:14.882591963 CET | 49790       | 18852     | 192.168.2.4    | 118.107.44.219
Dec 27, 2024 20:09:14.884991884 CET | 18852       | 49790     | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:14.885132074 CET | 18852       | 49790     | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:14.887614965 CET | 49790       | 18852     | 192.168.2.4    | 118.107.44.219
Dec 27, 2024 20:09:14.888339043 CET | 18852       | 49790     | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:14.888587952 CET | 18852       | 49790     | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:14.888652086 CET | 49790       | 18852     | 192.168.2.4    | 118.107.44.219
Dec 27, 2024 20:09:14.891701937 CET | 18852       | 49790     | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:14.891788006 CET | 18852       | 49790     | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:14.891858101 CET | 49790       | 18852     | 192.168.2.4    | 118.107.44.219
Dec 27, 2024 20:09:14.895071983 CET | 18852       | 49790     | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:14.895155907 CET | 18852       | 49790     | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:14.895201921 CET | 49790       | 18852     | 192.168.2.4    | 118.107.44.219
Dec 27, 2024 20:09:14.898407936 CET | 18852       | 49790     | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:14.898525000 CET | 18852       | 49790     | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:14.898574114 CET | 49790       | 18852     | 192.168.2.4    | 118.107.44.219
Dec 27, 2024 20:09:14.901797056 CET | 18852       | 49790     | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:14.902065992 CET | 18852       | 49790     | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:14.902122021 CET | 49790       | 18852     | 192.168.2.4    | 118.107.44.219
Dec 27, 2024 20:09:14.905086994 CET | 18852       | 49790     | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:14.905210972 CET | 18852       | 49790     | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:14.905277014 CET | 49790       | 18852     | 192.168.2.4    | 118.107.44.219
Dec 27, 2024 20:09:14.908458948 CET | 18852       | 49790     | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:14.908545017 CET | 18852       | 49790     | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:14.908591986 CET | 49790       | 18852     | 192.168.2.4    | 118.107.44.219
Dec 27, 2024 20:09:14.911936998 CET | 18852       | 49790     | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:14.911948919 CET | 18852       | 49790     | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:14.911994934 CET | 49790       | 18852     | 192.168.2.4    | 118.107.44.219
Dec 27, 2024 20:09:14.915138006 CET | 18852       | 49790     | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:14.915225029 CET | 18852       | 49790     | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:14.915613890 CET | 49790       | 18852     | 192.168.2.4    | 118.107.44.219
Dec 27, 2024 20:09:14.918508053 CET | 18852       | 49790     | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:14.918616056 CET | 18852       | 49790     | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:14.919325113 CET | 49790       | 18852     | 192.168.2.4    | 118.107.44.219
Dec 27, 2024 20:09:14.921817064 CET | 18852       | 49790     | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:14.921864986 CET | 49790       | 18852     | 192.168.2.4    | 118.107.44.219
Dec 27, 2024 20:09:16.959191084 CET | 49801       | 19091     | 192.168.2.4    | 118.107.44.219
Dec 27, 2024 20:09:17.079521894 CET | 19091       | 49801     | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:17.079850912 CET | 49801       | 19091     | 192.168.2.4    | 118.107.44.219
Dec 27, 2024 20:09:17.080065966 CET | 49801       | 19091     | 192.168.2.4    | 118.107.44.219
Dec 27, 2024 20:09:17.200092077 CET | 19091       | 49801     | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:18.595470905 CET | 19091       | 49801     | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:18.637975931 CET | 49801       | 19091     | 192.168.2.4    | 118.107.44.219
Dec 27, 2024 20:09:18.652520895 CET | 49801       | 19091     | 192.168.2.4    | 118.107.44.219
Dec 27, 2024 20:09:18.772799969 CET | 19091       | 49801     | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:18.772844076 CET | 19091       | 49801     | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:18.772959948 CET | 19091       | 49801     | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:19.442272902 CET | 19091       | 49801     | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:19.442332983 CET | 19091       | 49801     | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:19.442343950 CET | 19091       | 49801     | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:19.442377090 CET | 49801       | 19091     | 192.168.2.4    | 118.107.44.219
Dec 27, 2024 20:09:19.442406893 CET | 19091       | 49801     | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:19.442423105 CET | 19091       | 49801     | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:19.442435026 CET | 19091       | 49801     | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:19.442445993 CET | 19091       | 49801     | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:19.442447901 CET | 49801       | 19091     | 192.168.2.4    | 118.107.44.219
Dec 27, 2024 20:09:19.442471981 CET | 49801       | 19091     | 192.168.2.4    | 118.107.44.219
Dec 27, 2024 20:09:19.442620993 CET | 19091       | 49801     | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:19.442631960 CET | 19091       | 49801     | 118.107.44.219 | 192.168.2.4
                                                                        Dec 27, 2024 20:09:19.442646980 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:19.442667961 CET4980119091192.168.2.4118.107.44.219
                                                                        Dec 27, 2024 20:09:19.442691088 CET4980119091192.168.2.4118.107.44.219
                                                                        Dec 27, 2024 20:09:19.450712919 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:19.497313023 CET4980119091192.168.2.4118.107.44.219
                                                                        Dec 27, 2024 20:09:19.561956882 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:19.606693983 CET4980119091192.168.2.4118.107.44.219
                                                                        Dec 27, 2024 20:09:19.659007072 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:19.659183025 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:19.659239054 CET4980119091192.168.2.4118.107.44.219
                                                                        Dec 27, 2024 20:09:19.663062096 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:19.663172960 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:19.663220882 CET4980119091192.168.2.4118.107.44.219
                                                                        Dec 27, 2024 20:09:19.671660900 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:19.671752930 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:19.671799898 CET4980119091192.168.2.4118.107.44.219
                                                                        Dec 27, 2024 20:09:19.679920912 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:19.680026054 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:19.680074930 CET4980119091192.168.2.4118.107.44.219
                                                                        Dec 27, 2024 20:09:19.688323021 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:19.688518047 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:19.688559055 CET4980119091192.168.2.4118.107.44.219
                                                                        Dec 27, 2024 20:09:19.696763039 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:19.696867943 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:19.696916103 CET4980119091192.168.2.4118.107.44.219
                                                                        Dec 27, 2024 20:09:19.705106020 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:19.705380917 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:19.705430984 CET4980119091192.168.2.4118.107.44.219
                                                                        Dec 27, 2024 20:09:19.713501930 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:19.713651896 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:19.713699102 CET4980119091192.168.2.4118.107.44.219
                                                                        Dec 27, 2024 20:09:19.722048998 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:19.722060919 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:19.722114086 CET4980119091192.168.2.4118.107.44.219
                                                                        Dec 27, 2024 20:09:19.730375051 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:19.730496883 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:19.730541945 CET4980119091192.168.2.4118.107.44.219
                                                                        Dec 27, 2024 20:09:19.738830090 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:19.738930941 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:19.738981009 CET4980119091192.168.2.4118.107.44.219
                                                                        Dec 27, 2024 20:09:19.747190952 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:19.794224024 CET4980119091192.168.2.4118.107.44.219
                                                                        Dec 27, 2024 20:09:19.875926018 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:19.876000881 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:19.876050949 CET4980119091192.168.2.4118.107.44.219
                                                                        Dec 27, 2024 20:09:19.878804922 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:19.878894091 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:19.878953934 CET4980119091192.168.2.4118.107.44.219
                                                                        Dec 27, 2024 20:09:19.884474039 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:19.884581089 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:19.884629965 CET4980119091192.168.2.4118.107.44.219
                                                                        Dec 27, 2024 20:09:19.890088081 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:19.890161991 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:19.890204906 CET4980119091192.168.2.4118.107.44.219
                                                                        Dec 27, 2024 20:09:19.895648003 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:19.895658970 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:19.895704985 CET4980119091192.168.2.4118.107.44.219
                                                                        Dec 27, 2024 20:09:19.901257992 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:19.901412964 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:19.901452065 CET4980119091192.168.2.4118.107.44.219
                                                                        Dec 27, 2024 20:09:19.906831980 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:19.906980038 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:19.907022953 CET4980119091192.168.2.4118.107.44.219
                                                                        Dec 27, 2024 20:09:19.912481070 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:19.912599087 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:19.912641048 CET4980119091192.168.2.4118.107.44.219
                                                                        Dec 27, 2024 20:09:19.918076038 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:19.918229103 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:19.918267965 CET4980119091192.168.2.4118.107.44.219
                                                                        Dec 27, 2024 20:09:19.923747063 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:19.923897028 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:19.923940897 CET4980119091192.168.2.4118.107.44.219
                                                                        Dec 27, 2024 20:09:19.929327011 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:19.929435968 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:19.929483891 CET4980119091192.168.2.4118.107.44.219
                                                                        Dec 27, 2024 20:09:19.934950113 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:19.935152054 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:19.935203075 CET4980119091192.168.2.4118.107.44.219
                                                                        Dec 27, 2024 20:09:19.940597057 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:19.940776110 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:19.940821886 CET4980119091192.168.2.4118.107.44.219
                                                                        Dec 27, 2024 20:09:19.946329117 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:19.946531057 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:19.946577072 CET4980119091192.168.2.4118.107.44.219
                                                                        Dec 27, 2024 20:09:19.951824903 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:19.951961040 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:19.952003956 CET4980119091192.168.2.4118.107.44.219
                                                                        Dec 27, 2024 20:09:19.957446098 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:19.957581997 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:19.957628012 CET4980119091192.168.2.4118.107.44.219
                                                                        Dec 27, 2024 20:09:19.963115931 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:19.963227987 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:19.963272095 CET4980119091192.168.2.4118.107.44.219
                                                                        Dec 27, 2024 20:09:19.968734026 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:19.968852043 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:19.968899965 CET4980119091192.168.2.4118.107.44.219
                                                                        Dec 27, 2024 20:09:19.974330902 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:19.974348068 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:19.974399090 CET4980119091192.168.2.4118.107.44.219
                                                                        Dec 27, 2024 20:09:20.067639112 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:20.093048096 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:20.093113899 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:20.093214989 CET4980119091192.168.2.4118.107.44.219
                                                                        Dec 27, 2024 20:09:20.095022917 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:20.095067024 CET4980119091192.168.2.4118.107.44.219
                                                                        Dec 27, 2024 20:09:20.095155001 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:20.099379063 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:20.099430084 CET4980119091192.168.2.4118.107.44.219
                                                                        Dec 27, 2024 20:09:20.099458933 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:20.103660107 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:20.103708982 CET4980119091192.168.2.4118.107.44.219
                                                                        Dec 27, 2024 20:09:20.103760958 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:20.108484983 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:20.108511925 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:20.108530998 CET4980119091192.168.2.4118.107.44.219
                                                                        Dec 27, 2024 20:09:20.112267017 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:20.112315893 CET4980119091192.168.2.4118.107.44.219
                                                                        Dec 27, 2024 20:09:20.112426043 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:20.116714954 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:20.116756916 CET4980119091192.168.2.4118.107.44.219
                                                                        Dec 27, 2024 20:09:20.116826057 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:20.120951891 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:20.120996952 CET4980119091192.168.2.4118.107.44.219
                                                                        Dec 27, 2024 20:09:20.121068001 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:20.125199080 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:20.125240088 CET4980119091192.168.2.4118.107.44.219
                                                                        Dec 27, 2024 20:09:20.125307083 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:20.129333019 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:20.129383087 CET4980119091192.168.2.4118.107.44.219
                                                                        Dec 27, 2024 20:09:20.129447937 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:20.133557081 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:20.133606911 CET4980119091192.168.2.4118.107.44.219
                                                                        Dec 27, 2024 20:09:20.133657932 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:20.137698889 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:20.137748003 CET4980119091192.168.2.4118.107.44.219
                                                                        Dec 27, 2024 20:09:20.137775898 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:20.141894102 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:20.141936064 CET4980119091192.168.2.4118.107.44.219
                                                                        Dec 27, 2024 20:09:20.141954899 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:20.146044016 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:20.146084070 CET4980119091192.168.2.4118.107.44.219
                                                                        Dec 27, 2024 20:09:20.146130085 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:20.150238991 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:20.150281906 CET4980119091192.168.2.4118.107.44.219
                                                                        Dec 27, 2024 20:09:20.150367022 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:20.154535055 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:20.154578924 CET4980119091192.168.2.4118.107.44.219
                                                                        Dec 27, 2024 20:09:20.154680014 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:20.158624887 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:20.158670902 CET4980119091192.168.2.4118.107.44.219
                                                                        Dec 27, 2024 20:09:20.158742905 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:20.162789106 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:20.162837029 CET4980119091192.168.2.4118.107.44.219
                                                                        Dec 27, 2024 20:09:20.162868023 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:20.166985989 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:20.167030096 CET4980119091192.168.2.4118.107.44.219
                                                                        Dec 27, 2024 20:09:20.167078018 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:20.171209097 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:20.171220064 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:20.171247005 CET4980119091192.168.2.4118.107.44.219
                                                                        Dec 27, 2024 20:09:20.175334930 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:20.175381899 CET4980119091192.168.2.4118.107.44.219
                                                                        Dec 27, 2024 20:09:20.175458908 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:20.179666042 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:20.179703951 CET4980119091192.168.2.4118.107.44.219
                                                                        Dec 27, 2024 20:09:20.179953098 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:20.183727980 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:20.183770895 CET4980119091192.168.2.4118.107.44.219
                                                                        Dec 27, 2024 20:09:20.183826923 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:20.187891960 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:20.187932014 CET4980119091192.168.2.4118.107.44.219
                                                                        Dec 27, 2024 20:09:20.187998056 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:20.192085028 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:20.192122936 CET4980119091192.168.2.4118.107.44.219
                                                                        Dec 27, 2024 20:09:20.192207098 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:20.196307898 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:20.196351051 CET4980119091192.168.2.4118.107.44.219
                                                                        Dec 27, 2024 20:09:20.196681023 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:20.200449944 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:20.200551033 CET4980119091192.168.2.4118.107.44.219
                                                                        Dec 27, 2024 20:09:20.200557947 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:20.204632998 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:20.204688072 CET4980119091192.168.2.4118.107.44.219
                                                                        Dec 27, 2024 20:09:20.204761982 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:20.208914995 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:20.208956003 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:20.208962917 CET4980119091192.168.2.4118.107.44.219
                                                                        Dec 27, 2024 20:09:20.212990999 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:20.213102102 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:20.213129044 CET4980119091192.168.2.4118.107.44.219
                                                                        Dec 27, 2024 20:09:20.217230082 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:20.217355013 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:20.217385054 CET4980119091192.168.2.4118.107.44.219
                                                                        Dec 27, 2024 20:09:20.221374035 CET1909149801118.107.44.219192.168.2.4
                                                                        Dec 27, 2024 20:09:20.221420050 CET4980119091192.168.2.4118.107.44.219
                                                                        Dec 27, 2024 20:09:20.221491098 CET1909149801118.107.44.219192.168.2.4
Timestamp                          | Source Port | Dest Port | Source IP      | Dest IP
Dec 27, 2024 20:09:20.225519896 CET | 19091 | 49801 | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:20.226367950 CET | 49801 | 19091 | 192.168.2.4    | 118.107.44.219
Dec 27, 2024 20:09:20.275527000 CET | 19091 | 49801 | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:20.309954882 CET | 19091 | 49801 | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:20.310102940 CET | 19091 | 49801 | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:20.310193062 CET | 49801 | 19091 | 192.168.2.4    | 118.107.44.219
Dec 27, 2024 20:09:20.311577082 CET | 19091 | 49801 | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:20.311650038 CET | 49801 | 19091 | 192.168.2.4    | 118.107.44.219
Dec 27, 2024 20:09:20.311795950 CET | 19091 | 49801 | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:20.314606905 CET | 19091 | 49801 | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:20.314722061 CET | 19091 | 49801 | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:20.314778090 CET | 49801 | 19091 | 192.168.2.4    | 118.107.44.219
Dec 27, 2024 20:09:20.317939043 CET | 19091 | 49801 | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:20.317987919 CET | 49801 | 19091 | 192.168.2.4    | 118.107.44.219
Dec 27, 2024 20:09:20.318047047 CET | 19091 | 49801 | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:20.321707010 CET | 19091 | 49801 | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:20.321765900 CET | 49801 | 19091 | 192.168.2.4    | 118.107.44.219
Dec 27, 2024 20:09:20.321829081 CET | 19091 | 49801 | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:20.324004889 CET | 19091 | 49801 | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:20.324055910 CET | 49801 | 19091 | 192.168.2.4    | 118.107.44.219
Dec 27, 2024 20:09:20.324131012 CET | 19091 | 49801 | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:20.326967001 CET | 19091 | 49801 | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:20.327023983 CET | 49801 | 19091 | 192.168.2.4    | 118.107.44.219
Dec 27, 2024 20:09:20.327106953 CET | 19091 | 49801 | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:20.330073118 CET | 19091 | 49801 | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:20.330115080 CET | 19091 | 49801 | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:20.330141068 CET | 49801 | 19091 | 192.168.2.4    | 118.107.44.219
Dec 27, 2024 20:09:20.332914114 CET | 19091 | 49801 | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:20.332988977 CET | 19091 | 49801 | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:20.333000898 CET | 49801 | 19091 | 192.168.2.4    | 118.107.44.219
Dec 27, 2024 20:09:20.335867882 CET | 19091 | 49801 | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:20.335947990 CET | 19091 | 49801 | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:20.335948944 CET | 49801 | 19091 | 192.168.2.4    | 118.107.44.219
Dec 27, 2024 20:09:20.338493109 CET | 19091 | 49801 | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:20.338547945 CET | 49801 | 19091 | 192.168.2.4    | 118.107.44.219
Dec 27, 2024 20:09:20.338619947 CET | 19091 | 49801 | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:20.341355085 CET | 19091 | 49801 | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:20.341403961 CET | 49801 | 19091 | 192.168.2.4    | 118.107.44.219
Dec 27, 2024 20:09:20.341541052 CET | 19091 | 49801 | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:20.344362974 CET | 19091 | 49801 | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:20.344422102 CET | 49801 | 19091 | 192.168.2.4    | 118.107.44.219
Dec 27, 2024 20:09:20.344471931 CET | 19091 | 49801 | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:20.346949100 CET | 19091 | 49801 | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:20.346997023 CET | 49801 | 19091 | 192.168.2.4    | 118.107.44.219
Dec 27, 2024 20:09:20.347084999 CET | 19091 | 49801 | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:20.348263979 CET | 19091 | 49801 | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:20.348411083 CET | 49801 | 19091 | 192.168.2.4    | 118.107.44.219
Dec 27, 2024 20:09:21.439682007 CET | 49812 | 19091 | 192.168.2.4    | 118.107.44.219
Dec 27, 2024 20:09:21.559345007 CET | 19091 | 49812 | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:21.559415102 CET | 49812 | 19091 | 192.168.2.4    | 118.107.44.219
Dec 27, 2024 20:09:23.356825113 CET | 49801 | 19091 | 192.168.2.4    | 118.107.44.219
Dec 27, 2024 20:09:26.775233984 CET | 49812 | 19091 | 192.168.2.4    | 118.107.44.219
Dec 27, 2024 20:09:26.894840002 CET | 19091 | 49812 | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:26.894927979 CET | 19091 | 49812 | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:26.894979000 CET | 19091 | 49812 | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:26.895059109 CET | 19091 | 49812 | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:27.532835960 CET | 19091 | 49812 | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:27.533104897 CET | 49812 | 19091 | 192.168.2.4    | 118.107.44.219
Dec 27, 2024 20:09:27.652760029 CET | 19091 | 49812 | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:38.560045004 CET | 49812 | 19091 | 192.168.2.4    | 118.107.44.219
Dec 27, 2024 20:09:38.679734945 CET | 19091 | 49812 | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:39.097475052 CET | 19091 | 49812 | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:39.153575897 CET | 49812 | 19091 | 192.168.2.4    | 118.107.44.219
Dec 27, 2024 20:09:39.163419962 CET | 49812 | 19091 | 192.168.2.4    | 118.107.44.219
Dec 27, 2024 20:09:39.284593105 CET | 19091 | 49812 | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:55.263165951 CET | 49812 | 19091 | 192.168.2.4    | 118.107.44.219
Dec 27, 2024 20:09:55.383035898 CET | 19091 | 49812 | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:55.800561905 CET | 19091 | 49812 | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:09:55.841114998 CET | 49812 | 19091 | 192.168.2.4    | 118.107.44.219
Dec 27, 2024 20:09:55.901287079 CET | 49812 | 19091 | 192.168.2.4    | 118.107.44.219
Dec 27, 2024 20:09:56.020895958 CET | 19091 | 49812 | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:10:12.075613022 CET | 49812 | 19091 | 192.168.2.4    | 118.107.44.219
Dec 27, 2024 20:10:12.195290089 CET | 19091 | 49812 | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:10:12.613104105 CET | 19091 | 49812 | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:10:12.653630972 CET | 49812 | 19091 | 192.168.2.4    | 118.107.44.219
Dec 27, 2024 20:10:12.715729952 CET | 49812 | 19091 | 192.168.2.4    | 118.107.44.219
Dec 27, 2024 20:10:12.835367918 CET | 19091 | 49812 | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:10:28.388205051 CET | 49812 | 19091 | 192.168.2.4    | 118.107.44.219
Dec 27, 2024 20:10:28.508941889 CET | 19091 | 49812 | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:10:28.926780939 CET | 19091 | 49812 | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:10:28.981780052 CET | 49812 | 19091 | 192.168.2.4    | 118.107.44.219
Dec 27, 2024 20:10:29.049133062 CET | 49812 | 19091 | 192.168.2.4    | 118.107.44.219
Dec 27, 2024 20:10:29.168574095 CET | 19091 | 49812 | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:10:44.700655937 CET | 49812 | 19091 | 192.168.2.4    | 118.107.44.219
Dec 27, 2024 20:10:44.820193052 CET | 19091 | 49812 | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:10:45.258063078 CET | 19091 | 49812 | 118.107.44.219 | 192.168.2.4
Dec 27, 2024 20:10:45.309976101 CET | 49812 | 19091 | 192.168.2.4    | 118.107.44.219
Dec 27, 2024 20:10:45.327867031 CET | 49812 | 19091 | 192.168.2.4    | 118.107.44.219
Dec 27, 2024 20:10:45.447947979 CET | 19091 | 49812 | 118.107.44.219 | 192.168.2.4

                                                                        Target ID:0
                                                                        Start time:14:07:49
                                                                        Start date:27/12/2024
                                                                        Path:C:\Users\user\Desktop\MEuu1a2o6n.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:"C:\Users\user\Desktop\MEuu1a2o6n.exe"
                                                                        Imagebase:0x400000
                                                                        File size:73'957'257 bytes
                                                                        MD5 hash:B686B0A91C6DA4D4EF4EB9894F41AAEF
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:low
                                                                        Has exited:true

                                                                        Target ID:1
                                                                        Start time:14:08:00
                                                                        Start date:27/12/2024
                                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:"C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Bilite\Axialis\Update.exe
                                                                        Imagebase:0x240000
                                                                        File size:236'544 bytes
                                                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        Target ID:2
                                                                        Start time:14:08:00
                                                                        Start date:27/12/2024
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff7699e0000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        Target ID:3
                                                                        Start time:14:08:01
                                                                        Start date:27/12/2024
                                                                        Path:C:\Users\Public\Bilite\Axialis\Update.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:C:\Users\Public\Bilite\Axialis\Update.exe
                                                                        Imagebase:0x20000
                                                                        File size:395'368 bytes
                                                                        MD5 hash:FB325C945A08D06FE91681179BDCCC66
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Antivirus matches:
                                                                        • Detection: 0%, ReversingLabs
                                                                        Reputation:low
                                                                        Has exited:false

                                                                        Target ID:9
                                                                        Start time:14:09:11
                                                                        Start date:27/12/2024
                                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:cmd.exe /B /c "C:\Users\user\AppData\Local\Temp\\monitor.bat"
                                                                        Imagebase:0x7ff7699e0000
                                                                        File size:236'544 bytes
                                                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:false

                                                                        Target ID:10
                                                                        Start time:14:09:11
                                                                        Start date:27/12/2024
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff7699e0000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:false

                                                                        Target ID:11
                                                                        Start time:14:09:11
                                                                        Start date:27/12/2024
                                                                        Path:C:\Windows\SysWOW64\tasklist.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:tasklist /FI "IMAGENAME eq Update.exe"
                                                                        Imagebase:0xc60000
                                                                        File size:79'360 bytes
                                                                        MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        Target ID:12
                                                                        Start time:14:09:11
                                                                        Start date:27/12/2024
                                                                        Path:C:\Windows\SysWOW64\findstr.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:findstr /I "Update.exe"
                                                                        Imagebase:0xe80000
                                                                        File size:29'696 bytes
                                                                        MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        Target ID:13
                                                                        Start time:14:09:11
                                                                        Start date:27/12/2024
                                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
                                                                        Imagebase:0x240000
                                                                        File size:236'544 bytes
                                                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        Target ID:14
                                                                        Start time:14:09:12
                                                                        Start date:27/12/2024
                                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:cmd.exe /C powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1
                                                                        Imagebase:0x240000
                                                                        File size:236'544 bytes
                                                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        Target ID:15
                                                                        Start time:14:09:12
                                                                        Start date:27/12/2024
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff7699e0000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:16
                                                                        Start time:14:09:12
                                                                        Start date:27/12/2024
                                                                        Path:C:\Windows\SysWOW64\timeout.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:timeout /t 30 /nobreak
                                                                        Imagebase:0xbb0000
                                                                        File size:25'088 bytes
                                                                        MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:17
                                                                        Start time:14:09:12
                                                                        Start date:27/12/2024
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff7699e0000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:18
                                                                        Start time:14:09:12
                                                                        Start date:27/12/2024
                                                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
                                                                        Imagebase:0x620000
                                                                        File size:433'152 bytes
                                                                        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:19
                                                                        Start time:14:09:12
                                                                        Start date:27/12/2024
                                                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1
                                                                        Imagebase:0x620000
                                                                        File size:433'152 bytes
                                                                        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:20
                                                                        Start time:14:09:42
                                                                        Start date:27/12/2024
                                                                        Path:C:\Windows\SysWOW64\tasklist.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:tasklist /FI "IMAGENAME eq Update.exe"
                                                                        Imagebase:0xc60000
                                                                        File size:79'360 bytes
                                                                        MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:21
                                                                        Start time:14:09:42
                                                                        Start date:27/12/2024
                                                                        Path:C:\Windows\SysWOW64\findstr.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:findstr /I "Update.exe"
                                                                        Imagebase:0xe80000
                                                                        File size:29'696 bytes
                                                                        MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:22
                                                                        Start time:14:09:42
                                                                        Start date:27/12/2024
                                                                        Path:C:\Windows\SysWOW64\timeout.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:timeout /t 30 /nobreak
                                                                        Imagebase:0xbb0000
                                                                        File size:25'088 bytes
                                                                        MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:23
                                                                        Start time:14:10:12
                                                                        Start date:27/12/2024
                                                                        Path:C:\Windows\SysWOW64\tasklist.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:tasklist /FI "IMAGENAME eq Update.exe"
                                                                        Imagebase:0xc60000
                                                                        File size:79'360 bytes
                                                                        MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:24
                                                                        Start time:14:10:12
                                                                        Start date:27/12/2024
                                                                        Path:C:\Windows\SysWOW64\findstr.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:findstr /I "Update.exe"
                                                                        Imagebase:0xe80000
                                                                        File size:29'696 bytes
                                                                        MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:25
                                                                        Start time:14:10:12
                                                                        Start date:27/12/2024
                                                                        Path:C:\Windows\SysWOW64\timeout.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:timeout /t 30 /nobreak
                                                                        Imagebase:0xbb0000
                                                                        File size:25'088 bytes
                                                                        MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:26
                                                                        Start time:14:10:42
                                                                        Start date:27/12/2024
                                                                        Path:C:\Windows\SysWOW64\tasklist.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:tasklist /FI "IMAGENAME eq Update.exe"
                                                                        Imagebase:0xc60000
                                                                        File size:79'360 bytes
                                                                        MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:27
                                                                        Start time:14:10:42
                                                                        Start date:27/12/2024
                                                                        Path:C:\Windows\SysWOW64\findstr.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:findstr /I "Update.exe"
                                                                        Imagebase:0xe80000
                                                                        File size:29'696 bytes
                                                                        MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:28
                                                                        Start time:14:10:42
                                                                        Start date:27/12/2024
                                                                        Path:C:\Windows\SysWOW64\timeout.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:timeout /t 30 /nobreak
                                                                        Imagebase:0xbb0000
                                                                        File size:25'088 bytes
                                                                        MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:false


                                                                          Execution Graph

                                                                          Execution Coverage:6.5%
                                                                          Dynamic/Decrypted Code Coverage:32.6%
                                                                          Signature Coverage:7.9%
                                                                          Total number of Nodes:2000
                                                                          Total number of Limit Nodes:101
106979->106980 106981 21ce1 WideCharToMultiByte 106980->106981 106981->106979 106982 21d14 106981->106982 106982->106977 106983 21d35 106983->106964 106984->106966 106985->106952 106987 21d7d 106986->106987 106988 21d8f malloc 106987->106988 106989 21d82 _callnewh 106988->106989 106990 21d9c 106988->106990 106989->106988 106992 21d9e 106989->106992 106990->106976 106991 21e9f 106993 21ead _CxxThrowException 106991->106993 106992->106991 106994 21e90 _CxxThrowException 106992->106994 106995 21ec3 106993->106995 106994->106991 106995->106976 106996->106983 106997 6bd35477 106998 6bd35482 106997->106998 107014 6bd33d20 106998->107014 107000 6bd354ac 107045 6bd34470 107000->107045 107003 6bd35495 107003->107000 107009 6bd354e2 Sleep 107003->107009 107018 6bd33ef0 107003->107018 107036 6bd34c70 107003->107036 107041 6bd34de0 107003->107041 107009->107003 107010 6bd34470 36 API calls 107011 6bd35540 107010->107011 107062 6bd355e0 24 API calls 107011->107062 107013 6bd3554d 107015 6bd33d86 107014->107015 107063 6bd33e80 107015->107063 107022 6bd33f19 107018->107022 107019 6bd33f76 107021 6bd34470 36 API calls 107019->107021 107020 6bd34470 36 API calls 107020->107022 107035 6bd33f91 107021->107035 107022->107019 107022->107020 107023 6bd33fc8 107024 6bd343eb 107023->107024 107026 6bd34470 36 API calls 107023->107026 107027 6bd34470 36 API calls 107024->107027 107025 6bd34470 36 API calls 107025->107035 107026->107023 107028 6bd34406 107027->107028 107029 6bd34470 36 API calls 107028->107029 107030 6bd34424 107029->107030 107031 6bd349e0 77 API calls 107030->107031 107032 6bd34444 107031->107032 107033 6bd34470 36 API calls 107032->107033 107034 6bd34465 107033->107034 107034->107003 107035->107023 107035->107025 107071 6beb10d7 107036->107071 107039 6bd34c92 107039->107003 107042 6bd34e2f 107041->107042 107043 6bd33e80 27 API calls 107042->107043 107044 6bd350b6 107042->107044 107043->107044 107044->107003 107046 6bd344c0 107045->107046 107047 6bd369d0 36 API calls 
107046->107047 107052 6bd34561 107047->107052 107048 6bd36d50 36 API calls 107049 6bd347f9 107048->107049 107050 6bd36dc0 36 API calls 107049->107050 107051 6bd3480f 107050->107051 107053 6bd349e0 107051->107053 107052->107048 107054 6bd369d0 36 API calls 107053->107054 107055 6bd34a2d 107054->107055 107061 6bd34a40 std::ios_base::_Ios_base_dtor 107055->107061 107111 6bd398c0 107055->107111 107056 6bd36d50 36 API calls 107058 6bd34bad 107056->107058 107059 6bd36dc0 36 API calls 107058->107059 107060 6bd34bbd 107059->107060 107060->107010 107061->107056 107062->107013 107066 6bd359f0 107063->107066 107065 6bd33df9 107065->107003 107067 6bd35a71 107066->107067 107069 6bd35a4a 107066->107069 107070 6bd35b50 27 API calls 107067->107070 107069->107065 107070->107069 107072 6beb10e3 ___scrt_is_nonwritable_in_current_image 107071->107072 107080 6beb206c EnterCriticalSection 107072->107080 107074 6beb10ea 107081 6beb1395 107074->107081 107079 6beb1127 17 API calls 2 library calls 107079->107039 107080->107074 107082 6beb13b3 107081->107082 107084 6beb13c2 107082->107084 107105 6bebfa06 CreateFileW ___initconin 107082->107105 107098 6bd7f107 107084->107098 107085 6beb13cf 107085->107084 107106 6bebfa77 5 API calls ___initconin 107085->107106 107088 6beb10f8 107095 6beb111e 107088->107095 107089 6beb13e0 107089->107084 107090 6beb8f91 __fread_nolock 3 API calls 107089->107090 107092 6beb140d __DllMainCRTStartup@12 107089->107092 107094 6beb144a 107089->107094 107090->107092 107092->107094 107107 6bebfabd 5 API calls ___initconin 107092->107107 107108 6bda800c RtlFreeHeap GetLastError std::locale::_Locimp::~_Locimp 107094->107108 107110 6beb2083 LeaveCriticalSection 107095->107110 107097 6bd34c7e 107097->107039 107097->107079 107099 6bd7f110 IsProcessorFeaturePresent 107098->107099 107100 6bd7f10f 107098->107100 107102 6bdd8160 107099->107102 107100->107088 107109 6bdd8246 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 107102->107109 
107104 6bdd8243 107104->107088 107105->107085 107106->107089 107107->107094 107108->107084 107109->107104 107110->107097 107112 6bd7bd4e std::_Lockit::_Lockit 7 API calls 107111->107112 107113 6bd39902 107112->107113 107114 6bd39c00 9 API calls 107113->107114 107115 6bd39917 107114->107115 107123 6bd39955 107115->107123 107124 6bd39dc0 107115->107124 107116 6bd7bd7f std::_Lockit::~_Lockit 2 API calls 107118 6bd399fe 107116->107118 107118->107061 107120 6bd3998b 107133 6bd7bf2c RaiseException Concurrency::cancel_current_task ___std_exception_copy 107120->107133 107123->107116 107125 6bd39dff 107124->107125 107131 6bd39972 107124->107131 107126 6bd5ffd7 Concurrency::details::ExternalContextBase::~ExternalContextBase 3 API calls 107125->107126 107125->107131 107127 6bd39e18 107126->107127 107134 6bd3a060 107127->107134 107129 6bd39e3c 107145 6bd3a290 70 API calls 2 library calls 107129->107145 107131->107120 107132 6bd39ef0 RaiseException Concurrency::cancel_current_task 107131->107132 107133->107123 107135 6bd7bd4e std::_Lockit::_Lockit 7 API calls 107134->107135 107136 6bd3a0a9 107135->107136 107137 6bd3a10a 107136->107137 107138 6bd3a13f 107136->107138 107146 6bd7bfae 107137->107146 107155 6bd7c3d2 25 API calls 2 library calls 107138->107155 107142 6bd3a153 107156 6bd3a3f0 RtlFreeHeap GetLastError 107142->107156 107144 6bd3a16f 107144->107129 107145->107131 107157 6beb5e57 107146->107157 107155->107142 107156->107144 107162 6bebb4c6 107157->107162 107183 6bebb64d 5 API calls std::_Locinfo::_Locinfo_dtor 107162->107183 107164 6bebb4cb 107184 6bebb667 5 API calls std::_Locinfo::_Locinfo_dtor 107164->107184 107166 6bebb4d0 107185 6bebb681 5 API calls std::_Locinfo::_Locinfo_dtor 107166->107185 107168 6bebb4d5 107186 6bebb69b 5 API calls std::_Locinfo::_Locinfo_dtor 107168->107186 107170 6bebb4da 107187 6bebb6b5 5 API calls std::_Locinfo::_Locinfo_dtor 107170->107187 107172 6bebb4df 107188 6bebb6cf 5 API calls std::_Locinfo::_Locinfo_dtor 107172->107188 107174 6bebb4e4 
107189 6bebb6e9 5 API calls std::_Locinfo::_Locinfo_dtor 107174->107189 107176 6bebb4e9 107190 6bebb703 5 API calls std::_Locinfo::_Locinfo_dtor 107176->107190 107178 6bebb4ee 107191 6bebb71d 5 API calls std::_Locinfo::_Locinfo_dtor 107178->107191 107180 6bebb4f3 107192 6bebb737 5 API calls std::_Locinfo::_Locinfo_dtor 107180->107192 107182 6bebb4f8 107182->107182 107183->107164 107184->107166 107185->107168 107186->107170 107187->107172 107188->107174 107189->107176 107190->107178 107191->107180 107192->107182 104988 6bebcaed 104989 6bebcaf6 104988->104989 104993 6bebcb28 104988->104993 104994 6beb929e 104989->104994 104991 6bebcb19 105022 6bebceae 104991->105022 104995 6beb92a9 104994->104995 104996 6beb92af 104994->104996 105042 6bebb10b 6 API calls std::_Locinfo::_Locinfo_dtor 104995->105042 105018 6beb92b5 104996->105018 105043 6bebb14a 6 API calls std::_Locinfo::_Locinfo_dtor 104996->105043 105000 6beb92c9 105002 6beb92e1 105000->105002 105003 6beb92f6 105000->105003 105000->105018 105001 6beb9333 GetLastError 105007 6beb934a 105001->105007 105008 6beb9350 105001->105008 105044 6bebb14a 6 API calls std::_Locinfo::_Locinfo_dtor 105002->105044 105049 6bebb14a 6 API calls std::_Locinfo::_Locinfo_dtor 105003->105049 105052 6bebb10b 6 API calls std::_Locinfo::_Locinfo_dtor 105007->105052 105014 6beb9354 SetLastError 105008->105014 105053 6bebb14a 6 API calls std::_Locinfo::_Locinfo_dtor 105008->105053 105011 6beb9302 105012 6beb9306 105011->105012 105017 6beb9315 105011->105017 105050 6bebb14a 6 API calls std::_Locinfo::_Locinfo_dtor 105012->105050 105014->104991 105020 6beb8f57 ___free_lconv_mon 2 API calls 105017->105020 105021 6beb92ba 105018->105021 105051 6beb4151 45 API calls CallUnexpected 105018->105051 105019 6beb92ed 105045 6beb8f57 105019->105045 105020->105021 105021->104991 105023 6bebced8 105022->105023 105054 6bebcd3a 105023->105054 105026 6bebcef1 105026->104993 105028 6bebcf02 105029 6bebcf0a 105028->105029 105030 6bebcf18 105028->105030 105031 
6beb8f57 ___free_lconv_mon 2 API calls 105029->105031 105066 6bebcb35 54 API calls 3 library calls 105030->105066 105031->105026 105033 6bebcf45 105034 6bebcf50 105033->105034 105036 6bebcf6b __DllMainCRTStartup@12 105033->105036 105035 6beb8f57 ___free_lconv_mon 2 API calls 105034->105035 105035->105026 105038 6beb8f57 ___free_lconv_mon 2 API calls 105036->105038 105040 6bebcf97 105036->105040 105037 6beb8f57 ___free_lconv_mon 2 API calls 105037->105026 105038->105040 105041 6bebcfe0 105040->105041 105067 6bebd269 26 API calls 3 library calls 105040->105067 105041->105037 105042->104996 105043->105000 105044->105019 105046 6beb8f62 RtlFreeHeap 105045->105046 105048 6beb8f84 __dosmaperr 105045->105048 105047 6beb8f77 GetLastError 105046->105047 105046->105048 105047->105048 105048->105018 105049->105011 105050->105019 105051->105001 105052->105008 105053->105014 105068 6bea45a8 105054->105068 105056 6bebcd4c 105057 6bebcd5b GetOEMCP 105056->105057 105058 6bebcd6d 105056->105058 105059 6bebcd84 105057->105059 105058->105059 105060 6bebcd72 GetACP 105058->105060 105059->105026 105061 6beb8f91 105059->105061 105060->105059 105062 6beb8fcd 105061->105062 105064 6beb8f9f __fread_nolock 105061->105064 105062->105028 105063 6beb8fba RtlAllocateHeap 105063->105062 105063->105064 105064->105062 105064->105063 105073 6beaf2bb EnterCriticalSection LeaveCriticalSection Concurrency::details::ExternalContextBase::~ExternalContextBase 105064->105073 105066->105033 105067->105041 105069 6bea45bf __wsopen_s 105068->105069 105070 6bea45c6 105068->105070 105069->105056 105070->105069 105072 6beb97f2 45 API calls __Getctype 105070->105072 105072->105069 105073->105064 107193 1001f927 107194 1001fb9a 107193->107194 107198 100060df 71 API calls 107194->107198 107199 10005ef8 107194->107199 107203 1001f997 107194->107203 107195 1001fb9c 107198->107195 107200 10005f68 107199->107200 107201 10001100 70 API calls 107200->107201 107202 1001f2fd 107200->107202 107201->107202 107204 10005f68 
107203->107204 107205 1001f2fd 107204->107205 107206 10001100 70 API calls 107204->107206 107206->107205 107207 6bd76a7f 107208 6bd76a83 107207->107208 107209 6bd76a99 107207->107209 107208->107209 107211 6bd852dd 7 API calls 3 library calls 107208->107211 107211->107209 107212 6bd5f5ff 107217 6bd7db5b 107212->107217 107214 6bd5f609 107215 6bd6012b 29 API calls 107214->107215 107216 6bd5f613 107215->107216 107218 6bd7db67 __EH_prolog3 107217->107218 107221 6bd7deb7 107218->107221 107220 6bd7dd50 Concurrency::details::ExternalContextBase::~ExternalContextBase 107220->107214 107222 6bd7ded8 std::bad_exception::bad_exception 107221->107222 107231 6bd7df5f 107221->107231 107225 6bd7df08 VerSetConditionMask VerSetConditionMask VerifyVersionInfoW GetSystemMetrics 107222->107225 107223 6bd7f107 _ValidateLocalCookies 5 API calls 107224 6bd7df72 107223->107224 107224->107220 107232 6bd7df74 107225->107232 107227 6bd7df51 107309 6bd7e392 107227->107309 107231->107223 107395 6bd7f115 107232->107395 107234 6bd7df80 GetSysColor 107235 6bd7df95 GetSysColor 107234->107235 107236 6bd7dfa1 GetSysColor 107234->107236 107235->107236 107238 6bd7dfc4 107236->107238 107239 6bd7dfb8 GetSysColor 107236->107239 107396 6bd63a38 107238->107396 107239->107238 107241 6bd7dfda 22 API calls 107242 6bd7e104 107241->107242 107243 6bd7e10d GetSysColor 107241->107243 107244 6bd7e11f GetSysColorBrush 107242->107244 107243->107244 107245 6bd7e38c 107244->107245 107246 6bd7e13b GetSysColorBrush 107244->107246 107436 6bd7733a RaiseException Concurrency::cancel_current_task 107245->107436 107246->107245 107247 6bd7e14e GetSysColorBrush 107246->107247 107247->107245 107249 6bd7e161 107247->107249 107404 6bd62d5a 107249->107404 107252 6bd7e16e CreateSolidBrush 107409 6bd62d04 107252->107409 107255 6bd62d5a 4 API calls 107256 6bd7e18c CreateSolidBrush 107255->107256 107257 6bd62d04 3 API calls 107256->107257 107258 6bd7e19d 107257->107258 107259 6bd62d5a 4 API calls 107258->107259 107260 6bd7e1aa 
CreateSolidBrush 107259->107260 107261 6bd62d04 3 API calls 107260->107261 107262 6bd7e1bb 107261->107262 107263 6bd62d5a 4 API calls 107262->107263 107264 6bd7e1c8 CreateSolidBrush 107263->107264 107265 6bd62d04 3 API calls 107264->107265 107266 6bd7e1dc 107265->107266 107267 6bd62d5a 4 API calls 107266->107267 107268 6bd7e1e9 CreateSolidBrush 107267->107268 107269 6bd62d04 3 API calls 107268->107269 107270 6bd7e1fa 107269->107270 107271 6bd62d5a 4 API calls 107270->107271 107272 6bd7e207 CreateSolidBrush 107271->107272 107273 6bd62d04 3 API calls 107272->107273 107274 6bd7e218 107273->107274 107275 6bd62d5a 4 API calls 107274->107275 107276 6bd7e225 CreateSolidBrush 107275->107276 107277 6bd62d04 3 API calls 107276->107277 107278 6bd7e236 107277->107278 107279 6bd62d5a 4 API calls 107278->107279 107280 6bd7e243 CreatePen 107279->107280 107281 6bd62d04 3 API calls 107280->107281 107282 6bd7e25c 107281->107282 107283 6bd62d5a 4 API calls 107282->107283 107284 6bd7e269 CreatePen 107283->107284 107285 6bd62d04 3 API calls 107284->107285 107286 6bd7e280 107285->107286 107287 6bd62d5a 4 API calls 107286->107287 107288 6bd7e28d CreatePen 107287->107288 107289 6bd62d04 3 API calls 107288->107289 107290 6bd7e2a4 107289->107290 107291 6bd7e2bb 107290->107291 107296 6bd62d5a 4 API calls 107290->107296 107292 6bd7e2c4 CreateSolidBrush 107291->107292 107293 6bd7e328 107291->107293 107294 6bd62d04 3 API calls 107292->107294 107432 6bd7ef42 7 API calls 2 library calls 107293->107432 107297 6bd7e326 107294->107297 107296->107291 107415 6bdb1ab9 107297->107415 107298 6bd7e332 107298->107245 107299 6bd7e336 107298->107299 107300 6bd62d04 3 API calls 107299->107300 107302 6bd7e34f CreatePatternBrush 107300->107302 107304 6bd62d04 3 API calls 107302->107304 107306 6bd7e360 107304->107306 107433 6bd5d1f0 107306->107433 107307 6bd7e386 Concurrency::details::ExternalContextBase::~ExternalContextBase 107307->107227 107310 6bd7e3a1 __EH_prolog3_GS 107309->107310 107311 6bd63a38 4 API 
calls 107310->107311 107312 6bd7e3b0 GetDeviceCaps 107311->107312 107313 6bd7e3ea 107312->107313 107314 6bd7e41e 107313->107314 107317 6bd62d30 3 API calls 107313->107317 107315 6bd7e43c 107314->107315 107320 6bd62d30 3 API calls 107314->107320 107316 6bd7e45a 107315->107316 107321 6bd62d30 3 API calls 107315->107321 107318 6bd7e478 107316->107318 107325 6bd62d30 3 API calls 107316->107325 107319 6bd7e417 DeleteObject 107317->107319 107322 6bd7e496 107318->107322 107329 6bd62d30 3 API calls 107318->107329 107319->107314 107323 6bd7e435 DeleteObject 107320->107323 107324 6bd7e453 DeleteObject 107321->107324 107326 6bd7e4b4 107322->107326 107330 6bd62d30 3 API calls 107322->107330 107323->107315 107324->107316 107328 6bd7e471 DeleteObject 107325->107328 107327 6bd7e4d2 107326->107327 107334 6bd62d30 3 API calls 107326->107334 107331 6bd7e4f0 107327->107331 107338 6bd62d30 3 API calls 107327->107338 107328->107318 107332 6bd7e48f DeleteObject 107329->107332 107333 6bd7e4ad DeleteObject 107330->107333 107335 6bd7e50e 107331->107335 107339 6bd62d30 3 API calls 107331->107339 107332->107322 107333->107326 107337 6bd7e4cb DeleteObject 107334->107337 107336 6bd7e52c 107335->107336 107343 6bd62d30 3 API calls 107335->107343 107468 6bd7ee43 107336->107468 107337->107327 107341 6bd7e4e9 DeleteObject 107338->107341 107342 6bd7e507 DeleteObject 107339->107342 107341->107331 107342->107335 107345 6bd7e525 DeleteObject 107343->107345 107344 6bd7e544 std::bad_exception::bad_exception 107346 6bd7e551 GetTextCharsetInfo 107344->107346 107345->107336 107347 6bd7e58b lstrcpyW 107346->107347 107349 6bd7e5bf 107347->107349 107350 6bd7e62b CreateFontIndirectW 107347->107350 107349->107350 107351 6bd7e5c8 EnumFontFamiliesW 107349->107351 107352 6bd62d04 3 API calls 107350->107352 107353 6bd7e5e4 lstrcpyW 107351->107353 107354 6bd7e5f9 EnumFontFamiliesW 107351->107354 107358 6bd7e63d 107352->107358 107353->107350 107355 6bd7e618 lstrcpyW 107354->107355 107355->107350 107357 6bd7e673 
CreateFontIndirectW 107359 6bd62d04 3 API calls 107357->107359 107358->107357 107360 6bd7e685 107359->107360 107361 6bd7ee43 SystemParametersInfoW 107360->107361 107362 6bd7e6a0 CreateFontIndirectW 107361->107362 107363 6bd62d04 3 API calls 107362->107363 107364 6bd7e6c8 CreateFontIndirectW 107363->107364 107365 6bd62d04 3 API calls 107364->107365 107366 6bd7e6f4 CreateFontIndirectW 107365->107366 107367 6bd62d04 3 API calls 107366->107367 107368 6bd7e715 GetSystemMetrics lstrcpyW CreateFontIndirectW 107367->107368 107369 6bd62d04 3 API calls 107368->107369 107370 6bd7e751 GetStockObject 107369->107370 107371 6bd7e77f GetObjectW 107370->107371 107372 6bd7e849 107370->107372 107371->107372 107374 6bd7e794 lstrcpyW CreateFontIndirectW 107371->107374 107471 6bd7ee84 107372->107471 107375 6bd62d04 3 API calls 107374->107375 107376 6bd7e7e3 CreateFontIndirectW 107375->107376 107377 6bd62d04 3 API calls 107376->107377 107382 6bd7e7fc GetObjectW CreateFontIndirectW 107377->107382 107383 6bd62d04 3 API calls 107382->107383 107387 6bd7e828 CreateFontIndirectW 107383->107387 107390 6bd62d04 3 API calls 107387->107390 107390->107372 107395->107234 107397 6bd63a44 __EH_prolog3 107396->107397 107398 6bd63a67 GetWindowDC 107397->107398 107437 6bd62ee6 107398->107437 107401 6bd63a7d Concurrency::details::ExternalContextBase::~ExternalContextBase 107401->107241 107405 6bd62d63 107404->107405 107406 6bd62d60 107404->107406 107446 6bd62d30 107405->107446 107406->107252 107408 6bd62d68 DeleteObject 107408->107252 107410 6bd62d11 107409->107410 107411 6bd62d26 107409->107411 107451 6bd63c00 RaiseException EnterCriticalSection LeaveCriticalSection Concurrency::details::ExternalContextBase::~ExternalContextBase __EH_prolog3 107410->107451 107411->107255 107413 6bd62d1b 107452 6bd80122 RaiseException Concurrency::details::ExternalContextBase::~ExternalContextBase 107413->107452 107416 6bdb1ac2 107415->107416 107426 6bd7e374 107415->107426 107416->107426 107453 6bde22d2 DeleteObject 
RaiseException EnterCriticalSection LeaveCriticalSection Concurrency::details::ExternalContextBase::~ExternalContextBase 107416->107453 107418 6bdb1ad5 107454 6bde22d2 DeleteObject RaiseException EnterCriticalSection LeaveCriticalSection Concurrency::details::ExternalContextBase::~ExternalContextBase 107418->107454 107420 6bdb1adf 107455 6bde22d2 DeleteObject RaiseException EnterCriticalSection LeaveCriticalSection Concurrency::details::ExternalContextBase::~ExternalContextBase 107420->107455 107422 6bdb1ae9 107456 6bde22d2 DeleteObject RaiseException EnterCriticalSection LeaveCriticalSection Concurrency::details::ExternalContextBase::~ExternalContextBase 107422->107456 107424 6bdb1af3 107457 6bde22d2 DeleteObject RaiseException EnterCriticalSection LeaveCriticalSection Concurrency::details::ExternalContextBase::~ExternalContextBase 107424->107457 107427 6bd63a8d 107426->107427 107458 6bd62f28 107427->107458 107429 6bd63abd ReleaseDC 107462 6bd637da 107429->107462 107432->107298 107434 6bd62d5a 4 API calls 107433->107434 107435 6bd5d240 107434->107435 107435->107297 107438 6bd62ef3 107437->107438 107442 6bd62f09 107437->107442 107444 6bd63b8f RaiseException EnterCriticalSection LeaveCriticalSection Concurrency::details::ExternalContextBase::~ExternalContextBase __EH_prolog3 107438->107444 107440 6bd62efe 107445 6bd80122 RaiseException Concurrency::details::ExternalContextBase::~ExternalContextBase 107440->107445 107442->107401 107443 6bd6268b RaiseException Concurrency::cancel_current_task 107442->107443 107444->107440 107445->107442 107447 6bd62d3b 107446->107447 107449 6bd62d42 107446->107449 107450 6bd63c00 RaiseException EnterCriticalSection LeaveCriticalSection Concurrency::details::ExternalContextBase::~ExternalContextBase __EH_prolog3 107447->107450 107449->107408 107450->107449 107451->107413 107452->107411 107453->107418 107454->107420 107455->107422 107456->107424 107457->107426 107459 6bd62f34 107458->107459 107460 6bd62f3b 107458->107460 107467 6bd63b8f 
RaiseException EnterCriticalSection LeaveCriticalSection Concurrency::details::ExternalContextBase::~ExternalContextBase __EH_prolog3 107459->107467 107460->107429 107463 6bd63814 107462->107463 107464 6bd63808 107462->107464 107463->107307 107465 6bd62f28 3 API calls 107464->107465 107466 6bd6380d DeleteDC 107465->107466 107466->107463 107467->107460 107469 6bd7ee52 107468->107469 107470 6bd7ee58 SystemParametersInfoW 107468->107470 107469->107470 107470->107344 107472 6bd7ee90 __EH_prolog3_GS 107471->107472 107473 6bd63a38 4 API calls 107472->107473 107474 6bd7ee9c 107473->107474 107494 6bd63083 107474->107494 107495 6bd6309a SelectObject 107494->107495 107496 6bd630a9 107494->107496 107495->107496 107497 6bd630bf 107496->107497 107499 6bd630b5 SelectObject 107496->107499 107503 6bd62cf2 107497->107503 107499->107497 107506 6bd63c00 RaiseException EnterCriticalSection LeaveCriticalSection Concurrency::details::ExternalContextBase::~ExternalContextBase __EH_prolog3 107503->107506 107505 6bd62cfc 107506->107505 105074 1000638b 105075 10001100 70 API calls 105074->105075 105076 10006390 105075->105076 105077 1000474c lstrlenW 105078 1001fff8 105077->105078 107507 6bd85234 107508 6bd8524d 107507->107508 107509 6bd8523d 107507->107509 107513 6bd8529f 107508->107513 107519 6bd84e9d EnterCriticalSection 107508->107519 107538 6bd84e5d TlsAlloc InitializeCriticalSection RaiseException 107509->107538 107512 6bd85261 107512->107513 107514 6bd85267 107512->107514 107540 6bd7733a RaiseException Concurrency::cancel_current_task 107513->107540 107539 6bd85196 EnterCriticalSection TlsGetValue LeaveCriticalSection LeaveCriticalSection 107514->107539 107518 6bd85273 Concurrency::details::ExternalContextBase::~ExternalContextBase 107524 6bd84ec1 107519->107524 107520 6bd84fd4 LeaveCriticalSection 107541 6bd77306 RaiseException Concurrency::cancel_current_task 107520->107541 107522 6bd84f71 std::bad_exception::bad_exception 107525 6bd84fa1 LeaveCriticalSection 107522->107525 
107524->107520 107524->107522 107526 6bd84f28 GlobalHandle 107524->107526 107527 6bd84f13 107524->107527 107525->107512 107528 6bd84f3b GlobalUnlock 107526->107528 107529 6bd84fbc 107526->107529 107531 6bd84f1b GlobalAlloc 107527->107531 107532 6bd76d62 107528->107532 107529->107520 107533 6bd84fc1 GlobalHandle 107529->107533 107534 6bd84f5d 107531->107534 107535 6bd84f51 GlobalReAlloc 107532->107535 107533->107520 107536 6bd84fcd GlobalLock 107533->107536 107534->107529 107537 6bd84f61 GlobalLock 107534->107537 107535->107534 107536->107520 107537->107520 107537->107522 107538->107508 107539->107518 107542 6bebfb9b CreateFileW 105079 6bd5a507 105130 6bd59fe0 GetModuleFileNameA 105079->105130 105083 6bd5a548 105143 6bd58ac0 105083->105143 105087 6bd5a573 105088 6bd386c0 24 API calls 105087->105088 105089 6bd5a57b 105088->105089 105092 6bd5a598 105089->105092 105169 6bd592d0 105089->105169 105094 6bd5a696 CreateThread 105092->105094 105193 6bd59a80 105092->105193 105096 6bd5a6e5 WaitForSingleObject 105094->105096 105097 6bd5a73f 105094->105097 106236 6bd59520 Sleep 105094->106236 105096->105097 105100 6bd5a70a 105096->105100 105228 6bd5a1c0 GetModuleFileNameA 105097->105228 105099 6bd5a64e 105106 6bd5a65e CreateThread 105099->105106 105107 6bd386c0 24 API calls 105100->105107 105106->105094 106237 6bd59950 105106->106237 105110 6bd5a726 105107->105110 105117 6bd5a7dd 105119 6bd386c0 24 API calls 105117->105119 105120 6bd5a7ed 105119->105120 105251 6bd593b0 GetModuleHandleA 105120->105251 105122 6bd5a829 CreateThread 105259 6bd57ee0 WSAStartup 105122->105259 106250 6bd52170 105122->106250 105131 6bd37a70 27 API calls 105130->105131 105132 6bd5a059 105131->105132 105133 6bd5a0d0 105132->105133 105134 6bd5a08c 105132->105134 105136 6bd37a70 27 API calls 105133->105136 105296 6bd57e80 27 API calls 105134->105296 105137 6bd5a0b9 105136->105137 105138 6bd386c0 24 API calls 105137->105138 105139 6bd5a107 105138->105139 105140 6bd45700 105139->105140 105297 6bd38a30 
105140->105297 105142 6bd45748 105142->105083 105306 6bd459d0 105143->105306 105145 6bd58b3b 105146 6bd58b7c 105145->105146 105147 6bd58b4e 105145->105147 105310 6bd58d10 105146->105310 105148 6bd37a70 27 API calls 105147->105148 105165 6bd58b68 105148->105165 105151 6bd58b95 105315 6bd58e90 105151->105315 105152 6bd58caf 105166 6bd386c0 105152->105166 105154 6bd58bc9 105325 6bd3c140 105154->105325 105156 6bd58be7 105329 6bd590a0 105156->105329 105158 6bd58c2c 105159 6bd58c51 105158->105159 105160 6bd58c4c 105158->105160 105161 6bd37a70 27 API calls 105159->105161 105336 6bd45ad0 105160->105336 105164 6bd58c61 105161->105164 105163 6bd386c0 24 API calls 105163->105165 105164->105163 105341 6bd45da0 105165->105341 105957 6bd395b0 105166->105957 105168 6bd386d4 105168->105087 105170 6bd37a70 27 API calls 105169->105170 105171 6bd59330 105170->105171 105962 6bd41000 105171->105962 105194 6bd37a70 27 API calls 105193->105194 105195 6bd59aeb 105194->105195 106177 6bd53b70 105195->106177 105197 6bd59b13 105198 6bd386c0 24 API calls 105197->105198 105199 6bd59b20 105198->105199 105200 6bd59b28 GetFileAttributesA 105199->105200 105201 6bd59b49 SHGetFolderPathA 105200->105201 105225 6bd59b3d 105200->105225 105202 6bd59b90 105201->105202 105201->105225 105204 6bd37a70 27 API calls 105202->105204 105203 6bd386c0 24 API calls 105205 6bd59e85 105203->105205 105206 6bd59bb5 105204->105206 105205->105099 105207 6bd45700 27 API calls 105206->105207 105208 6bd59be3 105207->105208 105209 6bd53b70 27 API calls 105208->105209 105210 6bd59c10 105209->105210 105211 6bd45700 27 API calls 105210->105211 105212 6bd59c3b 105211->105212 105213 6bd386c0 24 API calls 105212->105213 105214 6bd59c4b 105213->105214 105215 6bd386c0 24 API calls 105214->105215 105216 6bd59c56 105215->105216 105217 6bd386c0 24 API calls 105216->105217 105218 6bd59c61 105217->105218 105219 6bd59c6c GetFileAttributesA 105218->105219 105220 6bd59c8d CoInitialize 105219->105220 105221 6bd59c81 105219->105221 106180 
Execution Graph

The interactive call graph is not reproduced here; its node/edge export has been condensed to the API calls that appear on each path, grouped by module address range. Viewer-internal node numbers are omitted; the addresses are the ones recorded on the graph nodes.

Module in the 6bd3xxxx-6becxxxx range (DLL: dllmain_crt_dispatch/dllmain_raw at 6bea1b48; security cookie initialised at 6bea1c76 with GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter):
6bd59413: FindResourceW, then LoadResource, SizeofResource, LockResource (6bd59443), i.e. an embedded resource is located and mapped.
6bd59cad: CoCreateInstance, followed by CoUninitialize (6bd59e4f).
6bd59f60 and 6bd5a440: GetModuleFileNameA; 6bd5a3eb: GetModuleHandleA.
6bd59988 loop: CreateToolhelp32Snapshot (6bd59550), Process32FirstW (6bd595e4), WideCharToMultiByte on each entry (6bd59612), Process32NextW (6bd596c2), CloseHandle, then Sleep (6bd59a28) before the next pass: a polling process-enumeration loop.
6bd3fd80: CryptStringToBinaryA called twice (6bd3fdca, 6bd3fe72), each with a std::invalid_argument/RaiseException failure branch.
6bd40020: CryptAcquireContextW (6bd40074), CryptCreateHash (6bd40121), CryptHashData (6bd401d3, 6bd403b9), CryptGetHashParam (6bd4044b, 6bd4051f), each with a std::invalid_argument/RaiseException failure branch.
6bd41156 path: CryptAcquireContextW (6bd4120f), CryptImportKey (6bd412c5), then CryptSetKeyParam twice (6bd41383, 6bd4141a). Two CryptSetKeyParam calls directly after a key import is the usual CryptoAPI sequence for setting a block-cipher mode and IV; the graph does not show the parameter values, so the algorithm is not confirmed here.
6bd44aa8 path: CopyFileA twice (6bd44fcd, 6bd450c8), CreateProcessA (6bd452d6), OpenProcess/CloseHandle (6bd44910), CloseHandle twice (6bd453ff).
6bde0b2f: GetProfileIntW twice; 6bd82f60: InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection (6bd82f8a-6bd82ff8), with a LeaveCriticalSection/RaiseException failure path (6bd82fd4).
All remaining edges in this range are statically linked CRT/STL internals: critical-section locking, RtlFreeHeap/GetLastError, RtlReAllocateHeap (6bec03d5), swprintf, __wsopen_s/__fread_nolock file I/O with SetFilePointerEx and GetLastError (6bebf91d), and RaiseException-based throws (6bea1da1).

Code at 3ae0032 (outside any listed module): GetPEB (3ae0ae4, a sandbox-assigned label for a direct PEB read, reached twice), GetNativeSystemInfo (3ae04a6), VirtualAlloc (3ae04d3), after which control passes to 10007813, the CRT entry of the module in the 1000xxxx range, and returns to 3ae0a02. A PEB walk and VirtualAlloc feeding directly into another module's entry point is the shape of an in-memory loader.

Module in the 1000xxxx range (entered from 3ae04ec at 10007813; __CRT_INIT@12 at 100075b9 with HeapCreate (1000803b), GetCommandLineA (100075f2), DecodePointer (100076ca), GetCurrentThreadId (100076ea), HeapDestroy (10008059); security cookie at 1000b54b with GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter):
10005eb2: Sleep, then a 77-API-call routine at 10006f17 (allocation with a std::exception/RaiseException failure path at 10007836).
100060a0: RegOpenKeyExW; 1001f0f9: RegQueryValueExW.
1001f814: CreateThread.
1001f63d: send.
10002c60: WSAStartup, CreateEventW, InterlockedExchange; then 10005a20: CreateEventW (10005a20, 10005b1c, 10005b5f, 10005b84), HeapCreate (10006410), InitializeCriticalSectionAndSpinCount (10005af2, 10005ba9, 10005c77), and at 10005c98 InterlockedExchange, timeGetTime, CreateEventW twice. Every failure branch on this path goes to 10001280: DeleteCriticalSection, RaiseException, __CxxThrowException@8.

Control-flow Graph
                                                                          APIs
                                                                            • Part of subcall function 0421F707: _malloc.LIBCMT ref: 0421F721
                                                                          • _memset.LIBCMT ref: 0421546C
                                                                          • _memset.LIBCMT ref: 04215485
                                                                          • _memset.LIBCMT ref: 04215495
                                                                          • gethostname.WS2_32(?,00000032), ref: 042154A3
                                                                          • gethostbyname.WS2_32(?), ref: 042154AD
                                                                          • inet_ntoa.WS2_32 ref: 042154C5
                                                                          • _strcat_s.LIBCMT ref: 042154D8
                                                                          • _strcat_s.LIBCMT ref: 042154F1
                                                                          • inet_ntoa.WS2_32 ref: 0421551A
                                                                          • _strcat_s.LIBCMT ref: 0421552D
                                                                          • _strcat_s.LIBCMT ref: 04215546
                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 04215573
                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000002,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 04215587
                                                                          • GetLastInputInfo.USER32(?), ref: 0421559A
                                                                          • GetTickCount.KERNEL32 ref: 042155A0
                                                                          • wsprintfW.USER32 ref: 042155D5
                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 042155E8
                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000296,00000000), ref: 042155FC
                                                                          • GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 04215653
                                                                          • wsprintfW.USER32 ref: 0421566C
                                                                          • GetForegroundWindow.USER32 ref: 04215695
                                                                          • GetWindowTextW.USER32(00000000,000006CE,000000FA), ref: 042156AC
                                                                          • lstrlenW.KERNEL32(000008CC), ref: 042156D3
                                                                          • lstrlenW.KERNEL32(00000994), ref: 04215739
                                                                          • GetModuleHandleW.KERNEL32(kernel32.dll,GetNativeSystemInfo), ref: 042157AA
                                                                          • GetProcAddress.KERNEL32(00000000), ref: 042157B1
                                                                          • GetNativeSystemInfo.KERNEL32(?), ref: 042157C2
                                                                          • GetSystemInfo.KERNEL32(?), ref: 042157CD
                                                                          • wsprintfW.USER32 ref: 04215806
                                                                          • GetCurrentProcessId.KERNEL32 ref: 04215818
                                                                          • OpenProcess.KERNEL32(00000400,00000000,00000000), ref: 0421582E
                                                                          • K32GetProcessImageFileNameW.KERNEL32(00000000,?,00000104), ref: 0421584B
                                                                          • CloseHandle.KERNEL32(04235164), ref: 0421587F
                                                                          • GetTickCount.KERNEL32 ref: 042158E9
                                                                          • __time64.LIBCMT ref: 042158F8
                                                                          • __localtime64.LIBCMT ref: 0421592F
                                                                          • wsprintfW.USER32 ref: 04215968
                                                                          • GetLocaleInfoW.KERNEL32(00000800,00000002,00000F46,00000040), ref: 0421597D
                                                                          • GetSystemDirectoryW.KERNEL32(00001184,00000032), ref: 0421598C
                                                                          • GetCurrentHwProfileW.ADVAPI32(?), ref: 04215999
                                                                            • Part of subcall function 042180F0: GetLogicalDriveStringsW.KERNEL32(000003E8,?,75BF73E0,00000AD4,00000000), ref: 04218132
                                                                            • Part of subcall function 042180F0: lstrcmpiW.KERNEL32(?,A:\), ref: 04218166
                                                                            • Part of subcall function 042180F0: lstrcmpiW.KERNEL32(?,B:\), ref: 04218176
                                                                            • Part of subcall function 042180F0: QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 042181A6
                                                                            • Part of subcall function 042180F0: lstrlenW.KERNEL32(?), ref: 042181B7
                                                                            • Part of subcall function 042180F0: __wcsnicmp.LIBCMT ref: 042181CE
                                                                            • Part of subcall function 042180F0: lstrcpyW.KERNEL32(00000AD4,?), ref: 04218204
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3542553864.0000000004210000.00000040.00001000.00020000.00000000.sdmp, Offset: 04210000, based on PE: true
• Associated: 00000003.00000002.3542553864.0000000004244000.00000040.00001000.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_4210000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Info$ByteCharMultiSystemWide_strcat_swsprintf$Process_memsetlstrlen$CountCurrentHandleTickWindowinet_ntoalstrcmpi$AddressCloseDeviceDirectoryDriveFileForegroundImageInputLastLocaleLogicalModuleNameNativeOpenProcProfileQueryStringsText__localtime64__time64__wcsnicmp_mallocgethostbynamegethostnamelstrcpy
                                                                          • String ID: %d min$1.0$2024.12. 3$AppEvents$GROUP$GetNativeSystemInfo$Network$REMARK$X86$X86 %s$kernel32.dll$x64$x86
                                                                          • API String ID: 1101047656-1568689114
                                                                          • Opcode ID: 76f3c29fa2308d0736925b8e4179730c6685ba0282ee21d505f98c6e3e0d315d
                                                                          • Instruction ID: 26edf19566aea7acedef639f85825487f7fee2d2f174d7a1c485abc132cd35e1
                                                                          • Opcode Fuzzy Hash: 76f3c29fa2308d0736925b8e4179730c6685ba0282ee21d505f98c6e3e0d315d
                                                                          • Instruction Fuzzy Hash: C2F1C1F1B10204BBD724DB64DC85FDAB3F8EB94705F008598E60EA7180EA74BA85CF65
                                                                          APIs
                                                                          • GetNativeSystemInfo.KERNEL32(?), ref: 03AE04AE
                                                                          • VirtualAlloc.KERNEL32(?,?,00003000,00000004), ref: 03AE04DE
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3542251241.0000000003AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AE0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_3ae0000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: AllocInfoNativeSystemVirtual
                                                                          • String ID: A$A$Cach$F$Fu$G$Li$Lo$P$Rt$S$Syst$Ta$Vi$Via$a$a$a$a$b$b$ctio$ee$fo$iv$mI$o$oc$otec$p$st$t$tNat$tu$tu$ucti$ushI$yA
                                                                          • API String ID: 2032221330-2899676511
                                                                          • Opcode ID: 82ef88a58992c726dca534e4f3eff6f5ce2a19202078a525a2214f4ed1b422dd
                                                                          • Instruction ID: a0b746edbb002d508ef4e4ecd32a19801380616821db48c2a68e19321ea908e7
                                                                          • Opcode Fuzzy Hash: 82ef88a58992c726dca534e4f3eff6f5ce2a19202078a525a2214f4ed1b422dd
                                                                          • Instruction Fuzzy Hash: F3629C715083858FD330CF25C840BABBBE5FF95704F08492EE9C99B251E7B49948CB56

Control-flow Graph
                                                                          APIs
                                                                            • Part of subcall function 04220542: __fassign.LIBCMT ref: 04220538
                                                                          • Sleep.KERNEL32(00000000), ref: 0421DF64
                                                                          • CloseHandle.KERNEL32(00000000), ref: 0421DF91
                                                                          • GetLocalTime.KERNEL32(?), ref: 0421DFA9
                                                                          • wsprintfW.USER32 ref: 0421DFE0
                                                                          • SetUnhandledExceptionFilter.KERNEL32(042175B0), ref: 0421DFEE
                                                                          • CloseHandle.KERNEL32(00000000), ref: 0421E007
                                                                            • Part of subcall function 0421F707: _malloc.LIBCMT ref: 0421F721
                                                                          • EnumWindows.USER32(04215CC0,?), ref: 0421E19D
                                                                          • Sleep.KERNEL32(00004E20,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0421E1AA
                                                                          • EnumWindows.USER32(04215CC0,?), ref: 0421E1BE
                                                                          • Sleep.KERNEL32(00000BB8), ref: 0421E1F5
                                                                          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 0421E241
                                                                          • Sleep.KERNEL32(00000FA0), ref: 0421E2C4
                                                                          • RegOpenKeyExW.KERNEL32(80000001,Console,00000000,00020019,?), ref: 0421E2EB
                                                                          • RegQueryValueExW.KERNEL32(?,IpDatespecial,00000000,?,00000000,?), ref: 0421E30B
                                                                          • CloseHandle.KERNEL32(?), ref: 0421E35D
                                                                          • Sleep.KERNEL32(000003E8,?,?), ref: 0421E3A4
                                                                          • WaitForSingleObject.KERNEL32(?,000000FF,?,?), ref: 0421E3D0
                                                                          • CloseHandle.KERNEL32(?,?,?), ref: 0421E3D7
                                                                          • Sleep.KERNEL32(000003E8,?,?), ref: 0421E3E2
                                                                          • CloseHandle.KERNEL32(?), ref: 0421E400
                                                                          • WaitForSingleObject.KERNEL32(?,000000FF,?,?), ref: 0421E425
                                                                          • CloseHandle.KERNEL32(?,?,?), ref: 0421E42C
                                                                          • Sleep.KERNEL32(00000000,?,?,?), ref: 0421E446
                                                                          • CloseHandle.KERNEL32(?), ref: 0421E464
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3542553864.0000000004210000.00000040.00001000.00020000.00000000.sdmp, Offset: 04210000, based on PE: true
• Associated: 00000003.00000002.3542553864.0000000004244000.00000040.00001000.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_4210000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: CloseHandleSleep$EnumObjectSingleWaitWindows$CreateEventExceptionFilterLocalOpenQueryTimeUnhandledValue__fassign_mallocwsprintf
                                                                          • String ID: %4d.%2d.%2d-%2d:%2d:%2d$118.107.44.219$118.107.44.219$118.107.44.219$118.107.44.219$19091$19091$19092$19093$Console$IpDatespecial
                                                                          • API String ID: 1511462596-472669843
                                                                          • Opcode ID: d2ef788e2e82cc87d54291395e4c270defd7d542fac086d2f37d075243d97f86
                                                                          • Instruction ID: fea0547210a0b028259bef755e6fc5767a60fed93ca17e9ef5acdcc5fcfb0dce
                                                                          • Opcode Fuzzy Hash: d2ef788e2e82cc87d54291395e4c270defd7d542fac086d2f37d075243d97f86
                                                                          • Instruction Fuzzy Hash: FAD1C0B0764301AFE320DF68EC89A2AB7F4FBD4B05F014A1CF65592290DB74B945CB62

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • GetDesktopWindow.USER32 ref: 0421BC8F
                                                                          • GetDC.USER32(00000000), ref: 0421BC9C
                                                                          • CreateCompatibleDC.GDI32(00000000), ref: 0421BCA2
                                                                          • GetDC.USER32(00000000), ref: 0421BCAD
                                                                          • GetDeviceCaps.GDI32(00000000,00000008), ref: 0421BCBA
                                                                          • GetDeviceCaps.GDI32(00000000,00000076), ref: 0421BCC2
                                                                          • ReleaseDC.USER32(00000000,00000000), ref: 0421BCD3
                                                                          • GetSystemMetrics.USER32(0000004E), ref: 0421BCF8
                                                                          • GetSystemMetrics.USER32(0000004F), ref: 0421BD26
                                                                          • GetSystemMetrics.USER32(0000004C), ref: 0421BD78
                                                                          • GetSystemMetrics.USER32(0000004D), ref: 0421BD8D
                                                                          • CreateCompatibleBitmap.GDI32(?,?,00000000), ref: 0421BDA6
                                                                          • SelectObject.GDI32(?,00000000), ref: 0421BDB4
                                                                          • SetStretchBltMode.GDI32(?,00000003), ref: 0421BDC0
                                                                          • GetSystemMetrics.USER32(0000004F), ref: 0421BDCD
                                                                          • GetSystemMetrics.USER32(0000004E), ref: 0421BDE0
                                                                          • StretchBlt.GDI32(?,00000000,00000000,?,00000000,?,?,?,00000000,?,00000000), ref: 0421BE07
                                                                          • _memset.LIBCMT ref: 0421BE7A
                                                                          • GetDIBits.GDI32(?,?,00000000,00000000,?,00000028,00000000), ref: 0421BE97
                                                                          • _memset.LIBCMT ref: 0421BEAF
                                                                            • Part of subcall function 0421F707: _malloc.LIBCMT ref: 0421F721
                                                                          • DeleteObject.GDI32(?), ref: 0421BF23
                                                                          • DeleteObject.GDI32(?), ref: 0421BF2D
                                                                          • ReleaseDC.USER32(00000000,?), ref: 0421BF39
                                                                          • DeleteObject.GDI32(?), ref: 0421BFDF
                                                                          • DeleteObject.GDI32(?), ref: 0421BFE9
                                                                          • ReleaseDC.USER32(00000000,?), ref: 0421BFF5
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3542553864.0000000004210000.00000040.00001000.00020000.00000000.sdmp, Offset: 04210000, based on PE: true
• Associated: 00000003.00000002.3542553864.0000000004244000.00000040.00001000.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_4210000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: MetricsSystem$Object$Delete$Release$CapsCompatibleCreateDeviceStretch_memset$BitmapBitsDesktopModeSelectWindow_malloc
                                                                          • String ID: ($6$gfff$gfff
                                                                          • API String ID: 3293817703-713438465
                                                                          • Opcode ID: 6ccbff3e4175891effab4c6fc6afdbf9b221db2309d66dfd250381cc55b08209
                                                                          • Instruction ID: 1ba8d20daefe5604839e4b70d70f6364fc490597100941f9f8d035ce4e901067
                                                                          • Opcode Fuzzy Hash: 6ccbff3e4175891effab4c6fc6afdbf9b221db2309d66dfd250381cc55b08209
                                                                          • Instruction Fuzzy Hash: 1CD18DB1E00318EFDB14DFE9E984A9EBBB9FF58300F104529F905AB250D774A945CBA1

Control-flow Graph

APIs
• GetCurrentProcessId.KERNEL32(75BF73E0), ref: 04216A94
• wsprintfW.USER32 ref: 04216AA7
  • Part of subcall function 04216910: GetCurrentProcessId.KERNEL32(0F38DED4,00000000,00000000,75BF73E0,?,00000000,042310DB,000000FF,?,04216AB3,00000000), ref: 04216938
  • Part of subcall function 04216910: OpenProcess.KERNEL32(00000400,00000000,00000000,?,00000000,042310DB,000000FF,?,04216AB3,00000000), ref: 04216947
  • Part of subcall function 04216910: OpenProcessToken.ADVAPI32(00000000,00000008,00000000,?,00000000,042310DB,000000FF,?,04216AB3,00000000), ref: 04216960
  • Part of subcall function 04216910: CloseHandle.KERNEL32(00000000,?,00000000,042310DB,000000FF,?,04216AB3,00000000), ref: 0421696B
• _memset.LIBCMT ref: 04216AC2
• GetVersionExW.KERNEL32(?), ref: 04216ADB
• GetCurrentProcess.KERNEL32(00000008,?), ref: 04216B12
• OpenProcessToken.ADVAPI32(00000000), ref: 04216B19
• GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 04216B3F
• GetLastError.KERNEL32 ref: 04216B49
• LocalAlloc.KERNEL32(00000040,?), ref: 04216B5D
• GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,?,?), ref: 04216B85
• GetSidSubAuthorityCount.ADVAPI32 ref: 04216B98
• GetSidSubAuthority.ADVAPI32(00000000), ref: 04216BA6
• LocalFree.KERNEL32(?), ref: 04216BB5
• CloseHandle.KERNEL32(?), ref: 04216BC2
• wsprintfW.USER32 ref: 04216C1B
Memory Dump Source
• Source File: 00000003.00000002.3542553864.0000000004210000.00000040.00001000.00020000.00000000.sdmp, Offset: 04210000, based on PE: true
• Associated: 00000003.00000002.3542553864.0000000004244000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_4210000_Update.jbxd
Similarity
• API ID: Process$Token$CurrentOpen$AuthorityCloseHandleInformationLocalwsprintf$AllocCountErrorFreeLastVersion_memset
• String ID: -N/$NO/$None/%s
• API String ID: 3036438616-3095023699
• Opcode ID: 8a6187d27be5b40d92d8352d9cefb211f5cd62ac9964901d3234d250c4d3344c
• Instruction ID: 3d4079f3d4173adbcaaedfeac52dabdf49dafaa8bf6177f56804028360c34cb2
• Opcode Fuzzy Hash: 8a6187d27be5b40d92d8352d9cefb211f5cd62ac9964901d3234d250c4d3344c
• Instruction Fuzzy Hash: A541A270B10225EBDB249F64ED8CFEE77B8EB19706F004095E609A6150DA78EE94CF71
APIs
• LoadLibraryW.KERNEL32(ntdll.dll,75BF73E0,?,?,?,04215611,0000035E,000002FA), ref: 0421749C
• GetProcAddress.KERNEL32(00000000,RtlGetNtVersionNumbers), ref: 042174B2
• swprintf.LIBCMT ref: 042174EF
  • Part of subcall function 04217410: GetModuleHandleW.KERNEL32(kernel32.dll,GetNativeSystemInfo,?,?,?,?,?,?,?,?,04217523), ref: 0421743D
  • Part of subcall function 04217410: GetProcAddress.KERNEL32(00000000), ref: 04217444
  • Part of subcall function 04217410: GetNativeSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,04217523), ref: 04217452
• RegOpenKeyExW.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00020019,000002FA), ref: 04217547
• RegQueryValueExW.KERNEL32(000002FA,ProductName,00000000,00000001,00000000,?), ref: 04217563
• RegCloseKey.KERNEL32(000002FA), ref: 04217586
• FreeLibrary.KERNEL32(00000000,?,?,?,04215611,0000035E,000002FA), ref: 04217598
Memory Dump Source
• Source File: 00000003.00000002.3542553864.0000000004210000.00000040.00001000.00020000.00000000.sdmp, Offset: 04210000, based on PE: true
• Associated: 00000003.00000002.3542553864.0000000004244000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_4210000_Update.jbxd
Similarity
• API ID: AddressLibraryProc$CloseFreeHandleInfoLoadModuleNativeOpenQuerySystemValueswprintf
• String ID: %d.%d.%d$ProductName$RtlGetNtVersionNumbers$SOFTWARE\Microsoft\Windows NT\CurrentVersion$ntdll.dll
• API String ID: 2158625971-3190923360
• Opcode ID: 879341c0e0a7c8b629364e46986cfebbc1ffa572ca6e24f3ebf3a49030cce0ff
• Instruction ID: ba2e3c11598d7fb3e6d36d89b00982453344605eda95f64e9814f6a77b28857d
• Opcode Fuzzy Hash: 879341c0e0a7c8b629364e46986cfebbc1ffa572ca6e24f3ebf3a49030cce0ff
• Instruction Fuzzy Hash: 9A31D6B2B10209BBE714DBA8DD45EBF7BBCDF98741F000459BA0AA6150E674FA00CB60
APIs
• GetLogicalDriveStringsW.KERNEL32(000003E8,?,75BF73E0,00000AD4,00000000), ref: 04218132
• lstrcmpiW.KERNEL32(?,A:\), ref: 04218166
• lstrcmpiW.KERNEL32(?,B:\), ref: 04218176
• QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 042181A6
• lstrlenW.KERNEL32(?), ref: 042181B7
• __wcsnicmp.LIBCMT ref: 042181CE
• lstrcpyW.KERNEL32(00000AD4,?), ref: 04218204
• lstrcpyW.KERNEL32(?,?), ref: 04218228
• lstrcatW.KERNEL32(?,00000000), ref: 04218233
Memory Dump Source
• Source File: 00000003.00000002.3542553864.0000000004210000.00000040.00001000.00020000.00000000.sdmp, Offset: 04210000, based on PE: true
• Associated: 00000003.00000002.3542553864.0000000004244000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_4210000_Update.jbxd
Similarity
• API ID: lstrcmpilstrcpy$DeviceDriveLogicalQueryStrings__wcsnicmplstrcatlstrlen
• String ID: A:\$B:\
• API String ID: 950920757-1009255891
• Opcode ID: be9e5c5c6ac5031f1b0f3187839fbd57c642ce23489f51db62a3ae952d5c7d73
• Instruction ID: ddd58c63568ff02d7e7af7278e25c5d40f32d6c1a8da690f70c0be098a5c8df0
• Opcode Fuzzy Hash: be9e5c5c6ac5031f1b0f3187839fbd57c642ce23489f51db62a3ae952d5c7d73
• Instruction Fuzzy Hash: 3941AB72B11219DBDB10DF64ED84AEEB3B8EF54711F0041D9DA09A3140EB74AE45CBA4
APIs
  • Part of subcall function 04215320: InterlockedDecrement.KERNEL32(00000008), ref: 0421536F
  • Part of subcall function 04215320: SysFreeString.OLEAUT32(00000000), ref: 04215384
  • Part of subcall function 04215320: SysAllocString.OLEAUT32(04235148), ref: 042153D5
• GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,?,?,04235148,042169A4,04235148,00000000,75BF73E0), ref: 042167F4
• GetLastError.KERNEL32 ref: 042167FE
• GetProcessHeap.KERNEL32(00000008,?), ref: 04216816
• HeapAlloc.KERNEL32(00000000), ref: 0421681D
• GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,?,?), ref: 0421683F
• LookupAccountSidW.ADVAPI32(00000000,?,?,00000100,?,00000100,?), ref: 04216871
• GetLastError.KERNEL32 ref: 0421687B
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 042168E6
• HeapFree.KERNEL32(00000000), ref: 042168ED
Memory Dump Source
• Source File: 00000003.00000002.3542553864.0000000004210000.00000040.00001000.00020000.00000000.sdmp, Offset: 04210000, based on PE: true
• Associated: 00000003.00000002.3542553864.0000000004244000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_4210000_Update.jbxd
Similarity
• API ID: Heap$AllocErrorFreeInformationLastProcessStringToken$AccountDecrementInterlockedLookup
• String ID: NONE_MAPPED
• API String ID: 1317816589-2950899194
• Opcode ID: 391bedcb14a614aa2f8b08cde6947a605c441277e25ee5f44db3dd80730f721a
• Instruction ID: 38bc710db4c1bdbe9ce18684928438655d3b007b5328d6a250177f8a44e1b487
• Opcode Fuzzy Hash: 391bedcb14a614aa2f8b08cde6947a605c441277e25ee5f44db3dd80730f721a
• Instruction Fuzzy Hash: 364176B1B10219AFD710DF54DD48FAEB3B9EB94701F4045D8E60997140DA746E898F70
APIs
• GetDriveTypeW.KERNEL32(?,74DEDF80,00000000,75BF73E0), ref: 04216C8B
• GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 04216CAA
• _memset.LIBCMT ref: 04216CE1
• GlobalMemoryStatusEx.KERNEL32(?), ref: 04216CF4
• swprintf.LIBCMT ref: 04216D39
• swprintf.LIBCMT ref: 04216D4C
Memory Dump Source
• Source File: 00000003.00000002.3542553864.0000000004210000.00000040.00001000.00020000.00000000.sdmp, Offset: 04210000, based on PE: true
• Associated: 00000003.00000002.3542553864.0000000004244000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_4210000_Update.jbxd
Similarity
• API ID: swprintf$DiskDriveFreeGlobalMemorySpaceStatusType_memset
• String ID: %sFree%d Gb $:$@$HDD:%d
• API String ID: 3202570353-3501811827
• Opcode ID: 335fb2d41bc57d0f88d0b586955c7cc47b98b7d5a32153aac0c12145455aea90
• Instruction ID: 9fb83f77574998bdc68a88ff121df7df8467cd92f63216a8e1d2664aececc679
• Opcode Fuzzy Hash: 335fb2d41bc57d0f88d0b586955c7cc47b98b7d5a32153aac0c12145455aea90
• Instruction Fuzzy Hash: 0E318FB2E1021CABDB14CFE8DC45BEEB7B9FB48300F50421DE91AA7241EA746905CB90
APIs
• CreateDXGIFactory.DXGI(0423579C,?,0F38DED4,74DEDF80,00000000,75BF73E0), ref: 04216F4A
• swprintf.LIBCMT ref: 0421711E
• std::_Xinvalid_argument.LIBCPMT ref: 042171C7
Memory Dump Source
• Source File: 00000003.00000002.3542553864.0000000004210000.00000040.00001000.00020000.00000000.sdmp, Offset: 04210000, based on PE: true
• Associated: 00000003.00000002.3542553864.0000000004244000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_4210000_Update.jbxd
Similarity
• API ID: CreateFactoryXinvalid_argumentstd::_swprintf
• String ID: %s%s %d %d $%s%s %d*%d $vector<T> too long
• API String ID: 3803070356-257307503
• Opcode ID: 342a8af0f5503bbd9e29e9e405c5306c3dc8f2f178237f7667297904b851c966
• Instruction ID: bd89d061107f39fef6ad41e39d6510641684d01f744dbf7cb29783bca42a4398
• Opcode Fuzzy Hash: 342a8af0f5503bbd9e29e9e405c5306c3dc8f2f178237f7667297904b851c966
• Instruction Fuzzy Hash: 59E16671B102259FDF24CE64CC80BEEB3B5ABD9704F1445E9E90AA7294D770BE818F91
APIs
Memory Dump Source
• Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
• Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
Similarity
• API ID: Resource$FindHandleLoadLockModuleSizeof
• String ID: $$AFX_DIALOG_LAYOUT$CONFIG
• API String ID: 1601749889-1968922069
• Opcode ID: b9e80bc38649ada9ecea5b4813b6361464fb33f3feee0efc41a64497ad24fd63
• Instruction ID: eb2311839baf90fb5ff19424e20cf899235e00e7a4fa6fd4f6c1e31c7284b843
• Opcode Fuzzy Hash: b9e80bc38649ada9ecea5b4813b6361464fb33f3feee0efc41a64497ad24fd63
• Instruction Fuzzy Hash: 734160B5D04309DFCF00EFA8D18969DBBF0BF49311F10496AE888AB314E778A955CB46
APIs
• CryptAcquireContextW.ADVAPI32 ref: 6BD400AA
• CryptCreateHash.ADVAPI32 ref: 6BD40148
  • Part of subcall function 6BEA1DA1: RaiseException.KERNEL32(E06D7363,00000001,00000003,6BD7CEF4,?,?,?,?,6BD7CEF4,?,6BF1FD2C), ref: 6BEA1E02
Memory Dump Source
• Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
• Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
Similarity
• API ID: Crypt$AcquireContextCreateExceptionHashRaise
• String ID:
• API String ID: 333276693-0
• Opcode ID: 61459d1d748e232f14e661ed2ceb38379fa4fd75da3a0466b8f94daba4729ada
• Instruction ID: 318eebd303a24c558cd816d584ebc7972bf0474f05490a774c1a1f4ca23d255e
• Opcode Fuzzy Hash: 61459d1d748e232f14e661ed2ceb38379fa4fd75da3a0466b8f94daba4729ada
• Instruction Fuzzy Hash: 80324DB4910318CFCB14EF68D95679DBBB0FF59354F0184A9D809AB350DB74AA88CF92
APIs
• _memset.LIBCMT ref: 0421607C
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,00000000), ref: 04216088
• Process32FirstW.KERNEL32(00000000,00000000), ref: 042160B9
• Process32NextW.KERNEL32(00000000,0000022C), ref: 0421610F
• CloseHandle.KERNEL32(00000000,?,?,00000000), ref: 04216116
Memory Dump Source
• Source File: 00000003.00000002.3542553864.0000000004210000.00000040.00001000.00020000.00000000.sdmp, Offset: 04210000, based on PE: true
• Associated: 00000003.00000002.3542553864.0000000004244000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_4210000_Update.jbxd
Similarity
• API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memset
• String ID:
• API String ID: 2526126748-0
• Opcode ID: 7feed8b03d2b65a359fd2db49db414c5b545876cc9d15a3618dac1c3da4fa32a
• Instruction ID: 4d7e4428ad4c720caa55c804fcbc065459b6848628f2b48e63db1dbc8a058da1
• Opcode Fuzzy Hash: 7feed8b03d2b65a359fd2db49db414c5b545876cc9d15a3618dac1c3da4fa32a
• Instruction Fuzzy Hash: 1921D631720125ABDB20EF68ED59BEE73B5EB24315F0042D9DD1997290EB36AE41C660
APIs
• CoInitialize.OLE32(00000000), ref: 0421669B
• CoCreateInstance.OLE32(042346FC,00000000,00000001,0423471C,?,?,?,?,?,?,?,?,?,?,0421588A), ref: 042166B2
• SysFreeString.OLEAUT32(?), ref: 0421674C
• CoUninitialize.OLE32(?,?,?,?,?,?,?,?,?,0421588A), ref: 0421677D
Memory Dump Source
• Source File: 00000003.00000002.3542553864.0000000004210000.00000040.00001000.00020000.00000000.sdmp, Offset: 04210000, based on PE: true
• Associated: 00000003.00000002.3542553864.0000000004244000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_4210000_Update.jbxd
Similarity
• API ID: CreateFreeInitializeInstanceStringUninitialize
• String ID: FriendlyName
• API String ID: 841178590-3623505368
• Opcode ID: db918c144a63cf3a3449bb76995334d03117612434ebb748f36a940c48cdba8f
• Instruction ID: 10cb0933ee1633ac00140687a2c800ea246a4b7cf79ab2453ec8309411ef2872
• Opcode Fuzzy Hash: db918c144a63cf3a3449bb76995334d03117612434ebb748f36a940c48cdba8f
• Instruction Fuzzy Hash: 8C312A7571020AAFDB00DB99DC84EAEB7B9EF89705F148598E605EB250DA71ED02CB60
APIs
  • Part of subcall function 6BD3FD80: CryptStringToBinaryA.CRYPT32 ref: 6BD3FE00
  • Part of subcall function 6BD3FD80: CryptStringToBinaryA.CRYPT32 ref: 6BD3FEA7
• CryptAcquireContextW.ADVAPI32 ref: 6BD41249
• CryptImportKey.ADVAPI32 ref: 6BD41317
• CryptSetKeyParam.ADVAPI32 ref: 6BD413A2
• CryptSetKeyParam.ADVAPI32 ref: 6BD41449
  • Part of subcall function 6BEA1DA1: RaiseException.KERNEL32(E06D7363,00000001,00000003,6BD7CEF4,?,?,?,?,6BD7CEF4,?,6BF1FD2C), ref: 6BEA1E02
Memory Dump Source
• Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
• Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
Similarity
• API ID: Crypt$BinaryParamString$AcquireContextExceptionImportRaise
• String ID:
• API String ID: 2873263705-0
• Opcode ID: 3c1ccd44c8d9f31bf82af855873aaa8451f3239a03813e011fd5a770d2374199
• Instruction ID: 63f8de5ad4c46bb933eeb9baa958721df1b963ed313ae8ee1c83c0d648b41719
• Opcode Fuzzy Hash: 3c1ccd44c8d9f31bf82af855873aaa8451f3239a03813e011fd5a770d2374199
• Instruction Fuzzy Hash: 22123AB09143188FDB14EF68D95679DBFF0BF49314F0084A9D849AB350DB789A88CF92
                                                                          APIs
                                                                          • select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 04213043
                                                                          • recv.WS2_32(?,?,00040000,00000000), ref: 04213064
                                                                            • Part of subcall function 0421F91B: __getptd_noexit.LIBCMT ref: 0421F91B
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3542553864.0000000004210000.00000040.00001000.00020000.00000000.sdmp, Offset: 04210000, based on PE: true
                                                                          • Associated: 00000003.00000002.3542553864.0000000004244000.00000040.00001000.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_4210000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: __getptd_noexitrecvselect
                                                                          • String ID:
                                                                          • API String ID: 4248608111-0
                                                                          • Opcode ID: 63f8a1eea1b650b77dbe51b0518883852e7d3446fecddea9e4eaed2e7230293c
                                                                          • Instruction ID: 1b8e47b12c1ad8a497dd39f68b73c4a1bce6363f708983bf576f2e9a71fc9e88
                                                                          • Opcode Fuzzy Hash: 63f8a1eea1b650b77dbe51b0518883852e7d3446fecddea9e4eaed2e7230293c
                                                                          • Instruction Fuzzy Hash: CE21A270710208DFFB20EF69DC88B9A77F5EF24324F1505A5E9145B1A0D6B0BD84CBA1

                                                                          Control-flow Graph
                                                                          • Function 6bd7e392: GDI font/brush set-up (GetDeviceCaps, ten DeleteObject calls, GetTextCharsetInfo, EnumFontFamiliesW, CreateFontIndirectW, GetSystemMetrics, GetStockObject, GetObjectW). Graph rendering omitted; the call sites are listed under APIs below.
                                                                          APIs
                                                                          • __EH_prolog3_GS.LIBCMT ref: 6BD7E39C
                                                                            • Part of subcall function 6BD63A38: __EH_prolog3.LIBCMT ref: 6BD63A3F
                                                                            • Part of subcall function 6BD63A38: GetWindowDC.USER32(00000000,00000004,6BD7DFDA,00000000), ref: 6BD63A6B
                                                                          • GetDeviceCaps.GDI32(?,00000058), ref: 6BD7E3BC
                                                                          • DeleteObject.GDI32(00000000), ref: 6BD7E418
                                                                          • DeleteObject.GDI32(00000000), ref: 6BD7E436
                                                                          • DeleteObject.GDI32(00000000), ref: 6BD7E454
                                                                          • DeleteObject.GDI32(00000000), ref: 6BD7E472
                                                                          • DeleteObject.GDI32(00000000), ref: 6BD7E490
                                                                          • DeleteObject.GDI32(00000000), ref: 6BD7E4AE
                                                                          • DeleteObject.GDI32(00000000), ref: 6BD7E4CC
                                                                          • DeleteObject.GDI32(00000000), ref: 6BD7E4EA
                                                                          • DeleteObject.GDI32(00000000), ref: 6BD7E508
                                                                          • DeleteObject.GDI32(00000000), ref: 6BD7E526
                                                                          • GetTextCharsetInfo.GDI32(?,00000000,00000000), ref: 6BD7E55E
                                                                          • lstrcpyW.KERNEL32(?,?), ref: 6BD7E5B3
                                                                          • EnumFontFamiliesW.GDI32(?,00000000,6BD7F03F,Segoe UI), ref: 6BD7E5DA
                                                                          • lstrcpyW.KERNEL32(?,Segoe UI), ref: 6BD7E5ED
                                                                          • EnumFontFamiliesW.GDI32(?,00000000,6BD7F03F,Tahoma), ref: 6BD7E60B
                                                                          • lstrcpyW.KERNEL32(?,MS Sans Serif), ref: 6BD7E625
                                                                          • CreateFontIndirectW.GDI32(?), ref: 6BD7E62F
                                                                          • CreateFontIndirectW.GDI32(?), ref: 6BD7E677
                                                                          • CreateFontIndirectW.GDI32(?), ref: 6BD7E6B6
                                                                          • CreateFontIndirectW.GDI32(?), ref: 6BD7E6E2
                                                                          • CreateFontIndirectW.GDI32(?), ref: 6BD7E703
                                                                          • GetSystemMetrics.USER32(00000048), ref: 6BD7E722
                                                                          • lstrcpyW.KERNEL32(?,Marlett), ref: 6BD7E735
                                                                          • CreateFontIndirectW.GDI32(?), ref: 6BD7E73F
                                                                          • GetStockObject.GDI32(00000011), ref: 6BD7E76B
                                                                          • GetObjectW.GDI32(00000000,0000005C,?), ref: 6BD7E786
                                                                          • lstrcpyW.KERNEL32(?,Arial), ref: 6BD7E7C7
                                                                          • CreateFontIndirectW.GDI32(?), ref: 6BD7E7D1
                                                                          • CreateFontIndirectW.GDI32(?), ref: 6BD7E7EA
                                                                          • GetObjectW.GDI32(?,0000005C,?), ref: 6BD7E808
                                                                          • CreateFontIndirectW.GDI32(?), ref: 6BD7E816
                                                                          • CreateFontIndirectW.GDI32(?), ref: 6BD7E837
                                                                            • Part of subcall function 6BD7EE84: __EH_prolog3_GS.LIBCMT ref: 6BD7EE8B
                                                                            • Part of subcall function 6BD7EE84: GetTextMetricsW.GDI32(?,?), ref: 6BD7EEC0
                                                                            • Part of subcall function 6BD7EE84: GetTextMetricsW.GDI32(?,?), ref: 6BD7EF00
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Object$Font$CreateDeleteIndirect$lstrcpy$MetricsText$EnumFamiliesH_prolog3_$CapsCharsetDeviceH_prolog3InfoStockSystemWindow
                                                                          • String ID: Arial$MS Sans Serif$Marlett$Segoe UI$Tahoma$k
                                                                          • API String ID: 2837096512-4164743291
                                                                          • Opcode ID: e0769106a0ca98702119a6f611813facc16fefe89bf90af92c506f8a11f71f4c
                                                                          • Instruction ID: 84565601630ca6e9ae20ccd633a8539a931f91147ec04057c8b02f1e10fb32c2
                                                                          • Opcode Fuzzy Hash: e0769106a0ca98702119a6f611813facc16fefe89bf90af92c506f8a11f71f4c
                                                                          • Instruction Fuzzy Hash: 81E15D71910349DBDF21EBB0C809BDEBBBCAF05359F0049A9E459AF151EB389649CF60

                                                                          Control-flow Graph
                                                                          • Function 6bd7df74: system colour and GDI object initialisation (GetSysColor x28, GetSysColorBrush x3, CreateSolidBrush x8, CreatePen x3, CreatePatternBrush). Graph rendering omitted; the call sites are listed under APIs below.
                                                                          APIs
                                                                          • __EH_prolog3.LIBCMT ref: 6BD7DF7B
                                                                          • GetSysColor.USER32(00000016), ref: 6BD7DF84
                                                                          • GetSysColor.USER32(0000000F), ref: 6BD7DF97
                                                                          • GetSysColor.USER32(00000015), ref: 6BD7DFAE
                                                                          • GetSysColor.USER32(0000000F), ref: 6BD7DFBA
                                                                          • GetDeviceCaps.GDI32(?,0000000C), ref: 6BD7DFE2
                                                                          • GetSysColor.USER32(0000000F), ref: 6BD7DFF0
                                                                          • GetSysColor.USER32(00000010), ref: 6BD7DFFE
                                                                          • GetSysColor.USER32(00000015), ref: 6BD7E00C
                                                                          • GetSysColor.USER32(00000016), ref: 6BD7E01A
                                                                          • GetSysColor.USER32(00000014), ref: 6BD7E028
                                                                          • GetSysColor.USER32(00000012), ref: 6BD7E036
                                                                          • GetSysColor.USER32(00000011), ref: 6BD7E044
                                                                          • GetSysColor.USER32(00000006), ref: 6BD7E04F
                                                                          • GetSysColor.USER32(0000000D), ref: 6BD7E05A
                                                                          • GetSysColor.USER32(0000000E), ref: 6BD7E065
                                                                          • GetSysColor.USER32(00000005), ref: 6BD7E070
                                                                          • GetSysColor.USER32(00000008), ref: 6BD7E07E
                                                                          • GetSysColor.USER32(00000009), ref: 6BD7E089
                                                                          • GetSysColor.USER32(00000007), ref: 6BD7E094
                                                                          • GetSysColor.USER32(00000002), ref: 6BD7E09F
                                                                          • GetSysColor.USER32(00000003), ref: 6BD7E0AA
                                                                          • GetSysColor.USER32(0000001B), ref: 6BD7E0B8
                                                                          • GetSysColor.USER32(0000001C), ref: 6BD7E0C6
                                                                          • GetSysColor.USER32(0000000A), ref: 6BD7E0D4
                                                                          • GetSysColor.USER32(0000000B), ref: 6BD7E0E2
                                                                          • GetSysColor.USER32(00000013), ref: 6BD7E0F0
                                                                          • GetSysColor.USER32(0000001A), ref: 6BD7E119
                                                                          • GetSysColorBrush.USER32(00000010), ref: 6BD7E12A
                                                                          • GetSysColorBrush.USER32(00000014), ref: 6BD7E13D
                                                                          • GetSysColorBrush.USER32(00000005), ref: 6BD7E150
                                                                          • CreateSolidBrush.GDI32(?), ref: 6BD7E171
                                                                          • CreateSolidBrush.GDI32(?), ref: 6BD7E18F
                                                                          • CreateSolidBrush.GDI32(?), ref: 6BD7E1AD
                                                                          • CreateSolidBrush.GDI32(?), ref: 6BD7E1CE
                                                                          • CreateSolidBrush.GDI32(?), ref: 6BD7E1EC
                                                                          • CreateSolidBrush.GDI32(?), ref: 6BD7E20A
                                                                          • CreateSolidBrush.GDI32(?), ref: 6BD7E228
                                                                          • CreatePen.GDI32(00000000,00000001,00000000), ref: 6BD7E24E
                                                                          • CreatePen.GDI32(00000000,00000001,00000000), ref: 6BD7E272
                                                                          • CreatePen.GDI32(00000000,00000001,00000000), ref: 6BD7E296
                                                                          • CreateSolidBrush.GDI32(?), ref: 6BD7E314
                                                                          • CreatePatternBrush.GDI32(00000000), ref: 6BD7E352
                                                                            • Part of subcall function 6BD62D5A: DeleteObject.GDI32(00000000), ref: 6BD62D69
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Color$BrushCreate$Solid$CapsDeleteDeviceH_prolog3ObjectPattern
                                                                          • String ID:
                                                                          • API String ID: 3754413814-0
                                                                          • Opcode ID: b64ba5afda535de3f2ebad0f898a39192aa4beeded00793fb726758c1c8d9b6a
                                                                          • Instruction ID: fe3116883e05f637087f234f7d4486ed890819f857ec04067f57cecc339e90ff
                                                                          • Opcode Fuzzy Hash: b64ba5afda535de3f2ebad0f898a39192aa4beeded00793fb726758c1c8d9b6a
                                                                          • Instruction Fuzzy Hash: 20C1A370A10A12AFDB05AF74C80A79CBBB0BF05715F408525E61ADF2A0DB78D559DFE0

                                                                          Control-flow Graph
                                                                          • Function 100054c0: registry-backed payload routine (RegOpenKeyExW/RegQueryValueExW on HKCU\Console\0, VirtualAlloc with PAGE_EXECUTE_READWRITE, RegCreateKeyW/RegDeleteValueW/RegSetValueExW writing a REG_BINARY value back, Sleep). Graph rendering omitted; the call sites are listed under APIs below.
                                                                          APIs
                                                                          • RegOpenKeyExW.KERNEL32(80000001,Console\0,00000000,00020019,?), ref: 10005507
                                                                          • RegQueryValueExW.ADVAPI32(?,9e9e85e05ee16fc372a0c7df6549fbd4,00000000,00000003,00000000,00000003), ref: 1000552E
                                                                          • _memset.LIBCMT ref: 10005548
                                                                          • RegQueryValueExW.ADVAPI32(?,9e9e85e05ee16fc372a0c7df6549fbd4,00000000,00000003,00000000,00000003), ref: 10005563
                                                                          • VirtualAlloc.KERNEL32(00000000,000311BF,00003000,00000040), ref: 10005586
                                                                          • RegCloseKey.ADVAPI32(?), ref: 100055B1
                                                                          • VirtualFree.KERNEL32(?,00000000,00008000), ref: 10005605
                                                                          • _memset.LIBCMT ref: 10005669
                                                                          • _memset.LIBCMT ref: 1000568D
                                                                          • _memset.LIBCMT ref: 1000569F
                                                                          • VirtualAlloc.KERNEL32(00000000,000311BF,00003000,00000040), ref: 10005726
                                                                          • RegCreateKeyW.ADVAPI32(80000001,Console\0,?), ref: 10005799
                                                                          • RegDeleteValueW.KERNEL32(?,9e9e85e05ee16fc372a0c7df6549fbd4), ref: 100057AC
                                                                          • RegSetValueExW.KERNEL32(?,9e9e85e05ee16fc372a0c7df6549fbd4,00000000,00000003,00000000,00000065), ref: 100057C4
                                                                          • RegCloseKey.KERNEL32(?), ref: 100057CE
                                                                          • Sleep.KERNEL32(00000BB8), ref: 100057FE
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543076303.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543056647.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                          • Associated: 00000003.00000002.3543099965.0000000010015000.00000002.00001000.00020000.00000000.sdmp
                                                                          • Associated: 00000003.00000002.3543119921.0000000010019000.00000004.00001000.00020000.00000000.sdmp
                                                                          • Associated: 00000003.00000002.3543139437.000000001001F000.00000020.00001000.00020000.00000000.sdmp
                                                                          • Associated: 00000003.00000002.3543159334.0000000010021000.00000002.00001000.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_10000000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Value_memset$Virtual$AllocCloseQuery$CreateDeleteFreeOpenSleep
                                                                          • String ID: !jWW$.$0d3b34577c0a66584d5bdc849e214016$9e9e85e05ee16fc372a0c7df6549fbd4$Console\0$_$e$i$l${vU_
                                                                          • API String ID: 354323817-737951744
                                                                          • Opcode ID: be3d857457f6c34cc49a9ce7b94368c024c206f60fa141a8346ca6c642e4ce58
                                                                          • Instruction ID: 005816a77294032e0ea7aedf6318117014c310f5a4f2017eaf50af4860f80873
                                                                          • Opcode Fuzzy Hash: be3d857457f6c34cc49a9ce7b94368c024c206f60fa141a8346ca6c642e4ce58
                                                                          • Instruction Fuzzy Hash: 5891D475A00718ABF710CF60CC84FAB77BAFB88741F508158FA089B245DB75EA40CB51

                                                                          Control-flow Graph

                                                                          control_flow_graph 695 4219e50-4219e85 GdipGetImagePixelFormat 696 4219e87 695->696 697 4219e8a-4219eb1 695->697 696->697 698 4219eb3-4219ec3 697->698 699 4219ec9-4219ecf 697->699 698->699 700 4219ed1-4219ee1 699->700 701 4219eeb-4219f04 GdipGetImageHeight 699->701 700->701 702 4219f06 701->702 703 4219f09-4219f2c GdipGetImageWidth 701->703 702->703 704 4219f31-4219f4e call 4219c30 703->704 705 4219f2e 703->705 708 421a055-421a05a 704->708 709 4219f54-4219f68 704->709 705->704 710 421a2a4-421a2ba call 421f00a 708->710 711 421a0cf-421a0d7 709->711 712 4219f6e-4219f87 GdipGetImagePaletteSize 709->712 716 421a20a-421a27b GdipCreateBitmapFromScan0 GdipGetImageGraphicsContext GdipDrawImageI GdipDeleteGraphics GdipDisposeImage 711->716 717 421a0dd-421a11a GdipBitmapLockBits 711->717 713 4219f89 712->713 714 4219f8c-4219f98 712->714 713->714 721 4219fb2-4219fba 714->721 722 4219f9a-4219fa5 call 4219650 714->722 720 421a281-421a283 716->720 718 421a14a-421a177 717->718 719 421a11c-421a121 717->719 728 421a179-421a18e call 42207f2 718->728 729 421a1bf-421a1de GdipBitmapUnlockBits 718->729 724 421a140-421a145 719->724 725 421a123 719->725 726 421a2a2 720->726 727 421a285 720->727 731 4219fd0-4219fd5 call 4211280 721->731 732 4219fbc-4219fca call 421f673 721->732 722->721 745 4219fa7-4219fb0 call 422c660 722->745 724->710 734 421a12b-421a13e call 421f639 725->734 726->710 736 421a28d-421a2a0 call 421f639 727->736 750 421a200-421a205 call 4211280 728->750 751 421a190-421a197 728->751 729->720 739 421a1e4-421a1e7 729->739 742 4219fda-4219fe5 731->742 732->742 746 4219fcc-4219fce 732->746 734->724 754 421a125 734->754 736->726 757 421a287 736->757 739->720 748 4219fe7-4219fe9 742->748 745->748 746->748 755 421a016-421a030 GdipGetImagePalette 748->755 756 4219feb-4219fed 748->756 750->716 751->750 758 421a1f6-421a1fb call 4211280 751->758 759 421a1ec-421a1f1 call 4211280 751->759 760 421a19e-421a1bd 751->760 754->734 766 421a032-421a038 755->766 767 421a03b-421a040 755->767 764 421a00c-421a011 756->764 765 4219fef 756->765 757->736 758->750 759->758 760->728 760->729 764->710 770 4219ff7-421a00a call 421f639 765->770 766->767 768 421a042-421a048 767->768 769 421a04a-421a050 call 421cca0 767->769 768->769 771 421a05f-421a063 768->771 769->708 770->764 779 4219ff1 770->779 774 421a0a0-421a0c9 call 4219d80 SetDIBColorTable call 421a320 771->774 775 421a065 771->775 774->711 777 421a068-421a098 775->777 777->777 780 421a09a 777->780 779->770 780->774
                                                                          APIs
                                                                          • GdipGetImagePixelFormat.GDIPLUS(Function_00009A30,?,?,00000000), ref: 04219E7B
                                                                          • GdipGetImageHeight.GDIPLUS(Function_00009A30,?,?,00000000), ref: 04219EFC
                                                                          • GdipGetImageWidth.GDIPLUS(Function_00009A30,?,?,00000000), ref: 04219F24
                                                                          • GdipGetImagePaletteSize.GDIPLUS(Function_00009A30,?,?,00000000), ref: 04219F7F
                                                                          • _malloc.LIBCMT ref: 04219FC0
                                                                            • Part of subcall function 0421F673: __FF_MSGBANNER.LIBCMT ref: 0421F68C
                                                                            • Part of subcall function 0421F673: __NMSG_WRITE.LIBCMT ref: 0421F693
                                                                            • Part of subcall function 0421F673: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,04224500,00000000,00000001,00000000,?,04228DE6,00000018,04236448,0000000C,04228E76), ref: 0421F6B8
                                                                          • _free.LIBCMT ref: 0421A000
                                                                          • GdipGetImagePalette.GDIPLUS(?,00000008,?,?,00000000), ref: 0421A028
                                                                          • SetDIBColorTable.GDI32(?,00000000,?,?,?,00000000), ref: 0421A0B7
                                                                          • GdipBitmapLockBits.GDIPLUS(Function_00009A30,?,00000001,?,?,?,00000000), ref: 0421A112
                                                                          • _free.LIBCMT ref: 0421A134
                                                                          • _memcpy_s.LIBCMT ref: 0421A183
                                                                          • GdipBitmapUnlockBits.GDIPLUS(?,?,?,00000000), ref: 0421A1D0
                                                                          • GdipCreateBitmapFromScan0.GDIPLUS(?,?,04235A78,00022009,?,00000000,?,00000000), ref: 0421A22C
                                                                          • GdipGetImageGraphicsContext.GDIPLUS(00000000,00022009,?,00000000), ref: 0421A24C
                                                                          • GdipDrawImageI.GDIPLUS(00000000,Function_00009A30,00000000,00000000,?,00000000), ref: 0421A267
                                                                          • GdipDeleteGraphics.GDIPLUS(?,?,00000000), ref: 0421A274
                                                                          • GdipDisposeImage.GDIPLUS(00000000,?,00000000), ref: 0421A27B
                                                                          • _free.LIBCMT ref: 0421A296
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3542553864.0000000004210000.00000040.00001000.00020000.00000000.sdmp, Offset: 04210000, based on PE: true
                                                                          • Associated: 00000003.00000002.3542553864.0000000004244000.00000040.00001000.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_4210000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Gdip$Image$Bitmap_free$BitsGraphicsPalette$AllocateColorContextCreateDeleteDisposeDrawFormatFromHeapHeightLockPixelScan0SizeTableUnlockWidth_malloc_memcpy_s
                                                                          • String ID: &
                                                                          • API String ID: 640422297-3042966939
                                                                          • Opcode ID: f8ff1942416e288e52c9ce4a596e8e9fa69707b9262d41a3048f867aab75902e
                                                                          • Instruction ID: 8ad8a7fc850ead3a95e64af188b7c5978113745082c05084d8c200bd0721fa3f
                                                                          • Opcode Fuzzy Hash: f8ff1942416e288e52c9ce4a596e8e9fa69707b9262d41a3048f867aab75902e
                                                                          • Instruction Fuzzy Hash: CDD16FF1B102199BDB20CF55DC94BAAB3F4EF58304F0085A9E609A7211D774AEC5CFA9

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • ResetEvent.KERNEL32(?), ref: 10002D9B
                                                                          • InterlockedExchange.KERNEL32(?,00000000), ref: 10002DA7
                                                                          • timeGetTime.WINMM ref: 10002DAD
                                                                          • socket.WS2_32(00000002,00000001,00000006), ref: 10002DDA
                                                                          • lstrlenW.KERNEL32(?,00000000,00000000,00000000,00000000), ref: 10002E06
                                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000), ref: 10002E12
                                                                          • lstrlenW.KERNEL32(?,00000000,000000CA,00000000,00000000), ref: 10002E31
                                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000), ref: 10002E3D
                                                                          • gethostbyname.WS2_32(00000000), ref: 10002E4B
                                                                          • htons.WS2_32(?), ref: 10002E6D
                                                                          • connect.WS2_32(?,?,00000010), ref: 10002E8B
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543076303.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543056647.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                          • Associated: 00000003.00000002.3543099965.0000000010015000.00000002.00001000.00020000.00000000.sdmp
                                                                          • Associated: 00000003.00000002.3543119921.0000000010019000.00000004.00001000.00020000.00000000.sdmp
                                                                          • Associated: 00000003.00000002.3543139437.000000001001F000.00000020.00001000.00020000.00000000.sdmp
                                                                          • Associated: 00000003.00000002.3543159334.0000000010021000.00000002.00001000.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_10000000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: ByteCharMultiWidelstrlen$EventExchangeInterlockedResetTimeconnectgethostbynamehtonssockettime
                                                                          • String ID: 0u
                                                                          • API String ID: 640718063-3203441087
                                                                          • Opcode ID: 94c689521af4947466c8b86645af49a3b04e56d54b71338c9307917d991564e9
                                                                          • Instruction ID: d5696d751933d4553be470da2890fc26df070c3c16b6f4ec0f7763c80930fe30
                                                                          • Opcode Fuzzy Hash: 94c689521af4947466c8b86645af49a3b04e56d54b71338c9307917d991564e9
                                                                          • Instruction Fuzzy Hash: 136152B1A40304BFE710DFA4CC85FAAB7B9FF49711F104629F646AB2D0D7B1A9048B64

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • ResetEvent.KERNEL32(?), ref: 04212DBB
                                                                          • InterlockedExchange.KERNEL32(?,00000000), ref: 04212DC7
                                                                          • timeGetTime.WINMM ref: 04212DCD
                                                                          • socket.WS2_32(00000002,00000001,00000006), ref: 04212DFA
                                                                          • lstrlenW.KERNEL32(?,00000000,00000000,00000000,00000000), ref: 04212E26
                                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000), ref: 04212E32
                                                                          • lstrlenW.KERNEL32(?,00000000,000000CA,00000000,00000000), ref: 04212E51
                                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000), ref: 04212E5D
                                                                          • gethostbyname.WS2_32(00000000), ref: 04212E6B
                                                                          • htons.WS2_32(?), ref: 04212E8D
                                                                          • connect.WS2_32(?,?,00000010), ref: 04212EAB
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3542553864.0000000004210000.00000040.00001000.00020000.00000000.sdmp, Offset: 04210000, based on PE: true
                                                                          • Associated: 00000003.00000002.3542553864.0000000004244000.00000040.00001000.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_4210000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: ByteCharMultiWidelstrlen$EventExchangeInterlockedResetTimeconnectgethostbynamehtonssockettime
                                                                          • String ID: 0u
                                                                          • API String ID: 640718063-3203441087
                                                                          • Opcode ID: 0b0fdd1eba7f64011ce39708fffd9a20b063de47154d6d38558bc1a8aede5c6e
                                                                          • Instruction ID: f036c369432adbfceda56f4bbda842f1532a322ba2d9a39360b0145a0ff7bc49
                                                                          • Opcode Fuzzy Hash: 0b0fdd1eba7f64011ce39708fffd9a20b063de47154d6d38558bc1a8aede5c6e
                                                                          • Instruction Fuzzy Hash: D2619071B40304AFE720DFA8ED45FAAB7F8FF48B01F104659F656A72D0D6B4A8048B65

                                                                          Control-flow Graph

                                                                          control_flow_graph 863 421ad10-421ad2b 864 421ad84-421ad8f 863->864 865 421ad2d-421ad5b RegOpenKeyExW 863->865 866 421b845-421b84b call 421ce00 864->866 867 421ad95-421ad9c 864->867 868 421ad79-421ad7e 865->868 869 421ad5d-421ad73 RegQueryValueExW 865->869 873 421b84e-421b854 866->873 870 421afe3-421b09b call 421f707 call 4226770 call 421eff4 call 4227660 call 421f707 call 421cf20 call 421eff4 867->870 871 421adea-421adf1 867->871 868->864 868->873 869->868 921 421b0a1-421b0ee call 4227660 RegCreateKeyW 870->921 922 421b162-421b189 call 421fa29 CloseHandle 870->922 871->873 874 421adf7-421ae29 call 421f707 call 4226770 871->874 886 421ae42-421ae4e 874->886 887 421ae2b-421ae3f wsprintfW 874->887 889 421ae50 886->889 890 421ae9a-421aef1 call 421eff4 call 4227660 call 4212ba0 call 421efff * 2 886->890 887->886 893 421ae54-421ae5f 889->893 896 421ae60-421ae66 893->896 899 421ae86-421ae88 896->899 900 421ae68-421ae6b 896->900 901 421ae8b-421ae8d 899->901 904 421ae82-421ae84 900->904 905 421ae6d-421ae75 900->905 906 421aef4-421af09 901->906 907 421ae8f-421ae98 901->907 904->901 905->899 910 421ae77-421ae80 905->910 913 421af10-421af16 906->913 907->890 907->893 910->896 910->904 914 421af36-421af38 913->914 915 421af18-421af1b 913->915 920 421af3b-421af3d 914->920 918 421af32-421af34 915->918 919 421af1d-421af25 915->919 918->920 919->914 924 421af27-421af30 919->924 925 421af3f-421af41 920->925 926 421afae-421afe0 call 421fa29 CloseHandle call 421efff 920->926 940 421b0f0-421b13f call 421eff4 call 4215a30 RegDeleteValueW RegSetValueExW 921->940 941 421b14a-421b15f RegCloseKey call 421fac9 921->941 924->913 924->918 930 421af43-421af4e call 421efff 925->930 931 421af55-421af5c 925->931 930->931 938 421af70-421af74 931->938 939 421af5e-421af69 call 421fac9 931->939 947 421af85-421afa9 call 421f020 938->947 948 421af76-421af7f call 421efff 938->948 939->938 940->941 959 421b141-421b147 call 421fac9 940->959 941->922 947->890 948->947 959->941
                                                                          APIs
                                                                          • RegOpenKeyExW.KERNELBASE(80000001,Console,00000000,00020019,?), ref: 0421AD53
                                                                          • RegQueryValueExW.KERNEL32(?,IpDatespecial,00000000,?,00000000,?), ref: 0421AD73
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3542553864.0000000004210000.00000040.00001000.00020000.00000000.sdmp, Offset: 04210000, based on PE: true
                                                                          • Associated: 00000003.00000002.3542553864.0000000004244000.00000040.00001000.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_4210000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: OpenQueryValue
                                                                          • String ID: %s_bin$Console$Console\0$IpDatespecial
                                                                          • API String ID: 4153817207-1338088003
                                                                          • Opcode ID: 7c10f4bfa1ac0b590cb0997c34015f01621f42c08a5ba1d40579ea94e916b1f7
                                                                          • Instruction ID: d172b15a5d8e6531701951d846c8825b26f73bb3d336ec98e6b9c94b0a310dc8
                                                                          • Opcode Fuzzy Hash: 7c10f4bfa1ac0b590cb0997c34015f01621f42c08a5ba1d40579ea94e916b1f7
                                                                          • Instruction Fuzzy Hash: 0BC1E1B2710301ABE710DF24DC45F6B73E8EFA4718F050528E9499B291E7B5F945CBA2

                                                                          Control-flow Graph

                                                                          control_flow_graph 962 4216150-42161a5 call 4226770 call 422004b 967 4216201-4216228 CoCreateInstance 962->967 968 42161a7-42161ae 962->968 969 4216422-421642f lstrlenW 967->969 970 421622e-4216282 967->970 971 42161b0-42161b2 call 4216050 968->971 972 4216441-4216450 969->972 973 4216431-421643b lstrcatW 969->973 979 4216288-42162a2 970->979 980 421640a-4216418 970->980 978 42161b7-42161b9 971->978 976 4216452-4216457 972->976 977 421645a-421647a call 421f00a 972->977 973->972 976->977 982 42161db-42161ff call 422004b 978->982 983 42161bb-42161d9 lstrcatW * 2 978->983 979->980 989 42162a8-42162b4 979->989 980->969 985 421641a-421641f 980->985 982->967 982->971 983->982 985->969 990 42162c0-4216363 call 4226770 wsprintfW RegOpenKeyExW 989->990 993 42163e9-42163ff 990->993 994 4216369-42163ba call 4226770 RegQueryValueExW 990->994 996 4216402-4216404 993->996 998 42163dc-42163e3 RegCloseKey 994->998 999 42163bc-42163da lstrcatW * 2 994->999 996->980 996->990 998->993 999->998
                                                                          APIs
                                                                          • _memset.LIBCMT ref: 0421618B
                                                                          • lstrcatW.KERNEL32(04241F10,0423510C,?,0F38DED4,00000AD4,00000000,75BF73E0), ref: 042161CD
                                                                          • lstrcatW.KERNEL32(04241F10,0423535C,?,0F38DED4,00000AD4,00000000,75BF73E0), ref: 042161D9
                                                                          • CoCreateInstance.OLE32(04232480,00000000,00000017,0423578C,?,?,0F38DED4,00000AD4,00000000,75BF73E0), ref: 04216220
                                                                          • _memset.LIBCMT ref: 042162CE
                                                                          • wsprintfW.USER32 ref: 04216336
                                                                          • RegOpenKeyExW.ADVAPI32(80000000,?,00000000,00020019,?), ref: 0421635F
                                                                          • _memset.LIBCMT ref: 04216376
                                                                            • Part of subcall function 04216050: _memset.LIBCMT ref: 0421607C
                                                                            • Part of subcall function 04216050: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,00000000), ref: 04216088
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3542553864.0000000004210000.00000040.00001000.00020000.00000000.sdmp, Offset: 04210000, based on PE: true
                                                                          • Associated: 00000003.00000002.3542553864.0000000004244000.00000040.00001000.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_4210000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: _memset$Createlstrcat$InstanceOpenSnapshotToolhelp32wsprintf
                                                                          • String ID: CLSID\{%.8X-%.4X-%.4X-%.2X%.2X-%.2X%.2X%.2X%.2X%.2X%.2X}$Windows Defender IOfficeAntiVirus implementation
                                                                          • API String ID: 1221949200-1583895642
                                                                          • Opcode ID: 75d28ae13f3f96a1f5b24227503bff898836e531db95e0e617a905b8a1914501
                                                                          • Instruction ID: ca92e332ebb553adec014c04827ff3b6c4de2c5f097b5e7a22666444316a1681
                                                                          • Opcode Fuzzy Hash: 75d28ae13f3f96a1f5b24227503bff898836e531db95e0e617a905b8a1914501
                                                                          • Instruction Fuzzy Hash: 8B8181F1B10228ABDB24DB54DC84FAEB7B8EB48705F0445C8F609A7251D6B4AE85CF64

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Cleanup$closesocket$AllocStartupVirtualconnectfreeaddrinfogetaddrinforecvsocket
                                                                          • String ID: $@
                                                                          • API String ID: 1138076629-1077428164
                                                                          • Opcode ID: 3098f1d7a794eef77a425b7e47b7d5d2865abb3882c22beabf12fcbf7bbbffc0
                                                                          • Instruction ID: dc42c0a9278407cbb461a52e3aa02793c1cf2e421ccdcc0221093986950ff285
                                                                          • Opcode Fuzzy Hash: 3098f1d7a794eef77a425b7e47b7d5d2865abb3882c22beabf12fcbf7bbbffc0
                                                                          • Instruction Fuzzy Hash: E3F107B5A242148FDB24EF38C98579DBBF1BF4A310F0085E9D8899B351D7359A84CF92

                                                                          Control-flow Graph

                                                                          control_flow_graph 1063 4215f40-4215f7b CreateMutexW GetLastError 1064 4215f9b-4215fa2 1063->1064 1065 4215f7d 1063->1065 1067 4216003-421602d GetModuleHandleW GetConsoleWindow call 421e4f0 1064->1067 1068 4215fa4-4215faa 1064->1068 1066 4215f80-4215f99 Sleep CreateMutexW GetLastError 1065->1066 1066->1064 1066->1066 1074 4216048-421604f call 421e850 1067->1074 1075 421602f-4216045 call 421f00a 1067->1075 1069 4215fb0-4215fe1 call 4226770 lstrlenW call 4216d70 1068->1069 1082 4215ff3-4216001 Sleep 1069->1082 1083 4215fe3-4215ff1 lstrcmpW 1069->1083 1082->1067 1082->1069 1083->1067 1083->1082
                                                                          APIs
                                                                          • CreateMutexW.KERNEL32(00000000,00000000,2024.12. 3), ref: 04215F66
                                                                          • GetLastError.KERNEL32 ref: 04215F6E
                                                                          • Sleep.KERNEL32(000003E8), ref: 04215F85
                                                                          • CreateMutexW.KERNEL32(00000000,00000000,2024.12. 3), ref: 04215F90
                                                                          • GetLastError.KERNEL32 ref: 04215F92
                                                                          • _memset.LIBCMT ref: 04215FB9
                                                                          • lstrlenW.KERNEL32(?), ref: 04215FC6
                                                                          • lstrcmpW.KERNEL32(?,04235328), ref: 04215FED
                                                                          • Sleep.KERNEL32(000003E8), ref: 04215FF8
                                                                          • GetModuleHandleW.KERNEL32(00000000), ref: 04216005
                                                                          • GetConsoleWindow.KERNEL32 ref: 0421600F
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3542553864.0000000004210000.00000040.00001000.00020000.00000000.sdmp, Offset: 04210000, based on PE: true
                                                                          • Associated: 00000003.00000002.3542553864.0000000004244000.00000040.00001000.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_4210000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: CreateErrorLastMutexSleep$ConsoleHandleModuleWindow_memsetlstrcmplstrlen
                                                                          • String ID: 2024.12. 3$key$open
                                                                          • API String ID: 2922109467-4129338558
                                                                          • Opcode ID: afc9107e63e481765bf1a32f28323160a33d56f62948315f5123e827d85b3b7d
                                                                          • Instruction ID: bf3f5fe975784b4356013c924a7bb655eb733270c6dc7d6165d87f140a88bf10
                                                                          • Opcode Fuzzy Hash: afc9107e63e481765bf1a32f28323160a33d56f62948315f5123e827d85b3b7d
                                                                          • Instruction Fuzzy Hash: 7C21E672724305ABE710DB68EC49B5A73F4EBA4716F100819E604971D0DAB4F949CBA3

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph (basic block: address range, calls; successors)
                                                                          • 1084: 42162b6-42162bd; -> 1085
                                                                          • 1085: 42162c0-4216363, call 4226770, wsprintfW, RegOpenKeyExW; -> 1088, 1089
                                                                          • 1088: 42163e9-42163ff; -> 1091
                                                                          • 1089: 4216369-4216376, call 4226770; -> 1092
                                                                          • 1091: 4216402-4216404; -> 1085, 1095
                                                                          • 1092: 421637b-42163ba, RegQueryValueExW; -> 1093, 1094
                                                                          • 1093: 42163dc-42163e3, RegCloseKey; -> 1088
                                                                          • 1094: 42163bc-42163da, lstrcatW * 2; -> 1093
                                                                          • 1095: 421640a-4216418; -> 1096, 1097
                                                                          • 1096: 4216422-421642f, lstrlenW; -> 1098, 1099
                                                                          • 1097: 421641a-421641f; -> 1096
                                                                          • 1098: 4216441-4216450; -> 1100, 1101
                                                                          • 1099: 4216431-421643b, lstrcatW; -> 1098
                                                                          • 1100: 4216452-4216457; -> 1101
                                                                          • 1101: 421645a-421647a, call 421f00a
                                                                          APIs
                                                                          • _memset.LIBCMT ref: 042162CE
                                                                          • wsprintfW.USER32 ref: 04216336
                                                                          • RegOpenKeyExW.ADVAPI32(80000000,?,00000000,00020019,?), ref: 0421635F
                                                                          • _memset.LIBCMT ref: 04216376
                                                                          • RegQueryValueExW.KERNEL32(00000000,00000000,00000000,?,?,?), ref: 042163B2
                                                                          • lstrcatW.KERNEL32(04241F10,?), ref: 042163CE
                                                                          • lstrcatW.KERNEL32(04241F10,0423535C), ref: 042163DA
                                                                          • RegCloseKey.ADVAPI32(00000000), ref: 042163E3
                                                                          • lstrlenW.KERNEL32(04241F10,?,0F38DED4,00000AD4,00000000,75BF73E0), ref: 04216427
                                                                          • lstrcatW.KERNEL32(04241F10,042353D4,?,0F38DED4,00000AD4,00000000,75BF73E0), ref: 0421643B
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3542553864.0000000004210000.00000040.00001000.00020000.00000000.sdmp, Offset: 04210000, based on PE: true
                                                                          • Associated: 00000003.00000002.3542553864.0000000004244000.00000040.00001000.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_4210000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: lstrcat$_memset$CloseOpenQueryValuelstrlenwsprintf
                                                                          • String ID: CLSID\{%.8X-%.4X-%.4X-%.2X%.2X-%.2X%.2X%.2X%.2X%.2X%.2X}$Windows Defender IOfficeAntiVirus implementation
                                                                          • API String ID: 1671694837-1583895642
                                                                          • Opcode ID: e253b71884ae44ff45f434f9c205761d2defe17bae066ec005c5ef4187f11ca3
                                                                          • Instruction ID: de199866b2c30a61951794b9a366fb53e45a3be835e19db7adf841efd4388473
                                                                          • Opcode Fuzzy Hash: e253b71884ae44ff45f434f9c205761d2defe17bae066ec005c5ef4187f11ca3
                                                                          • Instruction Fuzzy Hash: FB418FF1B10228ABDB24DB94CC54FAEB7B8AB88705F0041C8F749A7191D674AE81CF64
                                                                          APIs
                                                                            • Part of subcall function 6BD52100: GetModuleFileNameA.KERNEL32 ref: 6BD52133
                                                                            • Part of subcall function 6BD52020: SHGetFolderPathA.SHELL32 ref: 6BD52077
                                                                          • Sleep.KERNEL32 ref: 6BD52698
                                                                            • Part of subcall function 6BD519F0: SetFileAttributesA.KERNEL32 ref: 6BD51AE3
                                                                          • Sleep.KERNEL32 ref: 6BD52CD2
                                                                          • WinExec.KERNEL32 ref: 6BD52EE4
                                                                          • WinExec.KERNEL32 ref: 6BD5314D
                                                                          • Sleep.KERNEL32 ref: 6BD5315F
                                                                            • Part of subcall function 6BD51FE0: SetFileAttributesA.KERNEL32 ref: 6BD5200B
                                                                            • Part of subcall function 6BD520A0: DeleteFileA.KERNEL32 ref: 6BD520B5
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: File$Sleep$AttributesExec$DeleteFolderModuleNamePath
                                                                          • String ID: #$L$M$X$cmd.exe /C $cmd.exe /C
                                                                          • API String ID: 3277779747-3173768389
                                                                          • Opcode ID: b8db78f7e530dc5568676f99b80683f68956c0c43a32b806206547859965eab9
                                                                          • Instruction ID: a608ca1a8479149be94274edc5e52950fe70ac2820efea31a4eb0a637c0fb971
                                                                          • Opcode Fuzzy Hash: b8db78f7e530dc5568676f99b80683f68956c0c43a32b806206547859965eab9
                                                                          • Instruction Fuzzy Hash: 64A21B71D002698ECB25DF28DC556DDBBB0AF15318F0042EAC45A6B391EB745B98CFA2
                                                                          APIs
                                                                          • GlobalAlloc.KERNEL32(00000002,?,0F38DED4,?,00000000,?), ref: 0421C09E
                                                                          • GlobalLock.KERNEL32(00000000), ref: 0421C0AA
                                                                          • GlobalUnlock.KERNEL32(00000000), ref: 0421C0BF
                                                                          • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 0421C0D5
                                                                          • EnterCriticalSection.KERNEL32(0423FB64), ref: 0421C113
                                                                          • LeaveCriticalSection.KERNEL32(0423FB64), ref: 0421C124
                                                                            • Part of subcall function 04219DE0: GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 04219E04
                                                                            • Part of subcall function 04219DE0: GdipDisposeImage.GDIPLUS(?), ref: 04219E18
                                                                          • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 0421C14C
                                                                            • Part of subcall function 0421A460: GdipGetImageEncodersSize.GDIPLUS(?,?), ref: 0421A48D
                                                                            • Part of subcall function 0421A460: _free.LIBCMT ref: 0421A503
                                                                          • GetHGlobalFromStream.OLE32(?,?), ref: 0421C16D
                                                                          • GlobalLock.KERNEL32(?), ref: 0421C177
                                                                          • GlobalFree.KERNEL32(00000000), ref: 0421C18F
                                                                            • Part of subcall function 04219BA0: DeleteObject.GDI32(?), ref: 04219BD2
                                                                            • Part of subcall function 04219BA0: EnterCriticalSection.KERNEL32(0423FB64,?,?,?,04219B7B), ref: 04219BE3
                                                                            • Part of subcall function 04219BA0: EnterCriticalSection.KERNEL32(0423FB64,?,?,?,04219B7B), ref: 04219BF8
                                                                            • Part of subcall function 04219BA0: GdiplusShutdown.GDIPLUS(00000000,?,?,?,04219B7B), ref: 04219C04
                                                                            • Part of subcall function 04219BA0: LeaveCriticalSection.KERNEL32(0423FB64,?,?,?,04219B7B), ref: 04219C15
                                                                            • Part of subcall function 04219BA0: LeaveCriticalSection.KERNEL32(0423FB64,?,?,?,04219B7B), ref: 04219C1C
                                                                          • GlobalSize.KERNEL32(00000000), ref: 0421C1A5
                                                                          • GlobalUnlock.KERNEL32(?), ref: 0421C221
                                                                          • GlobalFree.KERNEL32(00000000), ref: 0421C249
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3542553864.0000000004210000.00000040.00001000.00020000.00000000.sdmp, Offset: 04210000, based on PE: true
                                                                          • Associated: 00000003.00000002.3542553864.0000000004244000.00000040.00001000.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_4210000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Global$CriticalSection$Stream$CreateEnterGdipLeave$FreeFromImageLockSizeUnlock$AllocBitmapDeleteDisposeEncodersGdiplusObjectShutdown_free
                                                                          • String ID:
                                                                          • API String ID: 1483550337-0
                                                                          • Opcode ID: cf2fa6c9a35e69e43bb45a438738ad7f6916bf7372a9ab7933c941503e49bd92
                                                                          • Instruction ID: 831b81d90a6120132a86bb7674db210635cdf1b0e7ddcea9f4ccaea7337cacae
                                                                          • Opcode Fuzzy Hash: cf2fa6c9a35e69e43bb45a438738ad7f6916bf7372a9ab7933c941503e49bd92
                                                                          • Instruction Fuzzy Hash: 80615CB5E10218EFDB10EFE9E98899EBBB8FF48714F104169E915A7210DB34AD41CF60
                                                                          APIs
                                                                          • _memset.LIBCMT ref: 042164C2
                                                                          • RegOpenKeyExW.KERNEL32(80000001,Software\Tencent\Plugin\VAS,00000000,000F003F,?), ref: 042164E2
                                                                          • RegQueryInfoKeyW.ADVAPI32(?,00000000,00000000,00000000,?,?,00000000,?,?,?,00000000,00000000), ref: 04216524
                                                                          • _memset.LIBCMT ref: 04216560
                                                                          • _memset.LIBCMT ref: 0421658E
                                                                          • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00000000,00000AD4,75BF73E0), ref: 042165BA
                                                                          • lstrlenW.KERNEL32(?,?,?,?,00000000,00000AD4,75BF73E0), ref: 042165C3
                                                                          • lstrlenW.KERNEL32(?,?,?,?,00000000,00000AD4,75BF73E0), ref: 042165D5
                                                                          • RegCloseKey.ADVAPI32(?,00000000,00000AD4,75BF73E0), ref: 04216625
                                                                          • lstrlenW.KERNEL32(?), ref: 04216635
                                                                          Strings
                                                                          • Software\Tencent\Plugin\VAS, xrefs: 042164D8
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3542553864.0000000004210000.00000040.00001000.00020000.00000000.sdmp, Offset: 04210000, based on PE: true
                                                                          • Associated: 00000003.00000002.3542553864.0000000004244000.00000040.00001000.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_4210000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: _memsetlstrlen$CloseEnumInfoOpenQuery
                                                                          • String ID: Software\Tencent\Plugin\VAS
                                                                          • API String ID: 2921034913-3343197220
                                                                          • Opcode ID: 2dcc3d43e2b7d06554e9aa2523e9bcbaf2ee797ab7cfd7b20f9db1ade5178d53
                                                                          • Instruction ID: c9d6ceb6f8799cae5610b9e2f723126f214cf57a5395826f7eaba68011efbff6
                                                                          • Opcode Fuzzy Hash: 2dcc3d43e2b7d06554e9aa2523e9bcbaf2ee797ab7cfd7b20f9db1ade5178d53
                                                                          • Instruction Fuzzy Hash: 3441A4F2B50219BBDB24DB54DD85FEA73BCDB54704F0041D9E309B7081EA74AA858F64
                                                                          APIs
                                                                          • GdipGetImageEncodersSize.GDIPLUS(?,?), ref: 0421A48D
                                                                          • _malloc.LIBCMT ref: 0421A4D1
                                                                          • _free.LIBCMT ref: 0421A503
                                                                          • GdipGetImageEncoders.GDIPLUS(?,?,00000008), ref: 0421A522
                                                                          • GdipSaveImageToStream.GDIPLUS(00000000,?,?,00000000), ref: 0421A594
                                                                          • GdipDisposeImage.GDIPLUS(00000000), ref: 0421A59F
                                                                          • GdipCreateBitmapFromHBITMAP.GDIPLUS(?,00000000,?), ref: 0421A5C5
                                                                          • GdipDisposeImage.GDIPLUS(00000000), ref: 0421A5DD
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3542553864.0000000004210000.00000040.00001000.00020000.00000000.sdmp, Offset: 04210000, based on PE: true
                                                                          • Associated: 00000003.00000002.3542553864.0000000004244000.00000040.00001000.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_4210000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Gdip$Image$DisposeEncoders$BitmapCreateFromSaveSizeStream_free_malloc
                                                                          • String ID: &
                                                                          • API String ID: 2794124522-3042966939
                                                                          • Opcode ID: a08549a318405ad9400925828649db48558fcd474c7308c86abf2181cce29b7f
                                                                          • Instruction ID: 4e7367bd89148d6b03d5006d0af2fa5ae85aa75c4ea5c76dfb500fafb7409861
                                                                          • Opcode Fuzzy Hash: a08549a318405ad9400925828649db48558fcd474c7308c86abf2181cce29b7f
                                                                          • Instruction Fuzzy Hash: 385151B1F21119AFDB04DFA4D844AEEB7F8EF58344F108119E916A7260E734BD45CBA1
                                                                          APIs
                                                                          • RegOpenKeyExW.KERNEL32(80000002,SOFTWARE,00000000,00000102,?), ref: 10005382
                                                                          • RegDeleteValueW.KERNEL32(?,IpDates_info), ref: 10005392
                                                                          • RegSetValueExW.KERNEL32(?,IpDates_info,00000000,00000003,1001C6E0,000012A0), ref: 100053B0
                                                                          • RegCloseKey.KERNEL32(?), ref: 100053BB
                                                                          • OpenProcess.KERNEL32(00000400,00000000,?), ref: 1000540F
                                                                          • GetExitCodeProcess.KERNEL32(00000000,?), ref: 1000541B
                                                                          • Sleep.KERNEL32(00000BB8), ref: 10005434
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543076303.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543056647.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                          • Associated: 00000003.00000002.3543099965.0000000010015000.00000002.00001000.00020000.00000000.sdmp
                                                                          • Associated: 00000003.00000002.3543119921.0000000010019000.00000004.00001000.00020000.00000000.sdmp
                                                                          • Associated: 00000003.00000002.3543139437.000000001001F000.00000020.00001000.00020000.00000000.sdmp
                                                                          • Associated: 00000003.00000002.3543159334.0000000010021000.00000002.00001000.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_10000000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: OpenProcessValue$CloseCodeDeleteExitSleep
                                                                          • String ID: IpDates_info$SOFTWARE
                                                                          • API String ID: 864241144-2243437601
                                                                          • Opcode ID: fa41b33889329ce33d54072f6f587efc439d217482355cea30f751f095a89e77
                                                                          • Instruction ID: c351098f3a10662c2abe80f3babca39824d4604c0415f8e3891e9891bb32f169
                                                                          • Opcode Fuzzy Hash: fa41b33889329ce33d54072f6f587efc439d217482355cea30f751f095a89e77
                                                                          • Instruction Fuzzy Hash: 184146316442819FF310CF308C45F6B7BB5FB453C6F994068E581CA186D3B2EA42C7A2
                                                                          APIs
                                                                          • RegOpenKeyExW.KERNEL32(80000002,SOFTWARE,00000000,00000102,?), ref: 10005382
                                                                          • RegDeleteValueW.KERNEL32(?,IpDates_info), ref: 10005392
                                                                          • RegSetValueExW.KERNEL32(?,IpDates_info,00000000,00000003,1001C6E0,000012A0), ref: 100053B0
                                                                          • RegCloseKey.KERNEL32(?), ref: 100053BB
                                                                          • OpenProcess.KERNEL32(00000400,00000000,?), ref: 1000540F
                                                                          • GetExitCodeProcess.KERNEL32(00000000,?), ref: 1000541B
                                                                          • Sleep.KERNEL32(00000BB8), ref: 10005434
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543076303.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543056647.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                          • Associated: 00000003.00000002.3543099965.0000000010015000.00000002.00001000.00020000.00000000.sdmp
                                                                          • Associated: 00000003.00000002.3543119921.0000000010019000.00000004.00001000.00020000.00000000.sdmp
                                                                          • Associated: 00000003.00000002.3543139437.000000001001F000.00000020.00001000.00020000.00000000.sdmp
                                                                          • Associated: 00000003.00000002.3543159334.0000000010021000.00000002.00001000.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_10000000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: OpenProcessValue$CloseCodeDeleteExitSleep
                                                                          • String ID: IpDates_info$SOFTWARE
                                                                          • API String ID: 864241144-2243437601
                                                                          • Opcode ID: e48445a0fb638aff792993f9711fe44b6994354607bef0c7859c4fe8ed55e572
                                                                          • Instruction ID: f7f7705b5b84b7b191dcdb77494346d14e222b8940c5b100b936b40375e1b217
                                                                          • Opcode Fuzzy Hash: e48445a0fb638aff792993f9711fe44b6994354607bef0c7859c4fe8ed55e572
                                                                          • Instruction Fuzzy Hash: B731C1306443819FF315CF308848B6B7BF6FB493C6F9944A8F5859A146D3B2DA46C761
                                                                          APIs
                                                                          • EnterCriticalSection.KERNEL32(000000FF,?,?,?,?,?,?,?,?,?,?,6BD743D0,?,6BD68F45,?,6BD73890), ref: 6BD84EAE
                                                                          • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,?,?,?,?,?,6BD743D0,?,6BD68F45,?,6BD73890), ref: 6BD84F20
                                                                          • GlobalHandle.KERNEL32(?), ref: 6BD84F2A
                                                                          • GlobalUnlock.KERNEL32(00000000), ref: 6BD84F3C
                                                                          • GlobalReAlloc.KERNEL32(?,00000000), ref: 6BD84F57
                                                                          • GlobalLock.KERNEL32(00000000), ref: 6BD84F62
                                                                          • LeaveCriticalSection.KERNEL32(000000FF), ref: 6BD84FAF
                                                                          • GlobalHandle.KERNEL32(?), ref: 6BD84FC3
                                                                          • GlobalLock.KERNEL32(00000000), ref: 6BD84FCE
                                                                          • LeaveCriticalSection.KERNEL32(000000FF,?,?,?,?,?,?,?,?,?,6BD743D0,?,6BD68F45,?,6BD73890,92806F5A), ref: 6BD84FDD
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock
                                                                          • String ID:
                                                                          • API String ID: 2667261700-0
                                                                          • Opcode ID: b0d0e20ccfdca4393a05e710b2325ba5a6cef0c4555e1a90aad394b33b42559c
                                                                          • Instruction ID: 701443a13f3b9ad44426874b5aa5881b0a46b9a5ad394cd2214eb019d5b55d17
                                                                          • Opcode Fuzzy Hash: b0d0e20ccfdca4393a05e710b2325ba5a6cef0c4555e1a90aad394b33b42559c
                                                                          • Instruction Fuzzy Hash: 0341BC71900219FFDB14DF68C889B89BBF8FF01322F0145A9E851DA150EB74EA50DFA0
                                                                          APIs
                                                                            • Part of subcall function 6BD59FE0: GetModuleFileNameA.KERNEL32 ref: 6BD5A03C
                                                                          • CreateThread.KERNEL32 ref: 6BD5A68D
                                                                          • CreateThread.KERNEL32 ref: 6BD5A6C9
                                                                          • WaitForSingleObject.KERNEL32 ref: 6BD5A6F6
                                                                            • Part of subcall function 6BD5A1C0: GetModuleFileNameA.KERNEL32 ref: 6BD5A21C
                                                                            • Part of subcall function 6BD59F60: GetModuleFileNameA.KERNEL32 ref: 6BD59FA8
                                                                            • Part of subcall function 6BD5A3B0: GetModuleHandleA.KERNEL32 ref: 6BD5A3EE
                                                                            • Part of subcall function 6BD593B0: GetModuleHandleA.KERNEL32 ref: 6BD593C8
                                                                            • Part of subcall function 6BD593B0: FindResourceW.KERNEL32 ref: 6BD5942D
                                                                            • Part of subcall function 6BD593B0: LoadResource.KERNEL32 ref: 6BD59455
                                                                            • Part of subcall function 6BD593B0: SizeofResource.KERNEL32 ref: 6BD5946E
                                                                            • Part of subcall function 6BD593B0: LockResource.KERNEL32 ref: 6BD59480
                                                                          • CreateThread.KERNEL32 ref: 6BD5A85E
                                                                            • Part of subcall function 6BD57EE0: WSAStartup.WS2_32 ref: 6BD57F58
                                                                            • Part of subcall function 6BD57EE0: getaddrinfo.WS2_32 ref: 6BD58061
                                                                            • Part of subcall function 6BD57EE0: WSACleanup.WS2_32 ref: 6BD5807A
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Module$Resource$CreateFileNameThread$Handle$CleanupFindLoadLockObjectSingleSizeofStartupWaitgetaddrinfo
                                                                          • String ID: IiVi$S$Update.d$dll
                                                                          • API String ID: 815238310-4046086539
                                                                          • Opcode ID: c1806ddb205e98e0771ced81a5779842fbf19dc121c225f4b2538ef7db700770
                                                                          • Instruction ID: 2a2f63ac50f8cb8aa6a9fc1f19a7701a55a0ad3de802d412194d485a53d7b0e4
                                                                          • Opcode Fuzzy Hash: c1806ddb205e98e0771ced81a5779842fbf19dc121c225f4b2538ef7db700770
                                                                          • Instruction Fuzzy Hash: F09159B1900228CFDB04EF64D856B9DBBB0FF11314F008499D45A9F3A1DB799A48CFA2
                                                                          APIs
                                                                            • Part of subcall function 6BEC8CC3: CreateFileW.KERNEL32(6BD4A690,00000000,?,6BEC8967,?,?,00000000,?,6BEC8967,6BD4A690,0000000C), ref: 6BEC8CE0
                                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6BEC89D2
                                                                          • __dosmaperr.LIBCMT ref: 6BEC89D9
                                                                          • GetFileType.KERNEL32(00000000), ref: 6BEC89E5
                                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6BEC89EF
                                                                          • __dosmaperr.LIBCMT ref: 6BEC89F8
                                                                          • CloseHandle.KERNEL32(00000000), ref: 6BEC8A18
                                                                          • CloseHandle.KERNEL32(6BEBF9BC), ref: 6BEC8B65
                                                                          • GetLastError.KERNEL32 ref: 6BEC8B97
                                                                          • __dosmaperr.LIBCMT ref: 6BEC8B9E
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                                          • String ID:
                                                                          • API String ID: 4237864984-0
                                                                          • Opcode ID: 6e57321de34d24d2a456044743580e9720455cdf40424eef6baa5ce533cf7c82
                                                                          • Instruction ID: c64ad7b60636ef0a3155f6e0f92569a812f2261f0e09779ba2773ee01511571f
                                                                          • Opcode Fuzzy Hash: 6e57321de34d24d2a456044743580e9720455cdf40424eef6baa5ce533cf7c82
                                                                          • Instruction Fuzzy Hash: 90A1F732A141549FCF199F78CA52BAE3BA1AF07314F24025DE825AF391D739D816CB92
                                                                          APIs
                                                                          • RegOpenKeyExW.KERNEL32(80000001,Console\0,00000000,000F003F,042312F8,0F38DED4,00000001,00000000,00000000), ref: 0421CAB1
                                                                          • RegQueryInfoKeyW.ADVAPI32(042312F8,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,00000000,00000000), ref: 0421CAE0
                                                                          • _memset.LIBCMT ref: 0421CB44
                                                                          • _memset.LIBCMT ref: 0421CB53
                                                                          • RegEnumValueW.KERNEL32(042312F8,?,00000000,?,00000000,?,00000000,?), ref: 0421CB72
                                                                            • Part of subcall function 0421F707: _malloc.LIBCMT ref: 0421F721
                                                                            • Part of subcall function 0421F707: std::exception::exception.LIBCMT ref: 0421F756
                                                                            • Part of subcall function 0421F707: std::exception::exception.LIBCMT ref: 0421F770
                                                                            • Part of subcall function 0421F707: __CxxThrowException@8.LIBCMT ref: 0421F781
                                                                          • RegCloseKey.KERNEL32(042312F8,?,?,?,?,?,?,?,?,?,?,?,00000000,042312F8,000000FF), ref: 0421CC83
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3542553864.0000000004210000.00000040.00001000.00020000.00000000.sdmp, Offset: 04210000, based on PE: true
                                                                          • Associated: 00000003.00000002.3542553864.0000000004244000.00000040.00001000.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_4210000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: _memsetstd::exception::exception$CloseEnumException@8InfoOpenQueryThrowValue_malloc
                                                                          • String ID: Console\0
                                                                          • API String ID: 1348767993-1253790388
                                                                          • Opcode ID: 65b7badc61b39ed2fce1894d2080ace17f784502a3af6187f1b9ae9209246abf
                                                                          • Instruction ID: 9744da36e3c54d694fff938a7e70278db9bace33ac617359138f1f11fbc54364
                                                                          • Opcode Fuzzy Hash: 65b7badc61b39ed2fce1894d2080ace17f784502a3af6187f1b9ae9209246abf
                                                                          • Instruction Fuzzy Hash: 25612AB5A10219AFDB04DFA9D980EAEB7F8FF48314F14416AE915E7350DB74AD01CBA0
                                                                          APIs
                                                                            • Part of subcall function 0421F707: _malloc.LIBCMT ref: 0421F721
                                                                          • _memset.LIBCMT ref: 0421BB21
                                                                          • GetLastInputInfo.USER32(?), ref: 0421BB37
                                                                          • GetTickCount.KERNEL32 ref: 0421BB3D
                                                                          • wsprintfW.USER32 ref: 0421BB66
                                                                          • GetForegroundWindow.USER32 ref: 0421BB6F
                                                                          • GetWindowTextW.USER32(00000000,00000020,000000FA), ref: 0421BB83
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3542553864.0000000004210000.00000040.00001000.00020000.00000000.sdmp, Offset: 04210000, based on PE: true
                                                                          • Associated: 00000003.00000002.3542553864.0000000004244000.00000040.00001000.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_4210000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Window$CountForegroundInfoInputLastTextTick_malloc_memsetwsprintf
                                                                          • String ID: %d min
                                                                          • API String ID: 3754759880-1947832151
                                                                          • Opcode ID: 1042b9b1a8dfc6bf5f301cfd244c5909868464a8759784fdd5a1c60c18030218
                                                                          • Instruction ID: 0612fa4b356913aa58186c91d583ee38e684582975eb468923a02d12063ac6ba
                                                                          • Opcode Fuzzy Hash: 1042b9b1a8dfc6bf5f301cfd244c5909868464a8759784fdd5a1c60c18030218
                                                                          • Instruction Fuzzy Hash: B54183B5A10218AFDB10DFA8DC88E9FBBF9EF54700F048155F9099B251D674BA04CBE1
                                                                          APIs
                                                                          • __EH_prolog3.LIBCMT ref: 6BDE0AE9
                                                                            • Part of subcall function 6BD82F60: EnterCriticalSection.KERNEL32(6BF38410,?,?,0000007C,?,6BD6F318,00000001), ref: 6BD82F91
                                                                            • Part of subcall function 6BD82F60: InitializeCriticalSection.KERNEL32(00000000,?,6BD6F318,00000001), ref: 6BD82FA7
                                                                            • Part of subcall function 6BD82F60: LeaveCriticalSection.KERNEL32(6BF38410,?,6BD6F318,00000001), ref: 6BD82FB5
                                                                            • Part of subcall function 6BD82F60: EnterCriticalSection.KERNEL32(00000000,?,0000007C,?,6BD6F318,00000001), ref: 6BD82FC2
                                                                          • GetProfileIntW.KERNEL32(windows,DragMinDist,00000002), ref: 6BDE0B3C
                                                                          • GetProfileIntW.KERNEL32(windows,DragDelay,000000C8), ref: 6BDE0B52
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: CriticalSection$EnterProfile$H_prolog3InitializeLeave
                                                                          • String ID: DragDelay$DragMinDist$d}k$windows
                                                                          • API String ID: 3965097884-3846839594
                                                                          • Opcode ID: 1800698fe96c2d948677fb578b0c093ac3482401e3e17062281db714c0299b99
                                                                          • Instruction ID: ec5cadb5e0e214e13231c9ed60e7c15d4a6256874c450b5d1f5d39c90ebef88b
                                                                          • Opcode Fuzzy Hash: 1800698fe96c2d948677fb578b0c093ac3482401e3e17062281db714c0299b99
                                                                          • Instruction Fuzzy Hash: 1B019AB08517409FDBB0EF39854271A7AF0BB09714F50482EE04ACB692DB7CA205CB65
                                                                          APIs
                                                                          • GetCurrentProcessId.KERNEL32(0F38DED4,00000000,00000000,75BF73E0,?,00000000,042310DB,000000FF,?,04216AB3,00000000), ref: 04216938
                                                                          • OpenProcess.KERNEL32(00000400,00000000,00000000,?,00000000,042310DB,000000FF,?,04216AB3,00000000), ref: 04216947
                                                                          • OpenProcessToken.ADVAPI32(00000000,00000008,00000000,?,00000000,042310DB,000000FF,?,04216AB3,00000000), ref: 04216960
                                                                          • CloseHandle.KERNEL32(00000000,?,00000000,042310DB,000000FF,?,04216AB3,00000000), ref: 0421696B
                                                                          • SysStringLen.OLEAUT32(00000000), ref: 042169BE
                                                                          • SysStringLen.OLEAUT32(00000000), ref: 042169CC
                                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,042310DB,000000FF), ref: 04216A2E
                                                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,042310DB,000000FF), ref: 04216A34
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3542553864.0000000004210000.00000040.00001000.00020000.00000000.sdmp, Offset: 04210000, based on PE: true
                                                                          • Associated: 00000003.00000002.3542553864.0000000004244000.00000040.00001000.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_4210000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: CloseHandleProcess$OpenString$CurrentToken
                                                                          • String ID:
                                                                          • API String ID: 429299433-0
                                                                          • Opcode ID: 13f41141a6c8fda1c04098faed11de1d43425117773aab368b0b7601559dd0b1
                                                                          • Instruction ID: 6fa2e4eb274118c6349ca7b34b39d72050eb24a87636e300ee11f9191649e7e0
                                                                          • Opcode Fuzzy Hash: 13f41141a6c8fda1c04098faed11de1d43425117773aab368b0b7601559dd0b1
                                                                          • Instruction Fuzzy Hash: CF41E2B2B101299BDB10DFA8DC84AAEB7F8EB54310F10466AE915E7250D7757900CBA0
                                                                          APIs
                                                                          • _memset.LIBCMT ref: 04216DD9
                                                                          • RegOpenKeyExW.KERNEL32(80000001,04235164,00000000,00020019,75BF73E0), ref: 04216DFC
                                                                          • RegQueryValueExW.KERNEL32(75BF73E0,GROUP,00000000,00000001,?,00000208), ref: 04216E4A
                                                                          • lstrcmpW.KERNEL32(?,04235148), ref: 04216E60
                                                                          • lstrcpyW.KERNEL32(042156EA,?), ref: 04216E72
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3542553864.0000000004210000.00000040.00001000.00020000.00000000.sdmp, Offset: 04210000, based on PE: true
                                                                          • Associated: 00000003.00000002.3542553864.0000000004244000.00000040.00001000.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_4210000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: OpenQueryValue_memsetlstrcmplstrcpy
                                                                          • String ID: GROUP
                                                                          • API String ID: 2102619503-2593425013
                                                                          • Opcode ID: 63cb23fecf6edc5e71ef37cd188d9448da15eb66e21af3021c3223109d348396
                                                                          • Instruction ID: f9599aa997ed7361e15909628a50b10d6ac2289a18dc28f8a34542b8345c8254
                                                                          • Opcode Fuzzy Hash: 63cb23fecf6edc5e71ef37cd188d9448da15eb66e21af3021c3223109d348396
                                                                          • Instruction Fuzzy Hash: 23318471B10319BBDB20DF94ED8DF9EB7B8EB08714F104299E519A7190DB74AA84CF60
                                                                          APIs
                                                                          • ___set_flsgetvalue.LIBCMT ref: 10007240
                                                                          • __calloc_crt.LIBCMT ref: 1000724C
                                                                          • __getptd.LIBCMT ref: 10007259
                                                                          • CreateThread.KERNEL32(?,?,100071B6,00000000,?,?), ref: 10007290
                                                                          • GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 1000729A
                                                                          • _free.LIBCMT ref: 100072A3
                                                                          • __dosmaperr.LIBCMT ref: 100072AE
                                                                            • Part of subcall function 1000710D: __getptd_noexit.LIBCMT ref: 1000710D
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543076303.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543056647.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                          • Associated: 00000003.00000002.3543099965.0000000010015000.00000002.00001000.00020000.00000000.sdmp
                                                                          • Associated: 00000003.00000002.3543119921.0000000010019000.00000004.00001000.00020000.00000000.sdmp
                                                                          • Associated: 00000003.00000002.3543139437.000000001001F000.00000020.00001000.00020000.00000000.sdmp
                                                                          • Associated: 00000003.00000002.3543159334.0000000010021000.00000002.00001000.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_10000000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
                                                                          • String ID:
                                                                          • API String ID: 155776804-0
                                                                          • Opcode ID: 734b10ab9ba7f1921b38ce4142f5ff93c1ead5fd9a2afb223c48f08537fb4c8c
                                                                          • Instruction ID: e2e0b3d062d787f99d787063b624e9a47e01a5ceed69b34c49d3f3bc16e6f751
                                                                          • Opcode Fuzzy Hash: 734b10ab9ba7f1921b38ce4142f5ff93c1ead5fd9a2afb223c48f08537fb4c8c
                                                                          • Instruction Fuzzy Hash: C911E136604746AFF711DFA8DC41D8B37E8FF453E0B110029F95C8A19ADB79E8008AA0
                                                                          APIs
                                                                          • ___set_flsgetvalue.LIBCMT ref: 0421FA4E
                                                                          • __calloc_crt.LIBCMT ref: 0421FA5A
                                                                          • __getptd.LIBCMT ref: 0421FA67
                                                                          • CreateThread.KERNEL32(?,?,0421F9C4,00000000,?,?), ref: 0421FA9E
                                                                          • GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 0421FAA8
                                                                          • _free.LIBCMT ref: 0421FAB1
                                                                          • __dosmaperr.LIBCMT ref: 0421FABC
                                                                            • Part of subcall function 0421F91B: __getptd_noexit.LIBCMT ref: 0421F91B
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3542553864.0000000004210000.00000040.00001000.00020000.00000000.sdmp, Offset: 04210000, based on PE: true
                                                                          • Associated: 00000003.00000002.3542553864.0000000004244000.00000040.00001000.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_4210000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
                                                                          • String ID:
                                                                          • API String ID: 155776804-0
                                                                          • Opcode ID: 8d1e2a30e7b41d530cab1ce70409344a88544cd1723580339964ce87621d988c
                                                                          • Instruction ID: 3168add007a5c9569f89a37cf2f2ac5e4b4a9ea7fdfaabf8461d312bb37fcc06
                                                                          • Opcode Fuzzy Hash: 8d1e2a30e7b41d530cab1ce70409344a88544cd1723580339964ce87621d988c
                                                                          • Instruction Fuzzy Hash: EF11C23232471BBFE710BFA5AE4099B37D8DF146787120026F92487060DB79F8018A64
                                                                          APIs
                                                                          • GetModuleHandleW.KERNEL32(kernel32.dll,GetNativeSystemInfo,?,?,?,?,?,?,?,?,04217523), ref: 0421743D
                                                                          • GetProcAddress.KERNEL32(00000000), ref: 04217444
                                                                          • GetNativeSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,04217523), ref: 04217452
                                                                          • GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,04217523), ref: 0421745A
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3542553864.0000000004210000.00000040.00001000.00020000.00000000.sdmp, Offset: 04210000, based on PE: true
                                                                          • Associated: 00000003.00000002.3542553864.0000000004244000.00000040.00001000.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_4210000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: InfoSystem$AddressHandleModuleNativeProc
                                                                          • String ID: GetNativeSystemInfo$kernel32.dll
                                                                          • API String ID: 3433367815-192647395
                                                                          • Opcode ID: 4babaad36399abcb55eb36574fd7a9ffaf00dc3e7f092ce372fc72bf14533922
                                                                          • Instruction ID: 563d920e4a44e489dccad35e848c33388fbc5ac3a59c281c61e7723272fa9221
                                                                          • Opcode Fuzzy Hash: 4babaad36399abcb55eb36574fd7a9ffaf00dc3e7f092ce372fc72bf14533922
                                                                          • Instruction Fuzzy Hash: BD01ECB0E102099FCF50DFB8A9446AEBBF5EB98301F5045A9D549E3240E679AE40CF61
                                                                          APIs
                                                                          • ___set_flsgetvalue.LIBCMT ref: 100071BC
                                                                            • Part of subcall function 10009754: TlsGetValue.KERNEL32(00000000,100098AD,?,10009FB0,00000000,00000001,00000000,?,1000C0CF,00000018,10017C70,0000000C,1000C15F,00000000,00000000), ref: 1000975D
                                                                            • Part of subcall function 10009754: DecodePointer.KERNEL32(?,10009FB0,00000000,00000001,00000000,?,1000C0CF,00000018,10017C70,0000000C,1000C15F,00000000,00000000,?,100099BA,0000000D), ref: 1000976F
                                                                            • Part of subcall function 10009754: TlsSetValue.KERNEL32(00000000,?,10009FB0,00000000,00000001,00000000,?,1000C0CF,00000018,10017C70,0000000C,1000C15F,00000000,00000000,?,100099BA), ref: 1000977E
                                                                          • ___fls_getvalue@4.LIBCMT ref: 100071C7
                                                                            • Part of subcall function 10009734: TlsGetValue.KERNEL32(?,?,100071CC,00000000), ref: 10009742
                                                                          • ___fls_setvalue@8.LIBCMT ref: 100071DA
                                                                            • Part of subcall function 10009788: DecodePointer.KERNEL32(?,?,?,100071DF,00000000,?,00000000), ref: 10009799
                                                                          • GetLastError.KERNEL32(00000000,?,00000000), ref: 100071E3
                                                                          • ExitThread.KERNEL32 ref: 100071EA
                                                                          • GetCurrentThreadId.KERNEL32 ref: 100071F0
                                                                          • __freefls@4.LIBCMT ref: 10007210
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543076303.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543056647.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                          • Associated: 00000003.00000002.3543099965.0000000010015000.00000002.00001000.00020000.00000000.sdmp
                                                                          • Associated: 00000003.00000002.3543119921.0000000010019000.00000004.00001000.00020000.00000000.sdmp
                                                                          • Associated: 00000003.00000002.3543139437.000000001001F000.00000020.00001000.00020000.00000000.sdmp
                                                                          • Associated: 00000003.00000002.3543159334.0000000010021000.00000002.00001000.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_10000000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Value$DecodePointerThread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
                                                                          • String ID:
                                                                          • API String ID: 2383549826-0
                                                                          • Opcode ID: 9534965ccca21370a2365faca07fc43a5bbbcb8b41f594eb418147c089430495
                                                                          • Instruction ID: 9ef8d05c11a244158b1ee883055881acaa61a2209176cdde4bb0df2a080a06ba
                                                                          • Opcode Fuzzy Hash: 9534965ccca21370a2365faca07fc43a5bbbcb8b41f594eb418147c089430495
                                                                          • Instruction Fuzzy Hash: 7EF09679404240ABF304DFB5C94988E7BA9FF482C4725C458F90C8B21BDB39E8428790
                                                                          APIs
                                                                          • ___set_flsgetvalue.LIBCMT ref: 0421F9CA
                                                                            • Part of subcall function 04223CA0: TlsGetValue.KERNEL32(00000000,04223DF9,?,04224500,00000000,00000001,00000000,?,04228DE6,00000018,04236448,0000000C,04228E76,00000000,00000000), ref: 04223CA9
                                                                            • Part of subcall function 04223CA0: DecodePointer.KERNEL32(?,04224500,00000000,00000001,00000000,?,04228DE6,00000018,04236448,0000000C,04228E76,00000000,00000000,?,04223F06,0000000D), ref: 04223CBB
                                                                            • Part of subcall function 04223CA0: TlsSetValue.KERNEL32(00000000,?,04224500,00000000,00000001,00000000,?,04228DE6,00000018,04236448,0000000C,04228E76,00000000,00000000,?,04223F06), ref: 04223CCA
                                                                          • ___fls_getvalue@4.LIBCMT ref: 0421F9D5
                                                                            • Part of subcall function 04223C80: TlsGetValue.KERNEL32(?,?,0421F9DA,00000000), ref: 04223C8E
                                                                          • ___fls_setvalue@8.LIBCMT ref: 0421F9E8
                                                                            • Part of subcall function 04223CD4: DecodePointer.KERNEL32(?,?,?,0421F9ED,00000000,?,00000000), ref: 04223CE5
                                                                          • GetLastError.KERNEL32(00000000,?,00000000), ref: 0421F9F1
                                                                          • ExitThread.KERNEL32 ref: 0421F9F8
                                                                          • GetCurrentThreadId.KERNEL32 ref: 0421F9FE
                                                                          • __freefls@4.LIBCMT ref: 0421FA1E
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3542553864.0000000004210000.00000040.00001000.00020000.00000000.sdmp, Offset: 04210000, based on PE: true
                                                                          • Associated: 00000003.00000002.3542553864.0000000004244000.00000040.00001000.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_4210000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Value$DecodePointerThread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
                                                                          • String ID:
                                                                          • API String ID: 2383549826-0
                                                                          • Opcode ID: 62d2502ac11712fdcba831edfe16da4cdb95cf0b36a3e5f08deeef3429d9e267
                                                                          • Instruction ID: cc45633b667612c5e8de41cb6c03a0d7f5c8b8243e5ae3229c41cfdf68192cbd
                                                                          • Opcode Fuzzy Hash: 62d2502ac11712fdcba831edfe16da4cdb95cf0b36a3e5f08deeef3429d9e267
                                                                          • Instruction Fuzzy Hash: B3F09674720311BBD708FF74DB0881E7BE8AF482493218558ED0587211DA3CF842C7A1
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 10a4d32d073df4dc6108cf40ea4b945a96257ae1976a7aa1a839d7d3b93ad550
                                                                          • Instruction ID: 823327b794499aa56f2730353e0d116aa3f84c0136fd5bccebdce485eceb2c43
                                                                          • Opcode Fuzzy Hash: 10a4d32d073df4dc6108cf40ea4b945a96257ae1976a7aa1a839d7d3b93ad550
                                                                          • Instruction Fuzzy Hash: C4B1F471E04249ABDF01CFA9C981BAE7BB1BF16318F305198D5249B391C778D951CBA2
                                                                          APIs
                                                                          • GetFileAttributesA.KERNEL32 ref: 6BD59B2B
                                                                          • SHGetFolderPathA.SHELL32 ref: 6BD59B74
                                                                          • GetFileAttributesA.KERNEL32 ref: 6BD59C6F
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: AttributesFile$FolderPath
                                                                          • String ID:
                                                                          • API String ID: 1382956649-0
                                                                          • Opcode ID: 35f7d24a95ade1cf2ba311009d66405d08432be4ea65af48119bba433a778c45
                                                                          • Instruction ID: 3cc765b88fe59c982bc535d239f002538d78b41f5d39cc17d99e6abbe9d05ab1
                                                                          • Opcode Fuzzy Hash: 35f7d24a95ade1cf2ba311009d66405d08432be4ea65af48119bba433a778c45
                                                                          • Instruction Fuzzy Hash: AAB12BB1900314CFCB14EF28C85579DBBB0FF4A314F0085AAD4599B3A1DB799A88CF92
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Process32$ByteCharCloseCreateFirstHandleMultiNextSnapshotToolhelp32Wide
                                                                          • String ID:
                                                                          • API String ID: 4013288513-0
                                                                          • Opcode ID: f30f989e123953872c564181eec9703d1fd4042e9950e7214e909c5bef31a15b
                                                                          • Instruction ID: 2516feb74dd01460995d4ccde5ddec073e456833fb1dbfd6de7d6a44ec98fb95
                                                                          • Opcode Fuzzy Hash: f30f989e123953872c564181eec9703d1fd4042e9950e7214e909c5bef31a15b
                                                                          • Instruction Fuzzy Hash: 8B5128B4D082459FCB00EFB8D5557AEBFF0AF49314F10856DE894AB381D7389958CBA2
                                                                          APIs
                                                                          • WaitForSingleObject.KERNEL32(?,000000FF), ref: 100032F1
                                                                          • Sleep.KERNEL32(00000258), ref: 100032FE
                                                                          • InterlockedExchange.KERNEL32(?,00000000), ref: 10003306
                                                                          • WaitForSingleObject.KERNEL32(?,000000FF), ref: 10003312
                                                                          • WaitForSingleObject.KERNEL32(?,000000FF), ref: 1000331A
                                                                          • Sleep.KERNEL32(0000012C), ref: 1000332B
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543076303.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543056647.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                          • Associated: 00000003.00000002.3543099965.0000000010015000.00000002.00001000.00020000.00000000.sdmp
                                                                          • Associated: 00000003.00000002.3543119921.0000000010019000.00000004.00001000.00020000.00000000.sdmp
                                                                          • Associated: 00000003.00000002.3543139437.000000001001F000.00000020.00001000.00020000.00000000.sdmp
                                                                          • Associated: 00000003.00000002.3543159334.0000000010021000.00000002.00001000.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_10000000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: ObjectSingleWait$Sleep$ExchangeInterlocked
                                                                          • String ID:
                                                                          • API String ID: 3137405945-0
                                                                          • Opcode ID: 90501a451cf47964b750dce1617d56ac3a73a9eb1c931f81fede124cf76ff774
                                                                          • Instruction ID: f89297930b1253133b9af3f62c08b225611c8876bcc0692efb07df5bac526d50
                                                                          • Opcode Fuzzy Hash: 90501a451cf47964b750dce1617d56ac3a73a9eb1c931f81fede124cf76ff774
                                                                          • Instruction Fuzzy Hash: 65F08971104314AFD610DBE9CCC4D46F3B8AF89331B144709F221872D0CAB1E8018BA0
                                                                          APIs
                                                                          • _malloc.LIBCMT ref: 0421F721
                                                                            • Part of subcall function 0421F673: __FF_MSGBANNER.LIBCMT ref: 0421F68C
                                                                            • Part of subcall function 0421F673: __NMSG_WRITE.LIBCMT ref: 0421F693
                                                                            • Part of subcall function 0421F673: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,04224500,00000000,00000001,00000000,?,04228DE6,00000018,04236448,0000000C,04228E76), ref: 0421F6B8
                                                                          • std::exception::exception.LIBCMT ref: 0421F756
                                                                          • std::exception::exception.LIBCMT ref: 0421F770
                                                                          • __CxxThrowException@8.LIBCMT ref: 0421F781
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3542553864.0000000004210000.00000040.00001000.00020000.00000000.sdmp, Offset: 04210000, based on PE: true
                                                                          • Associated: 00000003.00000002.3542553864.0000000004244000.00000040.00001000.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_4210000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
                                                                          • String ID: bad allocation
                                                                          • API String ID: 615853336-2104205924
                                                                          • Opcode ID: f121c9f1e1bfd2d12259d2ed928c805b417896bcab3e52fe68676ceba8a2a3c9
                                                                          • Instruction ID: 5f7b0e21bee63d82363272bc6c9903265984eb6bfd6940796bfac17fcf1048fa
                                                                          • Opcode Fuzzy Hash: f121c9f1e1bfd2d12259d2ed928c805b417896bcab3e52fe68676ceba8a2a3c9
                                                                          • Instruction Fuzzy Hash: 03F0A9B1F30319ABEF14EB58FF25A6E37F9AB54659F120095D420D60B0DB74FA058B90
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: CopyFile$CreateProcess
                                                                          • String ID:
                                                                          • API String ID: 3066332969-0
                                                                          • Opcode ID: 64470c6a31773d9c17ff0b151c4f3313d55d624d8253ba1ec3f5bd8876a368d4
                                                                          • Instruction ID: adc2233006c80e91daa9b31af95f5fc88b026cb4e1020416d978fdc9222ef69d
                                                                          • Opcode Fuzzy Hash: 64470c6a31773d9c17ff0b151c4f3313d55d624d8253ba1ec3f5bd8876a368d4
                                                                          • Instruction Fuzzy Hash: 69E117B0505B00CFD354EF34D599796BBE0BF46328F41892DD5AB8B260DF39AA48CB52
APIs
• GetCommandLineW.KERNEL32(00000001), ref: 00021C61
• CommandLineToArgvW.SHELL32(00000000), ref: 00021C68
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,00020000), ref: 00021CD3
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000), ref: 00021CF3
• LocalFree.KERNEL32(00000000,?,?,?,?,?,?,?,00020000,00000000,00000000,00000000,00022778,00000014), ref: 00021D25
Memory Dump Source
• Source File: 00000003.00000002.3541338150.0000000000021000.00000020.00000001.01000000.00000005.sdmp, Offset: 00020000, based on PE: true
• Associated: 00000003.00000002.3541291978.0000000000020000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.3541375098.0000000000022000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.3541410059.0000000000023000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.3541444515.0000000000024000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.3541444515.0000000000066000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_20000_Update.jbxd
Similarity
• API ID: ByteCharCommandLineMultiWide$ArgvFreeLocal
• String ID:
• API String ID: 4060259846-0
• Opcode ID: a0286ab1ddf62902ccc1785eaf32c0fcf33a46d095cc89beeae2652f73cfa1c5
• Instruction ID: 3d0a577c08509f4658f2b430a077fa571f5c16f0c350a2ccb7658f16d7ca1b2c
• Instruction Fuzzy Hash: 0131F370604315ABE720EF68AC85B9B77E8EF94710F20092CF959D72C1D734ED088B62
APIs
Memory Dump Source
• Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
• Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
Similarity
• API ID: dllmain_raw$dllmain_crt_dispatch
• String ID:
• API String ID: 3136044242-0
• Opcode ID: edbdec7e4d53d34b83780151e41acd756a25aa0de6189c59655c0d47bc83158a
• Instruction ID: 4e6e479bbb4dbdd215e39199c52f9b30915562ec51fbacbb0c06318863a9f767
• Instruction Fuzzy Hash: 3C21A671E05639EFDB218EE5CD4196F3B6DEB82F98B254059F8146F250E33C8D218BA1
APIs
• setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 10002D3C
• CancelIo.KERNEL32(?), ref: 10002D46
• InterlockedExchange.KERNEL32(00000000,00000000), ref: 10002D4F
• closesocket.WS2_32(?), ref: 10002D59
• SetEvent.KERNEL32(00000001), ref: 10002D63
Memory Dump Source
• Source File: 00000003.00000002.3543076303.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000003.00000002.3543056647.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.3543099965.0000000010015000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.3543119921.0000000010019000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.3543139437.000000001001F000.00000020.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.3543159334.0000000010021000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_10000000_Update.jbxd
Similarity
• API ID: CancelEventExchangeInterlockedclosesocketsetsockopt
• String ID:
• API String ID: 1486965892-0
• Opcode ID: 2ceef8d7a9cb16c2b8d4c923c9bd50e46f51888a66d7a8a6949057e86b5d425b
• Instruction ID: c3dd280d0a222891198d8956340d5cd90ea8efbda93af296f9b36197db09124c
• Instruction Fuzzy Hash: 95F04F75100710EFE320DF94CC89F5677B8FB49B12F148659F6829B690C7B1F9048BA0
APIs
• GetModuleHandleW.KERNEL32(Shell32,00000000,?,6BD5CADA), ref: 6BD7A27C
• GetProcAddress.KERNEL32(00000000,SetCurrentProcessExplicitAppUserModelID), ref: 6BD7A28D
Strings
• SetCurrentProcessExplicitAppUserModelID, xrefs: 6BD7A287
• Shell32, xrefs: 6BD7A275
Memory Dump Source
• Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
• Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID: SetCurrentProcessExplicitAppUserModelID$Shell32
• API String ID: 1646373207-2658420654
• Opcode ID: b4a8b9389c2317d4b2d9cfb5f6f6572d706a502faf5beb5a3f806aa96dcc10ee
• Instruction ID: 4559bc4ce922ad529ad42c139b6a92920967d880722240e1d14b2ebdcdf027f8
• Instruction Fuzzy Hash: 2AE02672610619B786242B65C81CD5B7F18EA81661300083AFC04CB210CF7ADC00C6F0
APIs
• __EH_prolog3_GS.LIBCMT ref: 6BD6908F
  • Part of subcall function 6BD77EA0: __EH_prolog3.LIBCMT ref: 6BD77EA7
• GetCurrentThread.KERNEL32 ref: 6BD690EE
• GetCurrentThreadId.KERNEL32 ref: 6BD690F7
• GetVersionExW.KERNEL32 ref: 6BD69193
Memory Dump Source
• Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
• Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
Similarity
• API ID: CurrentThread$H_prolog3H_prolog3_Version
• String ID:
• API String ID: 786120064-0
• Opcode ID: c38028b0f8302946073765c281d7af471b71be75ef6d00cb1ea274480b077f0e
• Instruction ID: 2c59d11fab2bda27253d02685c043fb1ef9450d88689bdad1bfabb5a9843de65
• Instruction Fuzzy Hash: D751F2B0900B04CFD7209F2A858478AFBF1BF49310F5049AED5AE8B711E778A945CF50
APIs
• VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003), ref: 6BD7DF14
• VerSetConditionMask.KERNEL32(00000000), ref: 6BD7DF1C
• VerifyVersionInfoW.KERNEL32(0000011C,00000003,00000000), ref: 6BD7DF2D
• GetSystemMetrics.USER32(00001000), ref: 6BD7DF3E
  • Part of subcall function 6BD7DF74: __EH_prolog3.LIBCMT ref: 6BD7DF7B
  • Part of subcall function 6BD7DF74: GetSysColor.USER32(00000016), ref: 6BD7DF84
  • Part of subcall function 6BD7DF74: GetSysColor.USER32(0000000F), ref: 6BD7DF97
  • Part of subcall function 6BD7DF74: GetSysColor.USER32(00000015), ref: 6BD7DFAE
  • Part of subcall function 6BD7DF74: GetSysColor.USER32(0000000F), ref: 6BD7DFBA
  • Part of subcall function 6BD7DF74: GetDeviceCaps.GDI32(?,0000000C), ref: 6BD7DFE2
  • Part of subcall function 6BD7DF74: GetSysColor.USER32(0000000F), ref: 6BD7DFF0
  • Part of subcall function 6BD7DF74: GetSysColor.USER32(00000010), ref: 6BD7DFFE
  • Part of subcall function 6BD7DF74: GetSysColor.USER32(00000015), ref: 6BD7E00C
  • Part of subcall function 6BD7DF74: GetSysColor.USER32(00000016), ref: 6BD7E01A
  • Part of subcall function 6BD7DF74: GetSysColor.USER32(00000014), ref: 6BD7E028
  • Part of subcall function 6BD7DF74: GetSysColor.USER32(00000012), ref: 6BD7E036
  • Part of subcall function 6BD7DF74: GetSysColor.USER32(00000011), ref: 6BD7E044
  • Part of subcall function 6BD7DF74: GetSysColor.USER32(00000006), ref: 6BD7E04F
  • Part of subcall function 6BD7DF74: GetSysColor.USER32(0000000D), ref: 6BD7E05A
  • Part of subcall function 6BD7DF74: GetSysColor.USER32(0000000E), ref: 6BD7E065
  • Part of subcall function 6BD7DF74: GetSysColor.USER32(00000005), ref: 6BD7E070
  • Part of subcall function 6BD7DF74: GetSysColor.USER32(00000008), ref: 6BD7E07E
  • Part of subcall function 6BD7DF74: GetSysColor.USER32(00000009), ref: 6BD7E089
  • Part of subcall function 6BD7DF74: GetSysColor.USER32(00000007), ref: 6BD7E094
  • Part of subcall function 6BD7DF74: GetSysColor.USER32(00000002), ref: 6BD7E09F
  • Part of subcall function 6BD7DF74: GetSysColor.USER32(00000003), ref: 6BD7E0AA
  • Part of subcall function 6BD7DF74: GetSysColor.USER32(0000001B), ref: 6BD7E0B8
  • Part of subcall function 6BD7DF74: GetSysColor.USER32(0000001C), ref: 6BD7E0C6
  • Part of subcall function 6BD7DF74: GetSysColor.USER32(0000000A), ref: 6BD7E0D4
  • Part of subcall function 6BD7E392: __EH_prolog3_GS.LIBCMT ref: 6BD7E39C
  • Part of subcall function 6BD7E392: GetDeviceCaps.GDI32(?,00000058), ref: 6BD7E3BC
  • Part of subcall function 6BD7E392: DeleteObject.GDI32(00000000), ref: 6BD7E418
  • Part of subcall function 6BD7E392: DeleteObject.GDI32(00000000), ref: 6BD7E436
  • Part of subcall function 6BD7E392: DeleteObject.GDI32(00000000), ref: 6BD7E454
  • Part of subcall function 6BD7E392: DeleteObject.GDI32(00000000), ref: 6BD7E472
  • Part of subcall function 6BD7E392: DeleteObject.GDI32(00000000), ref: 6BD7E490
  • Part of subcall function 6BD7E392: DeleteObject.GDI32(00000000), ref: 6BD7E4AE
  • Part of subcall function 6BD7E392: DeleteObject.GDI32(00000000), ref: 6BD7E4CC
  • Part of subcall function 6BD7E392: DeleteObject.GDI32(00000000), ref: 6BD7E4EA
  • Part of subcall function 6BD7E8B1: GetSystemMetrics.USER32(00000031), ref: 6BD7E8BF
  • Part of subcall function 6BD7E8B1: GetSystemMetrics.USER32(00000032), ref: 6BD7E8CD
  • Part of subcall function 6BD7E8B1: SetRectEmpty.USER32(?), ref: 6BD7E8E0
  • Part of subcall function 6BD7E8B1: EnumDisplayMonitors.USER32(00000000,00000000,6BD7F089,?,?,?), ref: 6BD7E8F0
  • Part of subcall function 6BD7E8B1: SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 6BD7E8FF
  • Part of subcall function 6BD7E8B1: SystemParametersInfoW.USER32(00001002,00000000,?,00000000), ref: 6BD7E92C
  • Part of subcall function 6BD7E8B1: SystemParametersInfoW.USER32(00001012,00000000,?,00000000), ref: 6BD7E940
  • Part of subcall function 6BD7E8B1: SystemParametersInfoW.USER32(0000100A,00000000,?,00000000), ref: 6BD7E966
Memory Dump Source
• Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
• Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
Similarity
• API ID: Color$DeleteObject$System$Info$Parameters$Metrics$CapsConditionDeviceMask$DisplayEmptyEnumH_prolog3H_prolog3_MonitorsRectVerifyVersion
• String ID:
• API String ID: 2442922003-0
• Opcode ID: de181eeb6ae7485c7e078108e54bbf92979f8a6e59e64e22d686985923e9675f
• Instruction ID: 7a36857e5151a76b9acf6f57fa916c1638cacffc93e50414a9c29e8b5fdaa21b
• Instruction Fuzzy Hash: C21177B0A50318ABDB25AF71DC56FEAB7BCEB89714F40446DF1459B181CBB44A448BE0
APIs
• _malloc.LIBCMT ref: 10006F31
  • Part of subcall function 10006E83: __FF_MSGBANNER.LIBCMT ref: 10006E9C
  • Part of subcall function 10006E83: __NMSG_WRITE.LIBCMT ref: 10006EA3
  • Part of subcall function 10006E83: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,10009FB0,00000000,00000001,00000000,?,1000C0CF,00000018,10017C70,0000000C,1000C15F), ref: 10006EC8
• std::exception::exception.LIBCMT ref: 10006F66
• std::exception::exception.LIBCMT ref: 10006F80
• __CxxThrowException@8.LIBCMT ref: 10006F91
Memory Dump Source
• Source File: 00000003.00000002.3543076303.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000003.00000002.3543056647.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.3543099965.0000000010015000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.3543119921.0000000010019000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.3543139437.000000001001F000.00000020.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.3543159334.0000000010021000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_10000000_Update.jbxd
Similarity
• API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
• String ID:
• API String ID: 615853336-0
• Opcode ID: d1b741ba0380379decb7d1b22a74743c7f5a7046d8fc72408544d039aac17dad
• Instruction ID: bc3bc25b656f4220cb3330c80879dd0d2e796a6a37b49e0188f73f67aa49fa4f
• Instruction Fuzzy Hash: C5F02D3980425BAAFB00DBA4DC91AAD3AE7EB496C0F300025F4149E0D5DFB1EBC0C740
APIs
• SetFileAttributesA.KERNEL32 ref: 6BD51AE3
Strings
Memory Dump Source
• Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
• Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
Similarity
• API ID: AttributesFile
• String ID: "$@
• API String ID: 3188754299-1136454570
• Opcode ID: c826eb35d18f0d698fb44479f1e23aee49064793748973c5f341329d24cc57dd
• Instruction ID: 95b1d789eb54cff5d0325a7428b37d4ac94803d4ef88e6457a8c14999256fb58
                                                                          • Opcode Fuzzy Hash: c826eb35d18f0d698fb44479f1e23aee49064793748973c5f341329d24cc57dd
                                                                          • Instruction Fuzzy Hash: 3D316F71500B04DFC720DF78D545B86BBF0FF05768F008A2DD49A8B691DB38AA58CBA5
                                                                          APIs
                                                                          • GetCurrentThreadId.KERNEL32 ref: 0421316B
                                                                          • InterlockedExchange.KERNEL32(?,00000001), ref: 04213183
                                                                          • GetCurrentThreadId.KERNEL32 ref: 0421322F
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3542553864.0000000004210000.00000040.00001000.00020000.00000000.sdmp, Offset: 04210000, based on PE: true
                                                                          • Associated: 00000003.00000002.3542553864.0000000004244000.00000040.00001000.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_4210000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentThread$ExchangeInterlocked
                                                                          • String ID:
                                                                          • API String ID: 4033114805-0
                                                                          • Opcode ID: 2c94fe0c1f85138343f70a9bcdca043269d4f2ad2efc50adc7aa91dda90dfc0c
                                                                          • Instruction ID: 72368e282fae4bbfba8199677c698901fdaf9f7551e8856ae976d172fba54904
                                                                          • Opcode Fuzzy Hash: 2c94fe0c1f85138343f70a9bcdca043269d4f2ad2efc50adc7aa91dda90dfc0c
                                                                          • Instruction Fuzzy Hash: E4318870320602AFE718DF69C984A66B3E6FF58309B10C52CE95A8B625E731FC41CB90
                                                                          APIs
                                                                          • __floor_pentium4.LIBCMT ref: 100011E9
                                                                          • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 10001226
                                                                          • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 10001255
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543076303.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543056647.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                          • Associated: 00000003.00000002.3543099965.0000000010015000.00000002.00001000.00020000.00000000.sdmp
                                                                          • Associated: 00000003.00000002.3543119921.0000000010019000.00000004.00001000.00020000.00000000.sdmp
                                                                          • Associated: 00000003.00000002.3543139437.000000001001F000.00000020.00001000.00020000.00000000.sdmp
                                                                          • Associated: 00000003.00000002.3543159334.0000000010021000.00000002.00001000.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_10000000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Virtual$AllocFree__floor_pentium4
                                                                          • String ID:
                                                                          • API String ID: 2605973128-0
                                                                          • Opcode ID: 7c8a02711727f2d10f68a554ded2e2394815aae473f82a087a4a6f69535250f3
                                                                          • Instruction ID: 68b1d39f7c788df30121c4cd9fa650265093b70568a06a1b8131812e88253602
                                                                          • Opcode Fuzzy Hash: 7c8a02711727f2d10f68a554ded2e2394815aae473f82a087a4a6f69535250f3
                                                                          • Instruction Fuzzy Hash: EB21D170A00709AFEB14DFA9DC85B9EFBF4FF44745F00C5ADE949E2644EA30A8108790
                                                                          APIs
                                                                          • __floor_pentium4.LIBCMT ref: 042111E9
                                                                          • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 04211226
                                                                          • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 04211255
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3542553864.0000000004210000.00000040.00001000.00020000.00000000.sdmp, Offset: 04210000, based on PE: true
                                                                          • Associated: 00000003.00000002.3542553864.0000000004244000.00000040.00001000.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_4210000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Virtual$AllocFree__floor_pentium4
                                                                          • String ID:
                                                                          • API String ID: 2605973128-0
                                                                          • Opcode ID: 6c773f551fc871c649a8ae3c13550db7421fe9495124aaa862f04aa94481b521
                                                                          • Instruction ID: 09fa8169cd4b44ce363ce80eff04c8e5260fcece4f78b7128896d2867ac21205
                                                                          • Opcode Fuzzy Hash: 6c773f551fc871c649a8ae3c13550db7421fe9495124aaa862f04aa94481b521
                                                                          • Instruction Fuzzy Hash: D121CF70B10309AFDB109FADE845B6EFBF8EF44705F0089A9E949E3650EA34B8508710
                                                                          APIs
                                                                          • __floor_pentium4.LIBCMT ref: 1000112F
                                                                          • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 1000115F
                                                                          • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 10001192
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543076303.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543056647.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                          • Associated: 00000003.00000002.3543099965.0000000010015000.00000002.00001000.00020000.00000000.sdmp
                                                                          • Associated: 00000003.00000002.3543119921.0000000010019000.00000004.00001000.00020000.00000000.sdmp
                                                                          • Associated: 00000003.00000002.3543139437.000000001001F000.00000020.00001000.00020000.00000000.sdmp
                                                                          • Associated: 00000003.00000002.3543159334.0000000010021000.00000002.00001000.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_10000000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Virtual$AllocFree__floor_pentium4
                                                                          • String ID:
                                                                          • API String ID: 2605973128-0
                                                                          • Opcode ID: 9a9a6dbc4d50d479c69aa6d6b662a424f68bc22565965440325d2e32c173b15c
                                                                          • Instruction ID: ccfbffdb8cfccccbf267e057733e19453fb850e329b77576dd89ff791b5dae30
                                                                          • Opcode Fuzzy Hash: 9a9a6dbc4d50d479c69aa6d6b662a424f68bc22565965440325d2e32c173b15c
                                                                          • Instruction Fuzzy Hash: 77119670A00709ABEB14DFA9DC86B9EF7F4FF04745F008569EE59D2240E671A9148750
                                                                          APIs
                                                                          • __floor_pentium4.LIBCMT ref: 0421112F
                                                                          • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 0421115F
                                                                          • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 04211192
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3542553864.0000000004210000.00000040.00001000.00020000.00000000.sdmp, Offset: 04210000, based on PE: true
                                                                          • Associated: 00000003.00000002.3542553864.0000000004244000.00000040.00001000.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_4210000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Virtual$AllocFree__floor_pentium4
                                                                          • String ID:
                                                                          • API String ID: 2605973128-0
                                                                          • Opcode ID: 4613b305d1c23c152a9fc03d40dba6744665905e559babe83ceddea8905639e8
                                                                          • Instruction ID: 01e1acce672c27422922931a493ec76372ef77534249cd91c12c61ca2b1faaf3
                                                                          • Opcode Fuzzy Hash: 4613b305d1c23c152a9fc03d40dba6744665905e559babe83ceddea8905639e8
                                                                          • Instruction Fuzzy Hash: C311D370B10309AFDB109FA9DC86B6EFBF8FF04705F0084A9ED59E3250E674A9108710
                                                                          APIs
                                                                          • GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 04219E04
                                                                          • GdipDisposeImage.GDIPLUS(?), ref: 04219E18
                                                                          • GdipDisposeImage.GDIPLUS(?), ref: 04219E3B
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3542553864.0000000004210000.00000040.00001000.00020000.00000000.sdmp, Offset: 04210000, based on PE: true
                                                                          • Associated: 00000003.00000002.3542553864.0000000004244000.00000040.00001000.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_4210000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Gdip$DisposeImage$BitmapCreateFromStream
                                                                          • String ID:
                                                                          • API String ID: 800915452-0
                                                                          • Opcode ID: e8f647c6c433ef54049ac2b1fe181c8782e6e9d0188527459c45bc79f1e050b7
                                                                          • Instruction ID: d69689678dea6ef1fb82343d3fe4705b3044dc8c7c7e248eada29c1a47c10ab2
                                                                          • Opcode Fuzzy Hash: e8f647c6c433ef54049ac2b1fe181c8782e6e9d0188527459c45bc79f1e050b7
                                                                          • Instruction Fuzzy Hash: BBF0A4B1A1022DE7CB10EF98E8588AFF7B8EB54715B00419AFC05A7350D634AF45CBE1
                                                                          APIs
                                                                          • EnterCriticalSection.KERNEL32(0423FB64), ref: 04219ADC
                                                                          • GdiplusStartup.GDIPLUS(0423FB60,?,?), ref: 04219B15
                                                                          • LeaveCriticalSection.KERNEL32(0423FB64), ref: 04219B26
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3542553864.0000000004210000.00000040.00001000.00020000.00000000.sdmp, Offset: 04210000, based on PE: true
                                                                          • Associated: 00000003.00000002.3542553864.0000000004244000.00000040.00001000.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_4210000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: CriticalSection$EnterGdiplusLeaveStartup
                                                                          • String ID:
                                                                          • API String ID: 389129658-0
                                                                          • Opcode ID: 6f0901599a90fece6f8c4f3f46c7f71bb2cd892c71bffc6cbc3a386fa9406f7b
                                                                          • Instruction ID: fff15fb95a31dd82a36be2fbeb9a1a2a93aa47cb6d413a18aa5c91eb393d337a
                                                                          • Opcode Fuzzy Hash: 6f0901599a90fece6f8c4f3f46c7f71bb2cd892c71bffc6cbc3a386fa9406f7b
                                                                          • Instruction Fuzzy Hash: 1AF062F5F512099BDB00DFD9F96ABAAB7F8F708306F4001D9D50452140D7766548CBA1
                                                                          APIs
                                                                          • DeleteFileW.KERNEL32(6BEB5E01,?,6BEB5E01,00000007), ref: 6BEC2E91
                                                                          • GetLastError.KERNEL32(?,6BEB5E01,00000007), ref: 6BEC2E9B
                                                                          • __dosmaperr.LIBCMT ref: 6BEC2EA2
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: DeleteErrorFileLast__dosmaperr
                                                                          • String ID:
                                                                          • API String ID: 1545401867-0
                                                                          • Opcode ID: 7413f56fe1ea0c44c5ca3d48eb7f485cd72ffab69df1b07bb05cc4412759ce81
                                                                          • Instruction ID: 4e7b5f831c88fd9870733cb88bb13f595d834505e9032151ff6d277aaf3cae42
                                                                          • Opcode Fuzzy Hash: 7413f56fe1ea0c44c5ca3d48eb7f485cd72ffab69df1b07bb05cc4412759ce81
                                                                          • Instruction Fuzzy Hash: D6D01233158108AB8F011AF5AC0A91B3F9CEA813B87651A69F52DC95B0DF76C4649561
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543076303.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543056647.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                          • Associated: 00000003.00000002.3543099965.0000000010015000.00000002.00001000.00020000.00000000.sdmp
                                                                          • Associated: 00000003.00000002.3543119921.0000000010019000.00000004.00001000.00020000.00000000.sdmp
                                                                          • Associated: 00000003.00000002.3543139437.000000001001F000.00000020.00001000.00020000.00000000.sdmp
                                                                          • Associated: 00000003.00000002.3543159334.0000000010021000.00000002.00001000.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_10000000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Sleep
                                                                          • String ID: 118.107.44.219$19091
                                                                          • API String ID: 3472027048-838246116
                                                                          • Opcode ID: 4513ec0b7f0e3245ec74d41a3833d4d9c4567df1cbadf7205a2421670dd53040
                                                                          • Instruction ID: d4922cd372dd7236031f7b79510b5f56ce2b8beeb54c8bf7640301d5853f9da9
                                                                          • Opcode Fuzzy Hash: 4513ec0b7f0e3245ec74d41a3833d4d9c4567df1cbadf7205a2421670dd53040
                                                                          • Instruction Fuzzy Hash: C9D023F0604871CBE928C500DC5447A7375F7C42513940105FC479B144CB74FC08D550
                                                                          APIs
                                                                          • __getptd_noexit.LIBCMT ref: 1000715B
                                                                            • Part of subcall function 10009896: GetLastError.KERNEL32(00000001,00000000,10007112,10006F0C,00000000,?,10009FB0,00000000,00000001,00000000,?,1000C0CF,00000018,10017C70,0000000C,1000C15F), ref: 1000989A
                                                                            • Part of subcall function 10009896: ___set_flsgetvalue.LIBCMT ref: 100098A8
                                                                            • Part of subcall function 10009896: __calloc_crt.LIBCMT ref: 100098BC
                                                                            • Part of subcall function 10009896: DecodePointer.KERNEL32(00000000,?,10009FB0,00000000,00000001,00000000,?,1000C0CF,00000018,10017C70,0000000C,1000C15F,00000000,00000000,?,100099BA), ref: 100098D6
                                                                            • Part of subcall function 10009896: GetCurrentThreadId.KERNEL32 ref: 100098EC
                                                                            • Part of subcall function 10009896: SetLastError.KERNEL32(00000000,?,10009FB0,00000000,00000001,00000000,?,1000C0CF,00000018,10017C70,0000000C,1000C15F,00000000,00000000,?,100099BA), ref: 10009904
                                                                          • __freeptd.LIBCMT ref: 10007165
                                                                            • Part of subcall function 10009A58: TlsGetValue.KERNEL32(?,?,10007711,00000000,10017B60,00000008,10007776,?,?,?,10017B80,0000000C,10007831,?), ref: 10009A79
                                                                            • Part of subcall function 10009A58: TlsGetValue.KERNEL32(?,?,10007711,00000000,10017B60,00000008,10007776,?,?,?,10017B80,0000000C,10007831,?), ref: 10009A8B
                                                                            • Part of subcall function 10009A58: DecodePointer.KERNEL32(00000000,?,10007711,00000000,10017B60,00000008,10007776,?,?,?,10017B80,0000000C,10007831,?), ref: 10009AA1
                                                                            • Part of subcall function 10009A58: __freefls@4.LIBCMT ref: 10009AAC
                                                                            • Part of subcall function 10009A58: TlsSetValue.KERNEL32(00000028,00000000,?,10007711,00000000,10017B60,00000008,10007776,?,?,?,10017B80,0000000C,10007831,?), ref: 10009ABE
                                                                          • ExitThread.KERNEL32 ref: 1000716E
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543076303.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543056647.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                          • Associated: 00000003.00000002.3543099965.0000000010015000.00000002.00001000.00020000.00000000.sdmp
                                                                          • Associated: 00000003.00000002.3543119921.0000000010019000.00000004.00001000.00020000.00000000.sdmp
                                                                          • Associated: 00000003.00000002.3543139437.000000001001F000.00000020.00001000.00020000.00000000.sdmp
                                                                          • Associated: 00000003.00000002.3543159334.0000000010021000.00000002.00001000.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_10000000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Value$DecodeErrorLastPointerThread$CurrentExit___set_flsgetvalue__calloc_crt__freefls@4__freeptd__getptd_noexit
                                                                          • String ID:
                                                                          • API String ID: 4224061863-0
                                                                          • Opcode ID: 13d03437f215ed93d40a7d70e196fa756bd6aa96be3d41e5933ba2785ed1d9c5
                                                                          • Instruction ID: 88b9861ec1dd8ad2b25034eab61c1c94f8d4b81d5381debfb6d8fd2c6c03db1f
                                                                          • Opcode Fuzzy Hash: 13d03437f215ed93d40a7d70e196fa756bd6aa96be3d41e5933ba2785ed1d9c5
                                                                          • Instruction Fuzzy Hash: 79C02B3050060C7BFB00A776CC0E95F3A8DDF811C1F668010F80CC5159EE38FC008291
                                                                          APIs
                                                                          • __EH_prolog3.LIBCMT ref: 6BD7DB62
                                                                            • Part of subcall function 6BD7DEB7: VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003), ref: 6BD7DF14
                                                                            • Part of subcall function 6BD7DEB7: VerSetConditionMask.KERNEL32(00000000), ref: 6BD7DF1C
                                                                            • Part of subcall function 6BD7DEB7: VerifyVersionInfoW.KERNEL32(0000011C,00000003,00000000), ref: 6BD7DF2D
                                                                            • Part of subcall function 6BD7DEB7: GetSystemMetrics.USER32(00001000), ref: 6BD7DF3E
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: ConditionMask$H_prolog3InfoMetricsSystemVerifyVersion
                                                                          • String ID: k
                                                                          • API String ID: 2710481357-3262892333
                                                                          • Opcode ID: 1beaeeef9c7be920097850183d1042e8283ab3e48c74f0efb28acd2e82439bd5
                                                                          • Instruction ID: 469c65c1ba17c0994711e3c176d7b7103a7d62e01ced50babf0cbb6ab492a7dc
                                                                          • Opcode Fuzzy Hash: 1beaeeef9c7be920097850183d1042e8283ab3e48c74f0efb28acd2e82439bd5
                                                                          • Instruction Fuzzy Hash: BA51DEB0945F458FD3A9CF3A85417C6FAE0BF89310F108A2E91AED6660EB756184CF51
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                           • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 306e1ebb42346c8a9afe0bb30c037b517aa085d7c41ceaa63e7f4b4f1d012816
                                                                          • Instruction ID: d75863bf6cc3f2df46102e2edeb1c4deb0404adc98773faec32928ceabbec26c
                                                                          • Opcode Fuzzy Hash: 306e1ebb42346c8a9afe0bb30c037b517aa085d7c41ceaa63e7f4b4f1d012816
                                                                          • Instruction Fuzzy Hash: 16E159B8604B00DFD364CF29C580B96BBE1BF49714F11896EE9AACB761E734B844CB51
                                                                          APIs
                                                                          • VirtualAlloc.KERNEL32(00000000,?,00001000,00000040), ref: 0409022B
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3542491120.0000000004090000.00000040.00001000.00020000.00000000.sdmp, Offset: 04090000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_4090000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: AllocVirtual
                                                                          • String ID:
                                                                          • API String ID: 4275171209-0
                                                                          • Opcode ID: 173a0753eb1870a11fb702d1a013be029f39be02b255bbe32865f3a9974466fd
                                                                          • Instruction ID: c1f8126511db5a7ec2863a9d4c02160150d88ea0ad963fb894e50156463c11f2
                                                                          • Opcode Fuzzy Hash: 173a0753eb1870a11fb702d1a013be029f39be02b255bbe32865f3a9974466fd
                                                                          • Instruction Fuzzy Hash: 96A15870A00606EFDF58CFA9C880AAEB7F5FF48704B148169E415EB251E730EE50DB90
                                                                          APIs
                                                                            • Part of subcall function 6BEC1934: GetConsoleOutputCP.KERNEL32(92806F5A,00000000,00000000,?), ref: 6BEC1997
                                                                          • WriteFile.KERNEL32(?,?,00000000,?,00000000,?,00000000,00000000,00000000,?,?,00000000,?,?,6BEB4695,?), ref: 6BEC170F
                                                                          • GetLastError.KERNEL32(?,6BEB4695,?,6BEB48D9,00000000,?,00000000,6BEB48D9,?,00000000,00000000,6BF2F810,0000002C,6BEB47C5,?), ref: 6BEC1719
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                           • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: ConsoleErrorFileLastOutputWrite
                                                                          • String ID:
                                                                          • API String ID: 2915228174-0
                                                                          • Opcode ID: f2553723870670795e186c9aa51fa27d3be8f4e14b0df0e75892398c7ad7b076
                                                                          • Instruction ID: 99c57a7f1c042494c40d82512c2e491fd58f9e2e7bbb723942a065b227bc349d
                                                                          • Opcode Fuzzy Hash: f2553723870670795e186c9aa51fa27d3be8f4e14b0df0e75892398c7ad7b076
                                                                          • Instruction Fuzzy Hash: FC619671D04129AEDF01CFE8CA44AEF7BBAAF06308F240189E924A7351D779D9158B93
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543076303.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                           • Associated: 00000003.00000002.3543056647.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                           • Associated: 00000003.00000002.3543099965.0000000010015000.00000002.00001000.00020000.00000000.sdmp
                                                                           • Associated: 00000003.00000002.3543119921.0000000010019000.00000004.00001000.00020000.00000000.sdmp
                                                                           • Associated: 00000003.00000002.3543139437.000000001001F000.00000020.00001000.00020000.00000000.sdmp
                                                                           • Associated: 00000003.00000002.3543159334.0000000010021000.00000002.00001000.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_10000000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Time_memmovetime
                                                                          • String ID:
                                                                          • API String ID: 1463837790-0
                                                                          • Opcode ID: aa203b2cbda9aec0713802ee616a91a989bc0421ef3b69a448573314bddc25cc
                                                                          • Instruction ID: 7472951ecdc6142c721ad3348498c8fe017ad8d952fa801f9fd3c423b9f36496
                                                                          • Opcode Fuzzy Hash: aa203b2cbda9aec0713802ee616a91a989bc0421ef3b69a448573314bddc25cc
                                                                          • Instruction Fuzzy Hash: A5519F767006029FE316CF69C8C0A9BB7A9FF48294715C669E919CB709DB31FC51CB90
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3542553864.0000000004210000.00000040.00001000.00020000.00000000.sdmp, Offset: 04210000, based on PE: true
                                                                           • Associated: 00000003.00000002.3542553864.0000000004244000.00000040.00001000.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_4210000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Time_memmovetime
                                                                          • String ID:
                                                                          • API String ID: 1463837790-0
                                                                          • Opcode ID: a3d833863ed1eb0bfc85eeb36084a94974dd03f4326ce01355d9c179990961bd
                                                                          • Instruction ID: 918f3744220775e4dd314aa59abff3464cf8905703547e3e5244dc121c3f8b88
                                                                          • Opcode Fuzzy Hash: a3d833863ed1eb0bfc85eeb36084a94974dd03f4326ce01355d9c179990961bd
                                                                          • Instruction Fuzzy Hash: EF5190727202069FE711DFA9C8C0A6AF7EABF68214714866CED19CB715D731F851CB90
                                                                          APIs
                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 6BD398FD
                                                                            • Part of subcall function 6BD39C00: std::_Lockit::_Lockit.LIBCPMT ref: 6BD39C27
                                                                            • Part of subcall function 6BD39C00: std::_Lockit::~_Lockit.LIBCPMT ref: 6BD39C75
                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 6BD399F9
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                           • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Lockitstd::_$Lockit::_Lockit::~_
                                                                          • String ID:
                                                                          • API String ID: 593203224-0
                                                                          • Opcode ID: b73fea1c2bd701ef61bb947faf35b304a331280ff0857b61ab2551ae14aa0a4a
                                                                          • Instruction ID: 1abfecc2fb67967ba86b5d39eb1e02a0caf9244054b39b851bed3042e7ab73c1
                                                                          • Opcode Fuzzy Hash: b73fea1c2bd701ef61bb947faf35b304a331280ff0857b61ab2551ae14aa0a4a
                                                                          • Instruction Fuzzy Hash: 6441E875D01218DFCB04DFA8D591ADDBBF0BF0A720F104129E856AB352DB39AA44CFA1
                                                                          APIs
                                                                          • __RTC_Initialize.LIBCMT ref: 6BEA1962
                                                                            • Part of subcall function 6BEA1D0E: InitializeSListHead.KERNEL32(6BF3A058,6BEA196C,6BF2F578,00000010,6BEA1B05,?,00000000,?,00000007,6BF2F598,00000010,6BEA1B18,?,?,6BEA1BA1,?), ref: 6BEA1D13
                                                                          • ___scrt_is_nonwritable_in_current_image.LIBCMT ref: 6BEA19CC
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                           • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Initialize$HeadList___scrt_is_nonwritable_in_current_image
                                                                          • String ID:
                                                                          • API String ID: 3231365870-0
                                                                          • Opcode ID: f81551c256819d3b81300267cecab92376b3a0c047b64f16d8f3ab80d787fbc4
                                                                          • Instruction ID: 61f281460b62b45ae693ded5f88d998be881175fd053e49f99870b0e936a99f6
                                                                          • Opcode Fuzzy Hash: f81551c256819d3b81300267cecab92376b3a0c047b64f16d8f3ab80d787fbc4
                                                                          • Instruction Fuzzy Hash: EF212672648364ABDB106BF898037CC33A9AF072AEF20085DD4426F2D1EB6E8105C277
                                                                          APIs
                                                                          • select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 10003023
                                                                          • recv.WS2_32(?,?,00040000,00000000), ref: 10003044
                                                                            • Part of subcall function 1000710D: __getptd_noexit.LIBCMT ref: 1000710D
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543076303.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                           • Associated: 00000003.00000002.3543056647.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                           • Associated: 00000003.00000002.3543099965.0000000010015000.00000002.00001000.00020000.00000000.sdmp
                                                                           • Associated: 00000003.00000002.3543119921.0000000010019000.00000004.00001000.00020000.00000000.sdmp
                                                                           • Associated: 00000003.00000002.3543139437.000000001001F000.00000020.00001000.00020000.00000000.sdmp
                                                                           • Associated: 00000003.00000002.3543159334.0000000010021000.00000002.00001000.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_10000000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: __getptd_noexitrecvselect
                                                                          • String ID:
                                                                          • API String ID: 4248608111-0
                                                                          • Opcode ID: 5f82ec4551d51fc2b9ede6d926e0403675d3e155566f9d28381eb2444e2c218b
                                                                          • Instruction ID: 1cbb114b02e0d86a534962cf0a51f77a1151a50c8d60f66bd4e8238187776ab9
                                                                          • Opcode Fuzzy Hash: 5f82ec4551d51fc2b9ede6d926e0403675d3e155566f9d28381eb2444e2c218b
                                                                          • Instruction Fuzzy Hash: 7F21E770A01318EBFB11DF64DC95B9B73B8EF053D0F1081A5E5095B199DBB1AD84CBA1
                                                                          APIs
                                                                          • WriteFile.KERNEL32(?,?,?,?,00000000,00000000,00000000,?,?,6BEC16F5,00000000,6BEB48D9,?,00000000,?,00000000), ref: 6BEC1DFF
                                                                          • GetLastError.KERNEL32(?,6BEC16F5,00000000,6BEB48D9,?,00000000,?,00000000,00000000,00000000,?,?,00000000,?,?,6BEB4695), ref: 6BEC1E25
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                           • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorFileLastWrite
                                                                          • String ID:
                                                                          • API String ID: 442123175-0
                                                                          • Opcode ID: 9bcd0ff638e2e6400d2a8c78d73b6cff31953a8b0e0c9649a13dc4db5d108059
                                                                          • Instruction ID: 8484939cb176bd6c9e9319d0a0c71b543b2332f612f8792fec790922c1af6eed
                                                                          • Opcode Fuzzy Hash: 9bcd0ff638e2e6400d2a8c78d73b6cff31953a8b0e0c9649a13dc4db5d108059
                                                                          • Instruction Fuzzy Hash: B521B130A002289FCB15CF69C980ADAB7B6FF49305F2044A9EA16D7211D734DE86CB62
                                                                          APIs
                                                                          • __RTC_Initialize.LIBCMT ref: 6BEA1A63
                                                                          • ___scrt_uninitialize_crt.LIBCMT ref: 6BEA1A7D
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                           • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Initialize___scrt_uninitialize_crt
                                                                          • String ID:
                                                                          • API String ID: 2442719207-0
                                                                          • Opcode ID: e1f5878240b47572d23854be4d4903c5a7f6e68e30a17aa61a339636a0382ceb
                                                                          • Instruction ID: 88963a7b97d8e27684c0ae9325b6445e0fd2ce05e922f5663e5f75c976c3aa5f
                                                                          • Opcode Fuzzy Hash: e1f5878240b47572d23854be4d4903c5a7f6e68e30a17aa61a339636a0382ceb
                                                                          • Instruction Fuzzy Hash: 6A215B72A48665EBDB009FFCC40279D37ADEF0776AF20411ED0119E180EB7D8601C7A2
                                                                          APIs
                                                                          • send.WS2_32(?,?,00040000,00000000), ref: 04213291
                                                                          • send.WS2_32(?,?,?,00000000), ref: 042132CE
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3542553864.0000000004210000.00000040.00001000.00020000.00000000.sdmp, Offset: 04210000, based on PE: true
                                                                           • Associated: 00000003.00000002.3542553864.0000000004244000.00000040.00001000.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_4210000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: send
                                                                          • String ID:
                                                                          • API String ID: 2809346765-0
                                                                          • Opcode ID: 3a8bb6ac38ab36263aaece3a1f5d79e883c0d8b2c5c5ebf76d7e96388e68354b
                                                                          • Instruction ID: 7b66293ed92c72e642300319bf8a89fe3c5fe040f300ec4efb805d3d574e65a5
                                                                          • Opcode Fuzzy Hash: 3a8bb6ac38ab36263aaece3a1f5d79e883c0d8b2c5c5ebf76d7e96388e68354b
                                                                          • Instruction Fuzzy Hash: EE11E572B11304B7F720DA6EDC88B5AB7EAFBA1364F204075ED0CD72A0DA74BD418650
                                                                          APIs
                                                                          • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000002,?,00000000,?,?,?,6BEBF7A7,00000000,?,?,00000002,00000000), ref: 6BEBF92B
                                                                          • GetLastError.KERNEL32(00000000,?,6BEBF7A7,00000000,?,?,00000002,00000000,?,6BEC162F,?,00000000,00000000,00000002,?,?), ref: 6BEBF938
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorFileLastPointer
                                                                          • String ID:
                                                                          • API String ID: 2976181284-0
                                                                          • Opcode ID: c5c681780add02ff80420947b77b8e96a7a99010097f68efe130b9f0173e5b96
                                                                          • Instruction ID: 60411eac768d3186a261fac3b9c8f31d2a198c07cda44da9a09600bbb77017cf
                                                                          • Opcode Fuzzy Hash: c5c681780add02ff80420947b77b8e96a7a99010097f68efe130b9f0173e5b96
                                                                          • Instruction Fuzzy Hash: EE012236610615BFCF058FA9CD15D9E3B6AEF86334B340259F8109B2A0E779EA51CBD0
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543076303.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543056647.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                          • Associated: 00000003.00000002.3543099965.0000000010015000.00000002.00001000.00020000.00000000.sdmp
                                                                          • Associated: 00000003.00000002.3543119921.0000000010019000.00000004.00001000.00020000.00000000.sdmp
                                                                          • Associated: 00000003.00000002.3543139437.000000001001F000.00000020.00001000.00020000.00000000.sdmp
                                                                          • Associated: 00000003.00000002.3543159334.0000000010021000.00000002.00001000.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_10000000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: SleepTimetime
                                                                          • String ID:
                                                                          • API String ID: 346578373-0
                                                                          • Opcode ID: 306b1d3a46dce6522edd8cfdaf26c6c38e0bc8121be3e04cf2ef1a2578d2637d
                                                                          • Instruction ID: 27fac5dcdbeed923c3366fb10e8a319fa95706dbc2a1d72b4a6ad2049d896b26
                                                                          • Opcode Fuzzy Hash: 306b1d3a46dce6522edd8cfdaf26c6c38e0bc8121be3e04cf2ef1a2578d2637d
                                                                          • Instruction Fuzzy Hash: B501DF31A00206AFE302DF65C8C4BABB3F9FB99381F108624D1018B294C771ADD6C7E1
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3542553864.0000000004210000.00000040.00001000.00020000.00000000.sdmp, Offset: 04210000, based on PE: true
                                                                          • Associated: 00000003.00000002.3542553864.0000000004244000.00000040.00001000.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_4210000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: SleepTimetime
                                                                          • String ID:
                                                                          • API String ID: 346578373-0
                                                                          • Opcode ID: 3c7a74d7b42940f5b7155bcc716841ad71640d308b022a2c34cdf2f89d98df56
                                                                          • Instruction ID: 5cc8e4afee1e81f80cc8aa08fc90db66e48f772707617956fbfa94bbcb631bc8
                                                                          • Opcode Fuzzy Hash: 3c7a74d7b42940f5b7155bcc716841ad71640d308b022a2c34cdf2f89d98df56
                                                                          • Instruction Fuzzy Hash: 69018F31710206AFE311CF69D8C8BA9B7F6FBA9311F144264D9049B2A0C775B9D6C7E1
                                                                          APIs
                                                                          • HeapCreate.KERNEL32(00000004,00000000,00000000,?,00000000,10005AF2), ref: 1000642B
                                                                          • _free.LIBCMT ref: 10006466
                                                                            • Part of subcall function 10001280: __CxxThrowException@8.LIBCMT ref: 10001290
                                                                            • Part of subcall function 10001280: DeleteCriticalSection.KERNEL32(00000000,?,10017E78), ref: 100012A1
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543076303.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543056647.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                          • Associated: 00000003.00000002.3543099965.0000000010015000.00000002.00001000.00020000.00000000.sdmp
                                                                          • Associated: 00000003.00000002.3543119921.0000000010019000.00000004.00001000.00020000.00000000.sdmp
                                                                          • Associated: 00000003.00000002.3543139437.000000001001F000.00000020.00001000.00020000.00000000.sdmp
                                                                          • Associated: 00000003.00000002.3543159334.0000000010021000.00000002.00001000.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_10000000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: CreateCriticalDeleteException@8HeapSectionThrow_free
                                                                          • String ID:
                                                                          • API String ID: 1116298128-0
                                                                          • Opcode ID: a128095ffdd49348268c3586f1fd9261e0840fd0acd737389bb6af715d81e8f7
                                                                          • Instruction ID: d75aab6d42964042dd9719b22c7254e4122bf8c787039a32894d973a0e8f9c7d
                                                                          • Opcode Fuzzy Hash: a128095ffdd49348268c3586f1fd9261e0840fd0acd737389bb6af715d81e8f7
                                                                          • Instruction Fuzzy Hash: D6017EF4A00B408FD321CF6A8884A47FAF9FF98750B104A1EE2DAC7A10D770A545CF55
                                                                          APIs
                                                                          • HeapCreate.KERNEL32(00000004,00000000,00000000,0421E04E,00000000,04219800,?,?,?,00000000,0423125B,000000FF,?,0421E04E), ref: 0421CD1B
                                                                          • _free.LIBCMT ref: 0421CD56
                                                                            • Part of subcall function 04211280: __CxxThrowException@8.LIBCMT ref: 04211290
                                                                            • Part of subcall function 04211280: DeleteCriticalSection.KERNEL32(00000000,0421D3E6,04236624,?,?,0421D3E6,?,?,?,?,04235A40,00000000), ref: 042112A1
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3542553864.0000000004210000.00000040.00001000.00020000.00000000.sdmp, Offset: 04210000, based on PE: true
                                                                          • Associated: 00000003.00000002.3542553864.0000000004244000.00000040.00001000.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_4210000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: CreateCriticalDeleteException@8HeapSectionThrow_free
                                                                          • String ID:
                                                                          • API String ID: 1116298128-0
                                                                          • Opcode ID: aefd3995d70e1cedf758e9a627775ebed02772f77670c686bcd4b82274fd2961
                                                                          • Instruction ID: ae5846c3946110ab424a07ea4c1c637ecd789e22122569486957919c544047e8
                                                                          • Opcode Fuzzy Hash: aefd3995d70e1cedf758e9a627775ebed02772f77670c686bcd4b82274fd2961
                                                                          • Instruction Fuzzy Hash: 15017EF0A00B409FD3309F6A9844A07FAF8FFA8700B104A1ED2DAC6A20D374A505CF55
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Yarn
                                                                          • String ID:
                                                                          • API String ID: 1767336200-0
                                                                          • Opcode ID: 86d8591e7f6ec4f7bd5898b00331ad25b1171ff6084ee1a7523429539f9c5961
                                                                          • Instruction ID: 33a87b53aebd60f752a49e4327ca0b012ef264de47ad3ae0a92e42f82f8208be
                                                                          • Opcode Fuzzy Hash: 86d8591e7f6ec4f7bd5898b00331ad25b1171ff6084ee1a7523429539f9c5961
                                                                          • Instruction Fuzzy Hash: 24E030323083006BEA18A775AC22BBA73D89B009A4F10003DE91E9A5D0EE65ED008561
                                                                          APIs
                                                                          • RtlFreeHeap.NTDLL(00000000,00000000,?,6BEAFC08,00000001,00000001), ref: 6BEB8F6D
                                                                          • GetLastError.KERNEL32(00000001,?,6BEAFC08,00000001,00000001), ref: 6BEB8F78
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorFreeHeapLast
                                                                          • String ID:
                                                                          • API String ID: 485612231-0
                                                                          • Opcode ID: efb68eb83cef4a02a1a5dab2386fd4e210b5835a2db09665e1977fe6e8c01572
                                                                          • Instruction ID: 66d0fdbb27379d26feb8d1a1f842465da76c0810f031bdbdc6626f4fdb367010
                                                                          • Opcode Fuzzy Hash: efb68eb83cef4a02a1a5dab2386fd4e210b5835a2db09665e1977fe6e8c01572
                                                                          • Instruction Fuzzy Hash: 9AE08632114208ABCF121BB199097693B9DEF41355F650068F6089A660D778C450C7D0
                                                                          APIs
                                                                          • CreateThread.KERNEL32(00000000,00000000,0421DF10,00000000,00000000,00000000), ref: 0421E49B
                                                                          • WaitForSingleObject.KERNEL32(00000000,000000FF,?,04221168,?,?,?,?,?,?,04236298,0000000C,04221210,?), ref: 0421E4A9
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3542553864.0000000004210000.00000040.00001000.00020000.00000000.sdmp, Offset: 04210000, based on PE: true
                                                                          • Associated: 00000003.00000002.3542553864.0000000004244000.00000040.00001000.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_4210000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: CreateObjectSingleThreadWait
                                                                          • String ID:
                                                                          • API String ID: 1891408510-0
                                                                          • Opcode ID: 45d3de8303bc1677b78b518a5dee9e761b972c228be41c65c3bcea584b5fa764
                                                                          • Instruction ID: 1c3a97556cb19a70f1c76b5c7fa733caaeb23e56534b7989fc706aa6a092554b
                                                                          • Opcode Fuzzy Hash: 45d3de8303bc1677b78b518a5dee9e761b972c228be41c65c3bcea584b5fa764
                                                                          • Instruction Fuzzy Hash: 6AE012B4764216FFDB10DA5CBC8CE3633ECD7543317104615B911C2290D979BDD08A70
                                                                          APIs
                                                                          • __getptd.LIBCMT ref: 10007181
                                                                            • Part of subcall function 1000990F: __getptd_noexit.LIBCMT ref: 10009912
                                                                            • Part of subcall function 1000990F: __amsg_exit.LIBCMT ref: 1000991F
                                                                            • Part of subcall function 10007156: __getptd_noexit.LIBCMT ref: 1000715B
                                                                            • Part of subcall function 10007156: __freeptd.LIBCMT ref: 10007165
                                                                            • Part of subcall function 10007156: ExitThread.KERNEL32 ref: 1000716E
                                                                          • __XcptFilter.LIBCMT ref: 100071A2
                                                                            • Part of subcall function 10009C41: __getptd_noexit.LIBCMT ref: 10009C47
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543076303.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543056647.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                          • Associated: 00000003.00000002.3543099965.0000000010015000.00000002.00001000.00020000.00000000.sdmp
                                                                          • Associated: 00000003.00000002.3543119921.0000000010019000.00000004.00001000.00020000.00000000.sdmp
                                                                          • Associated: 00000003.00000002.3543139437.000000001001F000.00000020.00001000.00020000.00000000.sdmp
                                                                          • Associated: 00000003.00000002.3543159334.0000000010021000.00000002.00001000.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_10000000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: __getptd_noexit$ExitFilterThreadXcpt__amsg_exit__freeptd__getptd
                                                                          • String ID:
                                                                          • API String ID: 418257734-0
                                                                          • Opcode ID: 297936fcc0dbf5f526c0e08448a2f351abf61589ee907ea93caa2c8fedee672a
                                                                          • Instruction ID: 91050fa4c4edb40f5b5d990f834f761f3b027d6385ed46559f27b3ea4901cb17
                                                                          • Opcode Fuzzy Hash: 297936fcc0dbf5f526c0e08448a2f351abf61589ee907ea93caa2c8fedee672a
                                                                          • Instruction Fuzzy Hash: 76E0ECB9904604DFF718DBA0C956E6E7775EF44241F210049F1015B2A6CB35B940DB24
                                                                          APIs
                                                                          • __getptd.LIBCMT ref: 0421F98F
                                                                            • Part of subcall function 04223E5B: __getptd_noexit.LIBCMT ref: 04223E5E
                                                                            • Part of subcall function 04223E5B: __amsg_exit.LIBCMT ref: 04223E6B
                                                                            • Part of subcall function 0421F964: __getptd_noexit.LIBCMT ref: 0421F969
                                                                            • Part of subcall function 0421F964: __freeptd.LIBCMT ref: 0421F973
                                                                            • Part of subcall function 0421F964: ExitThread.KERNEL32 ref: 0421F97C
                                                                          • __XcptFilter.LIBCMT ref: 0421F9B0
                                                                            • Part of subcall function 0422418F: __getptd_noexit.LIBCMT ref: 04224195
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3542553864.0000000004210000.00000040.00001000.00020000.00000000.sdmp, Offset: 04210000, based on PE: true
                                                                          • Associated: 00000003.00000002.3542553864.0000000004244000.00000040.00001000.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_4210000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: __getptd_noexit$ExitFilterThreadXcpt__amsg_exit__freeptd__getptd
                                                                          • String ID:
                                                                          • API String ID: 418257734-0
                                                                          • Opcode ID: 68f2989f7f5b1c9a9593d7f9a1b43d1294ff519b64492f608cba3522e959e2d7
                                                                          • Instruction ID: bbe42d2db825cc219d2aac0e726d896fb9f1967b039bc67ec13bfb2a53dc4427
                                                                          • Opcode Fuzzy Hash: 68f2989f7f5b1c9a9593d7f9a1b43d1294ff519b64492f608cba3522e959e2d7
                                                                          • Instruction Fuzzy Hash: D0E0E6B1A10610FFF718FBA0D905E7D77759F44615F210148E5016B260CB75B940DE10
                                                                          APIs
                                                                          • __lock.LIBCMT ref: 0422641B
                                                                            • Part of subcall function 04228E5B: __mtinitlocknum.LIBCMT ref: 04228E71
                                                                            • Part of subcall function 04228E5B: __amsg_exit.LIBCMT ref: 04228E7D
                                                                            • Part of subcall function 04228E5B: EnterCriticalSection.KERNEL32(00000000,00000000,?,04223F06,0000000D,04236340,00000008,04223FFF,00000000,?,042210F0,00000000,04236278,00000008,04221155,?), ref: 04228E85
                                                                          • __tzset_nolock.LIBCMT ref: 0422642C
                                                                            • Part of subcall function 04225D22: __lock.LIBCMT ref: 04225D44
                                                                            • Part of subcall function 04225D22: ____lc_codepage_func.LIBCMT ref: 04225D8B
                                                                            • Part of subcall function 04225D22: __getenv_helper_nolock.LIBCMT ref: 04225DAD
                                                                            • Part of subcall function 04225D22: _free.LIBCMT ref: 04225DE4
                                                                            • Part of subcall function 04225D22: _strlen.LIBCMT ref: 04225DEB
                                                                            • Part of subcall function 04225D22: __malloc_crt.LIBCMT ref: 04225DF2
                                                                            • Part of subcall function 04225D22: _strlen.LIBCMT ref: 04225E08
                                                                            • Part of subcall function 04225D22: _strcpy_s.LIBCMT ref: 04225E16
                                                                            • Part of subcall function 04225D22: __invoke_watson.LIBCMT ref: 04225E2B
                                                                            • Part of subcall function 04225D22: _free.LIBCMT ref: 04225E3A
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3542553864.0000000004210000.00000040.00001000.00020000.00000000.sdmp, Offset: 04210000, based on PE: true
                                                                          • Associated: 00000003.00000002.3542553864.0000000004244000.00000040.00001000.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_4210000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: __lock_free_strlen$CriticalEnterSection____lc_codepage_func__amsg_exit__getenv_helper_nolock__invoke_watson__malloc_crt__mtinitlocknum__tzset_nolock_strcpy_s
                                                                          • String ID:
                                                                          • API String ID: 1828324828-0
                                                                          • Opcode ID: ff28ecde1a85689e2d8ab5b208f7c677e10ee804b24e7b0a7b84561ef5e96426
                                                                          • Instruction ID: 96d97b7f539e725d287eb9f4078797646cbfd2965ad9ada2ab04c616ddf3e00e
                                                                          • Opcode Fuzzy Hash: ff28ecde1a85689e2d8ab5b208f7c677e10ee804b24e7b0a7b84561ef5e96426
                                                                          • Instruction Fuzzy Hash: E7E0C276B61B30F7E7B27FE4B306A0DB270EBC0F25F604609E58121480CA743581CA52
                                                                          APIs
                                                                          • lstrlenW.KERNEL32(|p1:118.107.44.219|o1:19091|t1:1|p2:118.107.44.219|o2:19092|t2:1|p3:118.107.44.219|o3:19093|t3:1|dd:1|cl:1|fz:), ref: 10004755
                                                                            • Part of subcall function 10003260: __wcsrev.LIBCMT ref: 10020655
                                                                          Strings
                                                                          • |p1:118.107.44.219|o1:19091|t1:1|p2:118.107.44.219|o2:19092|t2:1|p3:118.107.44.219|o3:19093|t3:1|dd:1|cl:1|fz:, xrefs: 10004750
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543076303.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543056647.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                          • Associated: 00000003.00000002.3543099965.0000000010015000.00000002.00001000.00020000.00000000.sdmp
                                                                          • Associated: 00000003.00000002.3543119921.0000000010019000.00000004.00001000.00020000.00000000.sdmp
                                                                          • Associated: 00000003.00000002.3543139437.000000001001F000.00000020.00001000.00020000.00000000.sdmp
                                                                          • Associated: 00000003.00000002.3543159334.0000000010021000.00000002.00001000.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_10000000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: __wcsrevlstrlen
                                                                          • String ID: |p1:118.107.44.219|o1:19091|t1:1|p2:118.107.44.219|o2:19092|t2:1|p3:118.107.44.219|o3:19093|t3:1|dd:1|cl:1|fz:
                                                                          • API String ID: 4062721203-291094236
                                                                          • Opcode ID: ef503d5516fdfa215c481ae33ec846e637023be3d257a54ad483c27845c77df4
                                                                          • Instruction ID: 3065bb4344b1789bcecd08ba6036c617636919b35652953f12b0e4d8e139a27a
                                                                          • Opcode Fuzzy Hash: ef503d5516fdfa215c481ae33ec846e637023be3d257a54ad483c27845c77df4
                                                                          • Instruction Fuzzy Hash: EFC08C72208214CFF202E3D4988876D7359EB33722F608039FA00CD012E672CC8097B1
                                                                          APIs
                                                                          • RegCloseKey.ADVAPI32(80000001,04216E9A), ref: 04216EC9
                                                                          • RegCloseKey.ADVAPI32(75BF73E0), ref: 04216ED2
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3542553864.0000000004210000.00000040.00001000.00020000.00000000.sdmp, Offset: 04210000, based on PE: true
                                                                          • Associated: 00000003.00000002.3542553864.0000000004244000.00000040.00001000.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_4210000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Close
                                                                          • String ID:
                                                                          • API String ID: 3535843008-0
                                                                          • Opcode ID: dd8e11a02b7ef44e301f24159fc191158e4dbbc31a178f350376fdaee5249190
                                                                          • Instruction ID: edde873c1a2712a63c3381202807919ff78b88f866d532dd64a17f87b0669812
                                                                          • Opcode Fuzzy Hash: dd8e11a02b7ef44e301f24159fc191158e4dbbc31a178f350376fdaee5249190
                                                                          • Instruction Fuzzy Hash: E7C09B72D1113897CF10E7A8FD4894D77B89F4C110F1140C2A104A3114C734BD41CF90
                                                                          APIs
                                                                          • CloseHandle.KERNEL32(00000000,?,00000000,?,6BEC124F,6BEC8AB1,?,00000000,00000000), ref: 6BEC12B6
                                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,6BEC8AB1), ref: 6BEC12C0
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: CloseErrorHandleLast
                                                                          • String ID:
                                                                          • API String ID: 918212764-0
                                                                          • Opcode ID: 0407318ef96638523aced662f9207abe978d5f23feb72f0a53ca12944c138221
                                                                          • Instruction ID: dba2c416b032a6e9892a29e804129b93dbdb85cd5aa5153288e28ac4b37ebda0
                                                                          • Opcode Fuzzy Hash: 0407318ef96638523aced662f9207abe978d5f23feb72f0a53ca12944c138221
                                                                          • Instruction Fuzzy Hash: 2A112936A042341ADA191AB5D71676F37999F8373CF35029DE834CA2D2DB3CD45152D3
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 21ecb60f98e7c0c61d1d9bfc2e3870348c4687bddf2640827f9a64e8db7dd82e
                                                                          • Instruction ID: 186a0b5f00019c8ffc7186b675d605133bb51ae8528f91f6f6ddd685ce962f22
                                                                          • Opcode Fuzzy Hash: 21ecb60f98e7c0c61d1d9bfc2e3870348c4687bddf2640827f9a64e8db7dd82e
                                                                          • Instruction Fuzzy Hash: F1519174A10218AFDB14CF68CA91E997BF1EF4A328F34819CE9089B351D375DE52CB90
                                                                          APIs
                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 6BD3A0A4
                                                                            • Part of subcall function 6BD7BFAE: _Yarn.LIBCPMT ref: 6BD7BFCE
                                                                            • Part of subcall function 6BD7BFAE: _Yarn.LIBCPMT ref: 6BD7BFF2
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Yarn$LockitLockit::_std::_
                                                                          • String ID:
                                                                          • API String ID: 360232963-0
                                                                          • Opcode ID: 02784455ca8366fb98da819da712cfd0f92a1b393303a3444bd48b2a3d8757c3
                                                                          • Instruction ID: 39f9af181273793e5802ad831a4b775db1e16cc658139566cbfeaf04d182bff6
                                                                          • Opcode Fuzzy Hash: 02784455ca8366fb98da819da712cfd0f92a1b393303a3444bd48b2a3d8757c3
                                                                          • Instruction Fuzzy Hash: C93109B1E006188BCF18DFA8D8527EEBBB1FF4A328F04412DD5066B341D7799A50CBA5
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: __wsopen_s
                                                                          • String ID:
                                                                          • API String ID: 3347428461-0
                                                                          • Opcode ID: 557bf77e03d9081afdaa12a0bcdfb07ea156a85595b52f94951d2d710052ffa8
                                                                          • Instruction ID: 722dd3c2e5aad80c5756a76f021f4211b54fab3efd8a091350ae1d2240f34327
                                                                          • Opcode Fuzzy Hash: 557bf77e03d9081afdaa12a0bcdfb07ea156a85595b52f94951d2d710052ffa8
                                                                          • Instruction Fuzzy Hash: EF113A76A0420AAFCB05DF98EA4199F7BF9EF48304F104099F814EB351D775EA11CBA5
                                                                          APIs
                                                                          • RtlAllocateHeap.NTDLL(00000008,00000001,00000000,?,0422454A,00000000,00000001,00000000,00000000,00000000,?,04223E0D,00000001,00000214,?,04224500), ref: 0422A735
                                                                            • Part of subcall function 0421F91B: __getptd_noexit.LIBCMT ref: 0421F91B
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3542553864.0000000004210000.00000040.00001000.00020000.00000000.sdmp, Offset: 04210000, based on PE: true
                                                                          • Associated: 00000003.00000002.3542553864.0000000004244000.00000040.00001000.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_4210000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: AllocateHeap__getptd_noexit
                                                                          • String ID:
                                                                          • API String ID: 328603210-0
                                                                          • Opcode ID: 03ffa61149d242d7e75be98439a7753a9897e5c978d7991b7d8bf818d4dfe133
                                                                          • Instruction ID: c8ad3a62604abe5111e1a80a1785742c1422676464d0c0aa74a2dd467b03c64b
                                                                          • Opcode Fuzzy Hash: 03ffa61149d242d7e75be98439a7753a9897e5c978d7991b7d8bf818d4dfe133
                                                                          • Instruction Fuzzy Hash: E5012835320332BEEB249F29DE54B6F33B4EB817A4F1545A9E815CB9A4D774E800C748
                                                                          APIs
                                                                          • RtlAllocateHeap.NTDLL(00000008,00000001,00000000,?,10009FFA,00000000,00000001,00000000,00000000,00000000,?,100098C1,00000001,00000214,?,10009FB0), ref: 1000E598
                                                                            • Part of subcall function 1000710D: __getptd_noexit.LIBCMT ref: 1000710D
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543076303.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543056647.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                          • Associated: 00000003.00000002.3543099965.0000000010015000.00000002.00001000.00020000.00000000.sdmp
                                                                          • Associated: 00000003.00000002.3543119921.0000000010019000.00000004.00001000.00020000.00000000.sdmp
                                                                          • Associated: 00000003.00000002.3543139437.000000001001F000.00000020.00001000.00020000.00000000.sdmp
                                                                          • Associated: 00000003.00000002.3543159334.0000000010021000.00000002.00001000.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_10000000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: AllocateHeap__getptd_noexit
                                                                          • String ID:
                                                                          • API String ID: 328603210-0
                                                                          • Opcode ID: d06f835299f278651632b800e6ea60e14773797a6a441bb7e279904f59b9ce12
                                                                          • Instruction ID: 103cc215c0c144a9a87f3cbc911116c8ac8a7c4356fc0ca5ef77af160fbe558d
                                                                          • Opcode Fuzzy Hash: d06f835299f278651632b800e6ea60e14773797a6a441bb7e279904f59b9ce12
                                                                          • Instruction Fuzzy Hash: E9012435205A958EFB18CF24CC54B5A37D4EB853E6F018929E815AA0D4EB70DC00CB80
                                                                          APIs
                                                                            • Part of subcall function 6BEB8F91: RtlAllocateHeap.NTDLL(00000000,6BEBCF02,?,?,6BEBCF02,00000220,?,00000016,?), ref: 6BEB8FC3
                                                                          • RtlReAllocateHeap.NTDLL(00000000,00000000,?,?,00000000,?,6BEB261B,00000000,?,?,?,?,?,6BEBECB1,?,?), ref: 6BEC03DF
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: AllocateHeap
                                                                          • String ID:
                                                                          • API String ID: 1279760036-0
                                                                          • Opcode ID: a17114086f7a3c307a17f80470d9e004be20b3e447afbf047223035b0c8e0c42
                                                                          • Instruction ID: e814ce611a65b0dca0e4bc0e6df5e1c9cffa89758b800f57bdd25f3d6d4d6223
                                                                          • Opcode Fuzzy Hash: a17114086f7a3c307a17f80470d9e004be20b3e447afbf047223035b0c8e0c42
                                                                          • Instruction Fuzzy Hash: 33F04C721083056BDB11173E8E00B4B375D9F82B7AF300069EC34AA381EF3CC41181AB
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: FolderPath
                                                                          • String ID:
                                                                          • API String ID: 1514166925-0
                                                                          • Opcode ID: 1fe81721c8cb84d18b18542f8a9d1c4fa3dfb5da1852d2cbe8ae60ee4b22ddf6
                                                                          • Instruction ID: 03ef9e6ab224c0dcd49f41b10a7b1025430e7eddd0539edb0d37dab7e05f7164
                                                                          • Opcode Fuzzy Hash: 1fe81721c8cb84d18b18542f8a9d1c4fa3dfb5da1852d2cbe8ae60ee4b22ddf6
                                                                          • Instruction Fuzzy Hash: 4101A2B4D042099FDB00EFA8C5856AEBBF0EB48310F108969E859AB344D7749A44CB92
                                                                          APIs
                                                                          • RtlAllocateHeap.NTDLL(00000000,6BEBCF02,?,?,6BEBCF02,00000220,?,00000016,?), ref: 6BEB8FC3
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: AllocateHeap
                                                                          • String ID:
                                                                          • API String ID: 1279760036-0
                                                                          • Opcode ID: bf18003c1ee918a6664f23180e66f45deedb5cd8a7d80f2c0a85dc7e5c6ac1d8
                                                                          • Instruction ID: 3b62fba7103af43df3263c87a7a19038e23e18fdb9cb7264eeedb38a2b5dab3e
                                                                          • Opcode Fuzzy Hash: bf18003c1ee918a6664f23180e66f45deedb5cd8a7d80f2c0a85dc7e5c6ac1d8
                                                                          • Instruction Fuzzy Hash: 7BE0653215522B66EB1117768E05B4BB69FEF426B4F3101A4DD24AA390EB7CC41196E1
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: DeleteFile
                                                                          • String ID:
                                                                          • API String ID: 4033686569-0
                                                                          • Opcode ID: 82515cf5ced64921eb040495ec98237354e652f7ea7ba49fb4d818b380d2a36d
                                                                          • Instruction ID: b28823f2b0e6c042321db980256471532f5684449373036236abc0a05c335af5
                                                                          • Opcode Fuzzy Hash: 82515cf5ced64921eb040495ec98237354e652f7ea7ba49fb4d818b380d2a36d
                                                                          • Instruction Fuzzy Hash: 6AF0543590D288EFCF019FEC80453ECBFB05B12264F0444D5D8C45B302D23A93A9D7A6
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543076303.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543056647.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543099965.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543119921.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543139437.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543159334.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_10000000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Open
                                                                          • String ID:
                                                                          • API String ID: 71445658-0
                                                                          • Opcode ID: ce9d18141ac8a2415a65a9b8a38807c62c68c0f35cc9388145c160860f9cea29
                                                                          • Instruction ID: d3b2713253b45803e0e36550a0a091f6b3b019736998aa0157c013c20421de29
                                                                          • Opcode Fuzzy Hash: ce9d18141ac8a2415a65a9b8a38807c62c68c0f35cc9388145c160860f9cea29
                                                                          • Instruction Fuzzy Hash: B2E09274908216EADB25DB80C984BFE73B5FB64385F30814DE8042F094D375AE84AA91
                                                                          APIs
                                                                          • SetFileAttributesA.KERNEL32 ref: 6BD5200B
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: AttributesFile
                                                                          • String ID:
                                                                          • API String ID: 3188754299-0
                                                                          • Opcode ID: 6fad433cf62f331a5793a127c20f5d7aeea5b428c4bd8118569540d6c6c2a07d
                                                                          • Instruction ID: d2e964fcfc7c3913f03aad4ed7f6a7f1659de24f775985988583caccde74c6c1
                                                                          • Opcode Fuzzy Hash: 6fad433cf62f331a5793a127c20f5d7aeea5b428c4bd8118569540d6c6c2a07d
                                                                          • Instruction Fuzzy Hash: A9E0B674D00208EFCB80EFA8D14568DBBF4AF48314F5084A9E889D7301E7349A54CF51
                                                                          APIs
                                                                          • CreateFileW.KERNEL32(6BD4A690,00000000,?,6BEC8967,?,?,00000000,?,6BEC8967,6BD4A690,0000000C), ref: 6BEC8CE0
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: CreateFile
                                                                          • String ID:
                                                                          • API String ID: 823142352-0
                                                                          • Opcode ID: f4fbd5a0ef81dd55a2e8bb394149a0a9f8e70e4bc8010d79e11de6eff69f31b8
                                                                          • Instruction ID: 1bff3358115f240fc8165dfc7d83c39c5637da71f7023f1c298d9fbed527c587
                                                                          • Opcode Fuzzy Hash: f4fbd5a0ef81dd55a2e8bb394149a0a9f8e70e4bc8010d79e11de6eff69f31b8
                                                                          • Instruction Fuzzy Hash: 9BD06C3201020DBBDF028E84DC06EDA3BAAFB48714F028010FA1896020C772E831AB91
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543076303.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543056647.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543099965.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543119921.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543139437.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543159334.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_10000000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: QueryValue
                                                                          • String ID:
                                                                          • API String ID: 3660427363-0
                                                                          • Opcode ID: bc9ecc6ca19783af6d6fbb40ca28845bcba02b8ce6e2273daa9cad6eb9c5806e
                                                                          • Instruction ID: fe46c43de78f47d222b333b3703367a29387d0af8959c827854050506a177f75
                                                                          • Opcode Fuzzy Hash: bc9ecc6ca19783af6d6fbb40ca28845bcba02b8ce6e2273daa9cad6eb9c5806e
                                                                          • Instruction Fuzzy Hash: 26C08C30C4C75EE2D032E8101C0A1BDB3E4E778299F3005BFAC452D884E4F4A9C0B6EA
                                                                          APIs
                                                                          • GetCurrentThreadId.KERNEL32 ref: 1001FAB1
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543076303.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543056647.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543099965.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543119921.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543139437.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543159334.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_10000000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentThread
                                                                          • String ID:
                                                                          • API String ID: 2882836952-0
                                                                          • Opcode ID: aaf3e0f0d0f8f1f3a4ac2f5b8bd5fab41d3eaa100fa15abfee4d2d644b7fd40f
                                                                          • Instruction ID: 723c430d69d621f95a846468934f8435ff5600678504d51602c72318876ab3a6
                                                                          • Opcode Fuzzy Hash: aaf3e0f0d0f8f1f3a4ac2f5b8bd5fab41d3eaa100fa15abfee4d2d644b7fd40f
                                                                          • Instruction Fuzzy Hash: B9D012B8104910C7E310DB50C4C465EB2E1FF58300F30C519E92D8B615C738F8C18652
                                                                          APIs
                                                                          • CreateThread.KERNEL32(00000000,00000000,Function_00006110,00000000), ref: 10020693
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543076303.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543056647.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543099965.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543119921.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543139437.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543159334.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_10000000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: CreateThread
                                                                          • String ID:
                                                                          • API String ID: 2422867632-0
                                                                          • Opcode ID: 13c8da13fabdb43a0039df29cdbc36604e7b86c2d4870efbc9606bf7f6935c8f
                                                                          • Instruction ID: caee183b5a6c68c45fee89ce5ab94ef9cb690e012967d693a85690ee7ea4d081
                                                                          • Opcode Fuzzy Hash: 13c8da13fabdb43a0039df29cdbc36604e7b86c2d4870efbc9606bf7f6935c8f
                                                                          • Instruction Fuzzy Hash: 20C04C3424C314E9F430D1442C46B5C1401F75EB65EB543177B205E4D74D7040C13553
                                                                          APIs
                                                                          • TCGamerUpdateMain.UPDATE(?,?), ref: 0002100B
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3541338150.0000000000021000.00000020.00000001.01000000.00000005.sdmp, Offset: 00020000, based on PE: true
                                                                          • Associated: 00000003.00000002.3541291978.0000000000020000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3541375098.0000000000022000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3541410059.0000000000023000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3541444515.0000000000024000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3541444515.0000000000066000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_20000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: GamerMainUpdate
                                                                          • String ID:
                                                                          • API String ID: 3533789159-0
                                                                          • Opcode ID: 0dc032e54f475a4c8a862538ffc73d883b9d6e7095286aea5a65631e74e2db75
                                                                          • Instruction ID: b6ef548c66d66bbbbda11579d30d492b49407b9ff5cbf57de7122c4c6695da29
                                                                          • Opcode Fuzzy Hash: 0dc032e54f475a4c8a862538ffc73d883b9d6e7095286aea5a65631e74e2db75
                                                                          • Instruction Fuzzy Hash: 81B092B656020C7B8B44EAD8EC82CDA339C5B58750B408014BE0C8B242E976FA9087A1
                                                                          APIs
                                                                          • DeleteObject.GDI32(00000000), ref: 6BD62D69
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: DeleteObject
                                                                          • String ID:
                                                                          • API String ID: 1531683806-0
                                                                          • Opcode ID: 3f94286fc35cf5ec106b95c6409c5c76eeb33127c9d29b2935e37690054f2a37
                                                                          • Instruction ID: c88ceb1eb81037b9c8dbf91a99d04e44034f5922711a66ee2a3ae2dd436cdadf
                                                                          • Opcode Fuzzy Hash: 3f94286fc35cf5ec106b95c6409c5c76eeb33127c9d29b2935e37690054f2a37
                                                                          • Instruction Fuzzy Hash: E0B09270861100EBCE4057708A0A74A3A649B82BAEF008CA4E008C9000EB3DC9499990
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543139437.000000001001F000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543056647.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543076303.0000000010001000.00000020.00001000.00020000.00000000.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543099965.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543119921.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543159334.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_10000000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: send
                                                                          • String ID:
                                                                          • API String ID: 2809346765-0
                                                                          • Opcode ID: b133ea7d05f53c3c11ad6334d0588478f261473ccb87b5617e28918120fa56af
                                                                          • Instruction ID: 6b957aef4a72e5dc30e8cb3213a85d60c43ac51bc1e09057d618b7ba0e2fc2ae
                                                                          • Opcode Fuzzy Hash: b133ea7d05f53c3c11ad6334d0588478f261473ccb87b5617e28918120fa56af
                                                                          • Instruction Fuzzy Hash: 8D900238288511FAA2124A2158897593654D6145423185418DC02C9010D631C2806514
                                                                          APIs
                                                                            • Part of subcall function 6BD59550: CreateToolhelp32Snapshot.KERNEL32 ref: 6BD595A2
                                                                          • Sleep.KERNEL32 ref: 6BD59A2F
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: CreateSleepSnapshotToolhelp32
                                                                          • String ID:
                                                                          • API String ID: 684154974-0
                                                                          • Opcode ID: bceab770833842c544ad936410a9a2f4d0e39a6e2ff23c0ab56515601025abd9
                                                                          • Instruction ID: a294208fa0e6f6b94fc81aefaa575549115a4e0c5ef2f981391b8d61ef98b0d1
                                                                          • Opcode Fuzzy Hash: bceab770833842c544ad936410a9a2f4d0e39a6e2ff23c0ab56515601025abd9
                                                                          • Instruction Fuzzy Hash: 972119B1904399CFCF04DFA8C8416DEBBB4BB09724F000629D465AB385D77D9659CFA2
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Sleep
                                                                          • String ID:
                                                                          • API String ID: 3472027048-0
                                                                          • Opcode ID: a433101acbe227e859bbc76557f11232b22c3072d5eb06c69415a77b8bcbdf96
                                                                          • Instruction ID: 31a1984db0fb6c60f55457d858f0ce2b145678e7899a66ac1e277fa4a39d3c7e
                                                                          • Opcode Fuzzy Hash: a433101acbe227e859bbc76557f11232b22c3072d5eb06c69415a77b8bcbdf96
                                                                          • Instruction Fuzzy Hash: 95216AB5A04269CFCB099FA8E45258CBF71BB07768F014429C5455F311DB3D9905CBA1
                                                                          APIs
                                                                          • Sleep.KERNEL32 ref: 10005EB2
                                                                            • Part of subcall function 10006F17: _malloc.LIBCMT ref: 10006F31
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543076303.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543056647.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                          • Associated: 00000003.00000002.3543099965.0000000010015000.00000002.00001000.00020000.00000000.sdmp
                                                                          • Associated: 00000003.00000002.3543119921.0000000010019000.00000004.00001000.00020000.00000000.sdmp
                                                                          • Associated: 00000003.00000002.3543139437.000000001001F000.00000020.00001000.00020000.00000000.sdmp
                                                                          • Associated: 00000003.00000002.3543159334.0000000010021000.00000002.00001000.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_10000000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Sleep_malloc
                                                                          • String ID:
                                                                          • API String ID: 617756273-0
                                                                          • Opcode ID: bd1a2801bd1f1b37b244e82fcf0364694be79379b717d5536a6d8ec7b8dccb93
                                                                          • Instruction ID: c703cf204976232012e29921027dce2d5ea17eb50e6b597cbfa29dc34b4da51f
                                                                          • Opcode Fuzzy Hash: bd1a2801bd1f1b37b244e82fcf0364694be79379b717d5536a6d8ec7b8dccb93
                                                                          • Instruction Fuzzy Hash: 6CD0A772D08202CBE7B0EDD048C403D6052A758284F74803DD6059D001D5718D849382
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Sleep
                                                                          • String ID:
                                                                          • API String ID: 3472027048-0
                                                                          • Opcode ID: c10573dbb6d349569d6c128eba162b824f7bc57166fd1fef992ff6063c77f4d9
                                                                          • Instruction ID: 76887c66114dae0ac5f712cc381c943947d47bfe6975987876b7f85af8bba0f9
                                                                          • Opcode Fuzzy Hash: c10573dbb6d349569d6c128eba162b824f7bc57166fd1fef992ff6063c77f4d9
                                                                          • Instruction Fuzzy Hash: 2DD09E75D002089FC740EFBCE54658DBFF4AB44310F404575E988D7300E6749698CB96
                                                                          APIs
                                                                          • __EH_prolog3_GS.LIBCMT ref: 6BD91DB2
                                                                          • GetClientRect.USER32(?,?), ref: 6BD91E66
                                                                            • Part of subcall function 6BD63959: __EH_prolog3.LIBCMT ref: 6BD63960
                                                                            • Part of subcall function 6BD63959: GetDC.USER32(00000000), ref: 6BD6398C
                                                                          • GetFocus.USER32 ref: 6BD920D2
                                                                          • NotifyWinEvent.USER32(00008005,?,000000FC,00000000), ref: 6BD92106
                                                                          • InvalidateRect.USER32(?,?,00000001,?), ref: 6BD922D8
                                                                          • InflateRect.USER32(?,00000000,?), ref: 6BD9231E
                                                                          • RedrawWindow.USER32(?,?,00000000,00000401), ref: 6BD92331
                                                                          • InvalidateRect.USER32(?,?,00000001,?), ref: 6BD923C4
                                                                          • InflateRect.USER32(?,00000000,?), ref: 6BD9240A
                                                                          • RedrawWindow.USER32(?,?,00000000,00000401), ref: 6BD9241E
                                                                          • NotifyWinEvent.USER32(00008005,?,000000FC,00000001), ref: 6BD92504
                                                                          • InvalidateRect.USER32(?,?,00000001,?), ref: 6BD92575
                                                                          • InflateRect.USER32(?,00000000,?), ref: 6BD925BB
                                                                          • RedrawWindow.USER32(?,?,00000000,00000401), ref: 6BD925CE
                                                                          • InvalidateRect.USER32(?,?,00000001,?), ref: 6BD92640
                                                                          • InflateRect.USER32(?,00000000,?), ref: 6BD92686
                                                                          • RedrawWindow.USER32(?,?,00000000,00000401), ref: 6BD92699
                                                                          • UpdateWindow.USER32(?), ref: 6BD926A2
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Rect$Window$InflateInvalidateRedraw$EventNotify$ClientFocusH_prolog3H_prolog3_Update
                                                                          • String ID:
                                                                          • API String ID: 387073690-0
                                                                          • Opcode ID: 90573ede7e344ea95a8ad910fbfdf969be2ae1dab8981efb1b1c4f9794bf198a
                                                                          • Instruction ID: dc731f97ed6640c4c8d136bc2f56b446cc4abef2dfffb039d74699e7f319ca15
                                                                          • Opcode Fuzzy Hash: 90573ede7e344ea95a8ad910fbfdf969be2ae1dab8981efb1b1c4f9794bf198a
                                                                          • Instruction Fuzzy Hash: BB528071E1061ADFDF18EFA4D854BADB7B5BF09328F100169E815AB250DB38E945CFA0
                                                                          APIs
                                                                          • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 6BD8B99D
                                                                          • GetDlgItem.USER32(?,00003020), ref: 6BD8B9ED
                                                                          • GetDlgItem.USER32(?,00003020), ref: 6BD8BA18
                                                                          • GetWindowRect.USER32(00000000,?), ref: 6BD8BA2C
                                                                          • MapDialogRect.USER32(?,?), ref: 6BD8BA4F
                                                                          • SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000016), ref: 6BD8BA79
                                                                          • GetDlgItem.USER32(?,00000001), ref: 6BD8BA8A
                                                                          • GetWindowRect.USER32(00000000,?), ref: 6BD8BA9C
                                                                          • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,00000015,?), ref: 6BD8BAC0
                                                                          • GetWindowRect.USER32(?,?), ref: 6BD8BAD5
                                                                          • GetWindowRect.USER32(?,?), ref: 6BD8BB33
                                                                          • GetDlgItem.USER32(?,00000001), ref: 6BD8BB45
                                                                          • GetWindowRect.USER32(00000000,?), ref: 6BD8BB54
                                                                          • GetDlgItem.USER32(?,00000001), ref: 6BD8BB7D
                                                                          • ShowWindow.USER32(00000000,00000000), ref: 6BD8BB8C
                                                                          • EnableWindow.USER32(00000000,00000000), ref: 6BD8BB95
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Window$Rect$Item$DialogEnableMessageSendShow
                                                                          • String ID:
                                                                          • API String ID: 966972710-0
                                                                          • Opcode ID: e2c0ff086a0e4f0d91c8472d061fc53f2c43c8c62193caaf574c0ccc4946713e
                                                                          • Instruction ID: 48a0bfecfb105eca143f540324a927887eb97a9e8df38b472eef26b192221d88
                                                                          • Opcode Fuzzy Hash: e2c0ff086a0e4f0d91c8472d061fc53f2c43c8c62193caaf574c0ccc4946713e
                                                                          • Instruction Fuzzy Hash: BEA1E271A00609EFDB10DFB8CD89BAFB7B9FF49315F104528E455EA1A0DB75AA40CB60
                                                                          APIs
                                                                          • SetRectEmpty.USER32(?), ref: 6BD982F9
                                                                          • RedrawWindow.USER32(?,00000000,00000000,00000505), ref: 6BD98317
                                                                          • ReleaseCapture.USER32 ref: 6BD9831D
                                                                          • SetCapture.USER32(?), ref: 6BD98330
                                                                          • ReleaseCapture.USER32 ref: 6BD983BD
                                                                          • SetCapture.USER32(?), ref: 6BD983D0
                                                                          • SendMessageW.USER32(?,00000362,0000E001,00000000), ref: 6BD984C4
                                                                          • UpdateWindow.USER32(?), ref: 6BD98550
                                                                          • SendMessageW.USER32(?,00000111,00000000,00000000), ref: 6BD9859F
                                                                          • IsWindow.USER32(?), ref: 6BD985AB
                                                                          • IsIconic.USER32(?), ref: 6BD985B6
                                                                          • IsZoomed.USER32(?), ref: 6BD985C1
                                                                          • IsWindow.USER32(?), ref: 6BD985DF
                                                                          • UpdateWindow.USER32(?), ref: 6BD9863B
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Window$Capture$MessageReleaseSendUpdate$EmptyIconicRectRedrawZoomed
                                                                          • String ID:
                                                                          • API String ID: 2500574155-0
                                                                          • Opcode ID: 0599f53b25e6dc24f7e2ac625e88b6fc3cd8c85db3a526043b8dfa689e1f398f
                                                                          • Instruction ID: c5f672f088bbaced372039acb874f14933abec8768d7ff0b9ac1aa15b22ffa63
                                                                          • Opcode Fuzzy Hash: 0599f53b25e6dc24f7e2ac625e88b6fc3cd8c85db3a526043b8dfa689e1f398f
                                                                          • Instruction Fuzzy Hash: A6C18E31A10614DFCF05AF64C984AAD3BB6BF49760F0405B9EC199F2A1DB39D905DF90
                                                                          APIs
                                                                            • Part of subcall function 6BD6A828: GetParent.USER32(?), ref: 6BD6A832
                                                                          • ScreenToClient.USER32(?,?), ref: 6BD84044
                                                                          • GetKeyState.USER32(00000001), ref: 6BD840B5
                                                                          • GetKeyState.USER32(00000001), ref: 6BD84110
                                                                          • IsWindow.USER32(?), ref: 6BD841D1
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: State$ClientParentScreenWindow
                                                                          • String ID: 0
                                                                          • API String ID: 1527269598-4108050209
                                                                          • Opcode ID: deb6568ead4b346ce4fc26cf9a43d14158a1a0f263ca48f5f06c877b275789b7
                                                                          • Instruction ID: e67bd317d802b64957f60a2b761e9bbc7c79a09741a106d09294ece39a2103cc
                                                                          • Opcode Fuzzy Hash: deb6568ead4b346ce4fc26cf9a43d14158a1a0f263ca48f5f06c877b275789b7
                                                                          • Instruction Fuzzy Hash: 0E61B034F00318DBDF12DF64C895BADBBB9BF05766F100169E811AB291EB7899019F91
                                                                          APIs
                                                                          • GetModuleHandleW.KERNEL32(kernel32.dll,?,?,6BD69F7C,6BD69005,00000003,?,00000004,6BD69005), ref: 6BD85BA3
                                                                          • GetProcAddress.KERNEL32(00000000,GetLocaleInfoEx), ref: 6BD85BB3
                                                                          • EncodePointer.KERNEL32(00000000,?,6BD69F7C,6BD69005,00000003,?,00000004,6BD69005), ref: 6BD85BBC
                                                                          • DecodePointer.KERNEL32(00000000,?,?,6BD69F7C,6BD69005,00000003,?,00000004,6BD69005), ref: 6BD85BCA
                                                                          • GetLocaleInfoW.KERNEL32(00000000,00000004,?,00000003,?,6BD69F7C,6BD69005,00000003,?,00000004,6BD69005), ref: 6BD85C01
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Pointer$AddressDecodeEncodeHandleInfoLocaleModuleProc
                                                                          • String ID: GetLocaleInfoEx$kernel32.dll
                                                                          • API String ID: 1461536855-1547310189
                                                                          • Opcode ID: 82990f66d7f92c870c8152cf39b58d9d36a68a2960fdd8fbee6944966cccbd3d
                                                                          • Instruction ID: 1f5d7ff851cbdaf2167a3e4480a565f3a6bec23a0fcfb8edfae1b2df6264e795
                                                                          • Opcode Fuzzy Hash: 82990f66d7f92c870c8152cf39b58d9d36a68a2960fdd8fbee6944966cccbd3d
                                                                          • Instruction Fuzzy Hash: E2016D76414219FBCF121FA4CC08E9A3F6AFB097667004820FE16D9130DB79D824ABB0
                                                                          APIs
                                                                          • __EH_prolog3_GS.LIBCMT ref: 6BDA7D79
                                                                          • PathIsUNCW.SHLWAPI(?,?,?,?,6BDD9BF2,00000024,?,?,?), ref: 6BDA7E29
                                                                          • GetVolumeInformationW.KERNEL32(?,00000000,00000000,00000000,?,?,00000000,00000000,?,6BDD9BF2,00000024,?,?,?), ref: 6BDA7E4D
                                                                          • GetFullPathNameW.KERNEL32(?,00000104,?,?,00000268,6BDA7BEB,?,?,00000000,?,6BDD9BF2,00000024,?,?,?), ref: 6BDA7DAC
                                                                            • Part of subcall function 6BDA7D2D: GetLastError.KERNEL32(?,?,?,6BDA7E5E,?,?,?,6BDD9BF2,00000024,?,?,?), ref: 6BDA7D39
                                                                            • Part of subcall function 6BDA7C62: PathStripToRootW.SHLWAPI(00000000,?,?,6BDD9BF2,00000024,?,?,?), ref: 6BDA7C96
                                                                          • CharUpperW.USER32(?,?,6BDD9BF2,00000024,?,?,?), ref: 6BDA7E7B
                                                                          • FindFirstFileW.KERNEL32(?,?,?,6BDD9BF2,00000024,?,?,?), ref: 6BDA7E93
                                                                          • FindClose.KERNEL32(00000000,?,6BDD9BF2,00000024,?,?,?), ref: 6BDA7E9F
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Path$Find$CharCloseErrorFileFirstFullH_prolog3_InformationLastNameRootStripUpperVolume
                                                                          • String ID:
                                                                          • API String ID: 2323451338-0
                                                                          • Opcode ID: 8045f16666634ee62a5ff8de38851c23397f63e087f5dab3964c9e69205b84bc
                                                                          • Instruction ID: 4aed70e35ae7dab322a75a2a4df63de6e5c844e1c3dfa77ebb3f78fc80c5c2b3
                                                                          • Opcode Fuzzy Hash: 8045f16666634ee62a5ff8de38851c23397f63e087f5dab3964c9e69205b84bc
                                                                          • Instruction Fuzzy Hash: 0A419371515106BBEF14AB34CC89EAE737CEF00338F1009E9E4599A154EB39AF458A31
                                                                          APIs
                                                                          • GetAsyncKeyState.USER32(00000012), ref: 6BDB0E9A
                                                                          • GetAsyncKeyState.USER32(00000012), ref: 6BDB0EB8
                                                                          • GetKeyboardState.USER32(?), ref: 6BDB0EEA
                                                                          • GetKeyboardLayout.USER32(?), ref: 6BDB0EFD
                                                                          • MapVirtualKeyW.USER32(?,00000000), ref: 6BDB0F08
                                                                          • ToUnicodeEx.USER32(?,00000000,?,?,00000002,00000001,00000000), ref: 6BDB0F23
                                                                          • CharUpperW.USER32(?), ref: 6BDB0F39
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: State$AsyncKeyboard$CharLayoutUnicodeUpperVirtual
                                                                          • String ID:
                                                                          • API String ID: 298839909-0
                                                                          • Opcode ID: df7e6484cab6bd53b51368618ba246c6e056ff6cd8bc18e9d2d678d0ad521407
                                                                          • Instruction ID: 46b6eeca9f59ec82767730a907a33e7312b92cef673cf81e1327a93e2ffdd155
                                                                          • Opcode Fuzzy Hash: df7e6484cab6bd53b51368618ba246c6e056ff6cd8bc18e9d2d678d0ad521407
                                                                          • Instruction Fuzzy Hash: 3D4121B1711109ABCB109B24C845FAEB769EF497A0F4040AAF956EF190EB78D9458BE0
                                                                          APIs
                                                                          • GetWindowRect.USER32(?,?), ref: 6BD78B9B
                                                                          • EqualRect.USER32(?,00000000), ref: 6BD78BB9
                                                                            • Part of subcall function 6BD7B9D8: SetWindowPos.USER32(?,00000115,00000000,00000000,00000002,00000002,00000000,?,?,6BD7906B,00000000,00000002,00000002,00000000,00000000,00000115), ref: 6BD7BA00
                                                                          • IsWindowVisible.USER32(?), ref: 6BD78C74
                                                                          • CopyRect.USER32(?,?), ref: 6BD78CB4
                                                                          • GetParent.USER32(?), ref: 6BD78D96
                                                                          • SetParent.USER32(?,?), ref: 6BD78DAC
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: RectWindow$Parent$CopyEqualVisible
                                                                          • String ID:
                                                                          • API String ID: 3103310903-0
                                                                          • Opcode ID: 2029b59c109bd514963dddfcc654a5bfa354def888b60552d9b2cc976e79b320
                                                                          • Instruction ID: a71eeb78c1ebde246fd9517ff36788a3995e87ac6f64c0ca4e2c5f6cd246f0ea
                                                                          • Opcode Fuzzy Hash: 2029b59c109bd514963dddfcc654a5bfa354def888b60552d9b2cc976e79b320
                                                                          • Instruction Fuzzy Hash: 1581B571A10619ABDF24AF35CC99BEAB775BF04324F1002B9E919DB190DB399E448B60
                                                                          APIs
                                                                          • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 000215DC
                                                                          • memset.VCRUNTIME140(?,00000000,00000003), ref: 00021602
                                                                          • memset.VCRUNTIME140(?,00000000,00000050), ref: 0002168C
                                                                          • IsDebuggerPresent.KERNEL32 ref: 000216A8
                                                                          • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 000216C8
                                                                          • UnhandledExceptionFilter.KERNEL32(?), ref: 000216D2
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3541338150.0000000000021000.00000020.00000001.01000000.00000005.sdmp, Offset: 00020000, based on PE: true
                                                                          • Associated: 00000003.00000002.3541291978.0000000000020000.00000002.00000001.01000000.00000005.sdmp
                                                                          • Associated: 00000003.00000002.3541375098.0000000000022000.00000002.00000001.01000000.00000005.sdmp
                                                                          • Associated: 00000003.00000002.3541410059.0000000000023000.00000004.00000001.01000000.00000005.sdmp
                                                                          • Associated: 00000003.00000002.3541444515.0000000000024000.00000002.00000001.01000000.00000005.sdmp
                                                                          • Associated: 00000003.00000002.3541444515.0000000000066000.00000002.00000001.01000000.00000005.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_20000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: ExceptionFilterPresentUnhandledmemset$DebuggerFeatureProcessor
                                                                          • String ID:
                                                                          • API String ID: 1045392073-0
                                                                          • Opcode ID: 24da01e82335f6cb0f53cbb2cd5ee48e3e6859f725f2684b693de5798fa9c413
                                                                          • Instruction ID: 9ba151cbeeb163b64d2e0a72e581da700ff0c4ea53d8f9c087bc990fdc0a7949
                                                                          • Opcode Fuzzy Hash: 24da01e82335f6cb0f53cbb2cd5ee48e3e6859f725f2684b693de5798fa9c413
                                                                          • Instruction Fuzzy Hash: 15311875D0522CDBDB21DFA4D989BCCBBF8AF18304F1041EAE409AB251EB759A85CF44
                                                                          APIs
                                                                          • GetLocaleInfoW.KERNEL32(?,2000000B,6BEC570B,00000002,00000000,?,?,?,6BEC570B,?,00000000), ref: 6BEC5DD3
                                                                          • GetLocaleInfoW.KERNEL32(?,20001004,6BEC570B,00000002,00000000,?,?,?,6BEC570B,?,00000000), ref: 6BEC5DFC
                                                                          • GetACP.KERNEL32(?,?,6BEC570B,?,00000000), ref: 6BEC5E11
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: InfoLocale
                                                                          • String ID: ACP$OCP
                                                                          • API String ID: 2299586839-711371036
                                                                          • Opcode ID: b2aaa28c6a2a1116406c68cd1fac6214a5c53476a067464ef2537e683d7e55c2
                                                                          • Instruction ID: 53d843d7336911a8aa10b924bb042e8aa1cc283b5e966c1b78c7856b3b84740f
                                                                          • Opcode Fuzzy Hash: b2aaa28c6a2a1116406c68cd1fac6214a5c53476a067464ef2537e683d7e55c2
                                                                          • Instruction Fuzzy Hash: 23210632A04300AAE7248B55CB0BB8777F7EF44F58B7284A4EA25CB205E736DD51C352
                                                                          APIs
                                                                          • GetClientRect.USER32(?,?), ref: 6BD64251
                                                                          • InflateRect.USER32(?,?,?), ref: 6BD6426D
                                                                          • BeginDeferWindowPos.USER32(?), ref: 6BD642E1
                                                                          • InvalidateRect.USER32(?,00000000,00000001,00000018,00000008,00000000,0000EA20), ref: 6BD64350
                                                                          • EndDeferWindowPos.USER32(00000000), ref: 6BD6454E
                                                                            • Part of subcall function 6BD7B7F7: GetDlgItem.USER32(?,?), ref: 6BD7B808
                                                                            • Part of subcall function 6BD65F4B: GetClientRect.USER32(?,?), ref: 6BD65F6D
                                                                            • Part of subcall function 6BD65F4B: GetParent.USER32(?), ref: 6BD65F86
                                                                            • Part of subcall function 6BD65F4B: GetClientRect.USER32(?,?), ref: 6BD65FB5
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Rect$Client$DeferWindow$BeginInflateInvalidateItemParent
                                                                          • String ID:
                                                                          • API String ID: 939197390-0
                                                                          • Opcode ID: 61d82870e6b60c003a84968dc017f989f128186acbbe6c2fb4b0c48f57d6d412
                                                                          • Instruction ID: 7d71b65a41f90188802695c15e51c3b79c145e3be45fff35c3b4c9dd740ce320
                                                                          • Opcode Fuzzy Hash: 61d82870e6b60c003a84968dc017f989f128186acbbe6c2fb4b0c48f57d6d412
                                                                          • Instruction Fuzzy Hash: 47B10271E0064AEFDB18CFA8C891BADFBB6FF08314F104129E519AB250E774A955CF90
                                                                          APIs
                                                                          • IsDebuggerPresent.KERNEL32 ref: 03AE7914
                                                                          • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 03AE7929
                                                                          • UnhandledExceptionFilter.KERNEL32(10015350), ref: 03AE7934
                                                                          • GetCurrentProcess.KERNEL32(C0000409), ref: 03AE7950
                                                                          • TerminateProcess.KERNEL32(00000000), ref: 03AE7957
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3542251241.0000000003AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AE0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_3ae0000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                                                          • String ID:
                                                                          • API String ID: 2579439406-0
                                                                          • Opcode ID: 57dfde80044b951cb17f91093e50248a3407fe2147c9df5aa397585be7e6a5f4
                                                                          • Instruction ID: 9c7bf2fc88326d2456d0059de07c627a0ef03b8d5c5a5881e02afa02f7151c36
                                                                          • Opcode Fuzzy Hash: 57dfde80044b951cb17f91093e50248a3407fe2147c9df5aa397585be7e6a5f4
                                                                          • Instruction Fuzzy Hash: 0D21CCB8818224EFE702DF69C9C96597BF4BB0A325F40901AE5098B361EBB5D5C0CF90
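Two of the routines listed above deserve opposite readings. The GetAsyncKeyState / GetKeyboardState / GetKeyboardLayout / MapVirtualKeyW / ToUnicodeEx routine polls key state and translates virtual keys into characters, which is the user-mode keylogging pattern without a SetWindowsHookEx hook. The two IsDebuggerPresent routines, by contrast, sit next to IsProcessorFeaturePresent(0x17, PF_FASTFAIL_AVAILABLE), SetUnhandledExceptionFilter(NULL), UnhandledExceptionFilter and TerminateProcess with 0xC0000409 (STATUS_STACK_BUFFER_OVERRUN); that is the shape of the MSVC CRT's fault reporting (_call_reportfault / __raise_securityfailure), which the compiler links into ordinary /GS builds, so on its own it is not evidence of deliberate debugger evasion. The triage helper below, an added example and not Joe Sandbox code, parses "APIs" bullets in this report's layout and applies those two rules; the report excerpt it runs on is constructed to mirror the routines above, and the tag names, the `API_LINE` regex and the function names are my own.

```python
"""Triage helper: parse Joe Sandbox per-function "APIs" bullets and tag the
behaviour they imply. Added example, not Joe Sandbox code; SAMPLE below is a
constructed excerpt in the report's own layout."""
import re

# One bullet as the report prints it, e.g.
#   • GetAsyncKeyState.USER32(00000012), ref: 6BDB0E9A
#   • IsDebuggerPresent.KERNEL32 ref: 000216A8
#   • Part of subcall function 6BDA7D2D: GetLastError.KERNEL32(?), ref: 6BDA7D39
API_LINE = re.compile(
    r"•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_@]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"\s*(?:\((?P<args>[^)]*)\))?"
)

STATUS_STACK_BUFFER_OVERRUN = "C0000409"  # exit status used by __raise_securityfailure
PF_FASTFAIL_AVAILABLE = "00000017"        # IsProcessorFeaturePresent(23), checked by the CRT


def parse_functions(report_text):
    """Return one list of (api, module, args) per function block.
    A block runs from an 'APIs' line to the next 'Memory Dump Source' line."""
    functions, current = [], None
    for raw in report_text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = []
            functions.append(current)
        elif line == "Memory Dump Source":
            current = None
        elif current is not None:
            m = API_LINE.match(line)
            if m:
                args = tuple(a.strip() for a in (m.group("args") or "").split(",") if a.strip())
                current.append((m.group("api"), m.group("module").upper(), args))
    return functions


KEY_POLL = {"GetAsyncKeyState", "GetKeyboardState", "GetKeyState"}
KEY_TRANSLATE = {"ToUnicodeEx", "ToUnicode", "ToAsciiEx", "ToAscii",
                 "MapVirtualKeyW", "MapVirtualKeyA", "MapVirtualKeyExW", "MapVirtualKeyExA"}


def classify(calls):
    """Tag one function's call list; returns a sorted list of tags."""
    apis = {api for api, _, _ in calls}
    args = {a for _, _, argv in calls for a in argv}
    tags = set()
    # Polling key state and turning virtual keys into characters is the
    # hookless user-mode keylogger pattern.
    if apis & KEY_POLL and apis & KEY_TRANSLATE:
        tags.add("keylogging")
    if "IsDebuggerPresent" in apis:
        # MSVC CRT fault reporting calls IsDebuggerPresent right before
        # SetUnhandledExceptionFilter(NULL) and UnhandledExceptionFilter, then
        # terminates with STATUS_STACK_BUFFER_OVERRUN; treat that shape as
        # runtime boilerplate rather than anti-debugging.
        crt_shape = {"SetUnhandledExceptionFilter", "UnhandledExceptionFilter"} <= apis
        crt_hint = ("TerminateProcess" in apis
                    or PF_FASTFAIL_AVAILABLE in args
                    or STATUS_STACK_BUFFER_OVERRUN in args)
        tags.add("crt-fault-handler" if crt_shape and crt_hint else "anti-debug")
    return sorted(tags)


def triage(report_text):
    """Classify every function block in a report excerpt, in order."""
    return [classify(calls) for calls in parse_functions(report_text)]


# Constructed sample: a key-polling routine, a _call_reportfault-style routine,
# a __raise_securityfailure-style routine, and a bare IsDebuggerPresent check.
SAMPLE = """
APIs
• GetAsyncKeyState.USER32(00000012), ref: 6BDB0E9A
• GetKeyboardState.USER32(?), ref: 6BDB0EEA
• MapVirtualKeyW.USER32(?,00000000), ref: 6BDB0F08
• ToUnicodeEx.USER32(?,00000000,?,?,00000002,00000001,00000000), ref: 6BDB0F23
Memory Dump Source
APIs
• IsProcessorFeaturePresent.KERNEL32(00000017), ref: 000215DC
• IsDebuggerPresent.KERNEL32 ref: 000216A8
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 000216C8
• UnhandledExceptionFilter.KERNEL32(?), ref: 000216D2
Memory Dump Source
APIs
• IsDebuggerPresent.KERNEL32 ref: 03AE7914
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 03AE7929
• UnhandledExceptionFilter.KERNEL32(10015350), ref: 03AE7934
• GetCurrentProcess.KERNEL32(C0000409), ref: 03AE7950
• TerminateProcess.KERNEL32(00000000), ref: 03AE7957
Memory Dump Source
APIs
• IsDebuggerPresent.KERNEL32 ref: 00401000
• ExitProcess.KERNEL32(00000001), ref: 00401010
Memory Dump Source
"""

if __name__ == "__main__":
    for i, tags in enumerate(triage(SAMPLE)):
        print(f"function {i}: {tags}")
```

Joe Sandbox's argument columns are reconstructed from the stack, so values such as the C0000409 shown against GetCurrentProcess rather than TerminateProcess are positional guesses; the rule therefore looks for the status anywhere in the block's arguments instead of on one specific call. A bare IsDebuggerPresent with no exception-filter pair around it, as in the last constructed block, is still tagged anti-debug.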
                                                                          APIs
                                                                          • GetWindowRect.USER32(?,?), ref: 6BD68264
                                                                            • Part of subcall function 6BD7B9D8: SetWindowPos.USER32(?,00000115,00000000,00000000,00000002,00000002,00000000,?,?,6BD7906B,00000000,00000002,00000002,00000000,00000000,00000115), ref: 6BD7BA00
                                                                          • SetRectEmpty.USER32(?), ref: 6BD682F2
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: RectWindow$Empty
                                                                          • String ID: @
                                                                          • API String ID: 650961088-2766056989
                                                                          • Opcode ID: 60eab6ba992617226c5158c3fa9cfb2205bbbc705fa04cbff8fb7e2d78d04caa
                                                                          • Instruction ID: 0bbffcf8fdd2c33aa1165ae2ec1de99e2ad8fedfe6474fd6fc3ba1788f062075
                                                                          • Opcode Fuzzy Hash: 60eab6ba992617226c5158c3fa9cfb2205bbbc705fa04cbff8fb7e2d78d04caa
                                                                          • Instruction Fuzzy Hash: 71E13A71E00219DFDB14CFA8C995AEEBBB5FF49360F14416AE815BB340EB35A941CB60
                                                                          APIs
                                                                          • FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6BEBEE7C
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: FileFindFirst
                                                                          • String ID:
                                                                          • API String ID: 1974802433-0
                                                                          • Opcode ID: 8503da4e58ad06aa9a46f0b9373756855252dc2c397c1d71aabae1030dd8f721
                                                                          • Instruction ID: 9edd8ace89acbdceaff6f46c6c76affd99b2221e9fc20244541daaf1073b1ca8
                                                                          • Opcode Fuzzy Hash: 8503da4e58ad06aa9a46f0b9373756855252dc2c397c1d71aabae1030dd8f721
                                                                          • Instruction Fuzzy Hash: C871F471C195599FDF209F38CD89AEAB7B9AB05308F2045EEE01DA7210DB398E949F50
APIs
Memory Dump Source
• Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
• Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
Similarity
• API ID: Parent$H_prolog3Iconic
• String ID:
• API String ID: 881905488-0
• Opcode ID: 574f9003156feee8c703d78d7b4d70b8a26a0ce0f40e5c440575658f78d531a7
• Instruction ID: 2710c27ee5dd15f006a0f82aa95d9d8a1034c5c28c8abc69ed77bd335041fa95
• Opcode Fuzzy Hash: 574f9003156feee8c703d78d7b4d70b8a26a0ce0f40e5c440575658f78d531a7
• Instruction Fuzzy Hash: BA21DE32601205EBCF116F74C805B9E7B62FF4437AF004568FC55AF124EB39E911ABA0
APIs
  • Part of subcall function 6BD7B682: GetWindowLongW.USER32(458BF84D,000000F0), ref: 6BD7B68F
• GetKeyState.USER32(00000010), ref: 6BD6CD1B
• GetKeyState.USER32(00000011), ref: 6BD6CD28
• GetKeyState.USER32(00000012), ref: 6BD6CD35
• SendMessageW.USER32(?,00000111,0000E146,00000000), ref: 6BD6CD4F
Memory Dump Source
• Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
• Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
Similarity
• API ID: State$LongMessageSendWindow
• String ID:
• API String ID: 1063413437-0
• Opcode ID: d3f57f7d0bb638f8ba74d5e5d23a4bfa4e49f721e7de17022a9275089bda05ed
• Instruction ID: 016eb9e6d145ba694433b4777bbb56fa661b5221a3d13a89f937eaab6a251969
• Opcode Fuzzy Hash: d3f57f7d0bb638f8ba74d5e5d23a4bfa4e49f721e7de17022a9275089bda05ed
• Instruction Fuzzy Hash: F7F0243239022557EE102B314C06BAA6E246B41BE9F850931A64BED0E0EF98C90169B0
APIs
• CryptStringToBinaryA.CRYPT32 ref: 6BD3FE00
• CryptStringToBinaryA.CRYPT32 ref: 6BD3FEA7
  • Part of subcall function 6BEA1DA1: RaiseException.KERNEL32(E06D7363,00000001,00000003,6BD7CEF4,?,?,?,?,6BD7CEF4,?,6BF1FD2C), ref: 6BEA1E02
Strings
• Failed to calculate base64 decoded size., xrefs: 6BD3FE15
Memory Dump Source
• Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
• Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
Similarity
• API ID: BinaryCryptString$ExceptionRaise
• String ID: Failed to calculate base64 decoded size.
• API String ID: 754323452-3365390155
• Opcode ID: 04b3942515a64213ab1e36319a237006c883233f18401a568a9caf4ab7af363f
• Instruction ID: aa67adbb8fff05efab8a44c7f3316ff1f9a8d41fe9a844b28fac080955ec7e2d
• Opcode Fuzzy Hash: 04b3942515a64213ab1e36319a237006c883233f18401a568a9caf4ab7af363f
• Instruction Fuzzy Hash: 7E4149B4D043188FCB00EFA8D55579EBBF4BF49314F00852DE849AB391D7399A48CBA2
APIs
• OutputDebugStringA.KERNEL32(IsolationAware function called after IsolationAwareCleanup,0000007C,?,6BD6A257,?,6BF22380,00000010,6BD6F2FD,?), ref: 6BD60ADC
• GetLastError.KERNEL32(6BD6F2FD,0000007C,?,6BD6A257,?,6BF22380,00000010,6BD6F2FD,?), ref: 6BD60B13
  • Part of subcall function 6BD60CEA: GetModuleFileNameW.KERNEL32(?,?,00000105,?,6BD6A257,?,6BF22380,00000010,6BD6F2FD,?), ref: 6BD60D9A
  • Part of subcall function 6BD60CEA: SetLastError.KERNEL32(0000006F,?,6BD6A257,?,6BF22380,00000010,6BD6F2FD,?), ref: 6BD60DAE
Strings
• IsolationAware function called after IsolationAwareCleanup, xrefs: 6BD60AD7
Memory Dump Source
• Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
• Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
Similarity
• API ID: ErrorLast$DebugFileModuleNameOutputString
• String ID: IsolationAware function called after IsolationAwareCleanup
• API String ID: 3265401609-2690750368
• Opcode ID: fe75afd570ea84cd26238d31ed7ad5c846f673833c2d792fa90b47d358c712da
• Instruction ID: 734f6a6fa90601d32f9d8ffe5bbf53ba31e856cd09d33bf53ff19c601c23fb77
• Opcode Fuzzy Hash: fe75afd570ea84cd26238d31ed7ad5c846f673833c2d792fa90b47d358c712da
• Instruction Fuzzy Hash: 0EF0C231656220D75F2C1BACC9C272A339BAA067F8F60486AFA11CD120F778D440E7E0
APIs
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 6BEC5915
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 6BEC595F
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 6BEC5A25
Memory Dump Source
• Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
• Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
Similarity
• API ID: InfoLocale
• String ID:
• API String ID: 2299586839-0
• Opcode ID: 04974fad579245d6e6d5a29ed4781310474760019eb24acfd2c27ff1345da23d
• Instruction ID: c7217718add472075276229858e25144cfc9de7c214b075c6c0898a736c9018b
• Opcode Fuzzy Hash: 04974fad579245d6e6d5a29ed4781310474760019eb24acfd2c27ff1345da23d
• Instruction Fuzzy Hash: 446193719501179FDB148F29CE83BAB77E8EF04718F2042BADA29C6680E77CD951CB51
APIs
• IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 6BEB1AD0
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 6BEB1ADA
• UnhandledExceptionFilter.KERNEL32(-00000327,?,?,?,?,?,?), ref: 6BEB1AE7
Memory Dump Source
• Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
• Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
Similarity
• API ID: ExceptionFilterUnhandled$DebuggerPresent
• String ID:
• API String ID: 3906539128-0
• Opcode ID: 1e0948c7a2ee58d7b141d06373c8183d518c8baf21ca40c1fbd9404162d6513f
• Instruction ID: 7c581f3d5e7972b61d4225b7c3c94a533421ff6759792494286eb2f487f30c89
• Opcode Fuzzy Hash: 1e0948c7a2ee58d7b141d06373c8183d518c8baf21ca40c1fbd9404162d6513f
• Instruction Fuzzy Hash: 2731E57491122DABCB21DF64D9897CCBBB8BF08314F6041EAE41CAB250EB749B85CF45
APIs
Memory Dump Source
• Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
• Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
Similarity
• API ID: IconicVisibleWindow
• String ID:
• API String ID: 1797901696-0
• Opcode ID: 46a74a8923be09407690fa43929e90355eaf8d3ec1721d99838412e128eb4bff
• Instruction ID: 4f3711980a9e62c0717a39a1d03fee1c218df4962ec9ba41ff6a1c19b124a85d
• Opcode Fuzzy Hash: 46a74a8923be09407690fa43929e90355eaf8d3ec1721d99838412e128eb4bff
• Instruction Fuzzy Hash: E9F02E3371042067C925777C8C01DEEB25DAF876347050237EE68DB0E0DBA49C5516D0
APIs
Memory Dump Source
• Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
• Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
Similarity
• API ID: IconicVisibleWindow
• String ID:
• API String ID: 1797901696-0
• Opcode ID: fff33e590e74873ae078a62fd84f500656fb43cbb362493acbd1e163e6d36aea
• Instruction ID: bdfc0a18bb0c11dd2e5729d9f75b09bc19dd51561acded979bff3622e662e95d
• Opcode Fuzzy Hash: fff33e590e74873ae078a62fd84f500656fb43cbb362493acbd1e163e6d36aea
• Instruction Fuzzy Hash: CFE08C32320111DBCE055B28D848BACB776BF8926174500B6E809C7234FB24DC91AF80
Strings
Memory Dump Source
• Source File: 00000003.00000002.3542251241.0000000003AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_3ae0000_Update.jbxd
Similarity
• API ID:
• String ID:
• API String ID: 0-3916222277
• Opcode ID: cca1051eebb1169d587f4373fdd59888663e8c0004b99c560278c0417d3c94b7
• Instruction ID: 1e9f7824df783b99cdd129d5d52c86c71a953a0d529f0eb2d4795847b96ecf8a
• Opcode Fuzzy Hash: cca1051eebb1169d587f4373fdd59888663e8c0004b99c560278c0417d3c94b7
• Instruction Fuzzy Hash: E012B676E105198FDF04CFA8D8902EDB7B2FBC8324F25866EE922B7295C7716905CB50
APIs
• IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6BD7CF0B
Memory Dump Source
• Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
• Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
Similarity
• API ID: FeaturePresentProcessor
• String ID:
• API String ID: 2325560087-0
• Opcode ID: 5537723725bf00c2513386739b59d1397549a185ffe84857444b09daa71dba5a
• Instruction ID: 0f2cb7d98005ed9fda14db26551a44689f887e5563a1e420f2abf5c0147709f6
• Opcode Fuzzy Hash: 5537723725bf00c2513386739b59d1397549a185ffe84857444b09daa71dba5a
• Instruction Fuzzy Hash: 6BA168B1965605DFDB24EF64C881799BBF2FB4A320F24816BD811EB2A0C778E545CF90
APIs
  • Part of subcall function 6BEB41BA: HeapAlloc.KERNEL32(00000008,2]k,?,?,6BEB9230,00000001,00000364,?,00000006,000000FF,?,?,6BEB5D32,?,6BD35477), ref: 6BEBC2E9
• FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6BEBEE7C
• FindNextFileW.KERNEL32(00000000,?), ref: 6BEBEF70
• FindClose.KERNEL32(00000000), ref: 6BEBEFAF
• FindClose.KERNEL32(00000000), ref: 6BEBEFE2
Memory Dump Source
• Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
• Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Find$CloseFile$AllocFirstHeapNext
                                                                          • String ID:
                                                                          • API String ID: 2701053895-0
                                                                          • Opcode ID: fab231f9a7f99e5873d8d77bfba9c264990991adf861d4da1fb16dce358e7853
                                                                          • Instruction ID: 6b7bdf4b5d6ef9973aaa133760adf61a5fcfbb4473b4b3646232d25ff08bbad3
                                                                          • Opcode Fuzzy Hash: fab231f9a7f99e5873d8d77bfba9c264990991adf861d4da1fb16dce358e7853
                                                                          • Instruction Fuzzy Hash: 1B515571914519AFDB108F388E85ABE77B9EF85218F3045EDE418A7300EB388D569B60
                                                                          APIs
                                                                          • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 000218BA
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3541338150.0000000000021000.00000020.00000001.01000000.00000005.sdmp, Offset: 00020000, based on PE: true
                                                                          • Associated: 00000003.00000002.3541291978.0000000000020000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3541375098.0000000000022000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3541410059.0000000000023000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3541444515.0000000000024000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3541444515.0000000000066000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_20000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: FeaturePresentProcessor
                                                                          • String ID:
                                                                          • API String ID: 2325560087-0
                                                                          • Opcode ID: bc28de7a02d4bba52f48f48a3ff5b17b8d68e7dd6e605b71a125e67660062582
                                                                          • Instruction ID: 61647478b198fabd08c84b84fedb58d40a0dd35602e0e62eaf384cba9a4433e1
                                                                          • Opcode Fuzzy Hash: bc28de7a02d4bba52f48f48a3ff5b17b8d68e7dd6e605b71a125e67660062582
                                                                          • Instruction Fuzzy Hash: 3E519CB1A012158BEB24CF54E8E1BAEBBF4FB58310F24892AC445EB250D3799A41CB60
                                                                          APIs
                                                                          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 6BEC5BC7
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: InfoLocale
                                                                          • String ID:
                                                                          • API String ID: 2299586839-0
                                                                          • Opcode ID: dcdb3fbc72575f53f91a667510b6d5cbdbe4b8220a207d4f0823f84493b3ed16
                                                                          • Instruction ID: 736bbfeba1e3f58610cfa1f42fa233cde0b600fe6b08572686895617e52ee1a2
                                                                          • Opcode Fuzzy Hash: dcdb3fbc72575f53f91a667510b6d5cbdbe4b8220a207d4f0823f84493b3ed16
                                                                          • Instruction Fuzzy Hash: D521F272A14206ABDB189B24DE42EBB77E8EF44718F2000BEEE11C6241EB7CD911CB51
                                                                          APIs
                                                                          • EnumSystemLocalesW.KERNEL32(6BEC58C1,00000001,00000000,?,-00000050,?,6BEC56B1,00000000,-00000002,00000000,?,00000055,?), ref: 6BEC5898
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: EnumLocalesSystem
                                                                          • String ID:
                                                                          • API String ID: 2099609381-0
                                                                          • Opcode ID: 5cc32a5db154928d06cc04de9e82b25d638db0f2e500dc6bc958a67f3fd73572
                                                                          • Instruction ID: 9fb22723fe04576c5518fc702a38a93f3cedbaaf31b0c2cbb24d8e62b17fcfcb
                                                                          • Opcode Fuzzy Hash: 5cc32a5db154928d06cc04de9e82b25d638db0f2e500dc6bc958a67f3fd73572
                                                                          • Instruction Fuzzy Hash: 7F11293B6047055FDB089F38C99266BB7E1FF80358B25443CDA5647700D375B542CB40
                                                                          APIs
                                                                          • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,6BEC5ADD,00000000,00000000,?), ref: 6BEC5E6C
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: InfoLocale
                                                                          • String ID:
                                                                          • API String ID: 2299586839-0
                                                                          • Opcode ID: 0b46db4eab8d13f442f53eadca6df721e0d84b1b7e23a882a275511f5d0876d0
                                                                          • Instruction ID: 0b8f1ec5cdc7b0f64e9ab2742d6988991b42b7ff5047be8aa785b523bae965b0
                                                                          • Opcode Fuzzy Hash: 0b46db4eab8d13f442f53eadca6df721e0d84b1b7e23a882a275511f5d0876d0
                                                                          • Instruction Fuzzy Hash: 5A01DB36610212AFDB184734CD07BBB3794EF40758F214469ED26A3280EB78ED51C691
                                                                          APIs
                                                                          • EnumSystemLocalesW.KERNEL32(6BEC5B73,00000001,?,?,-00000050,?,6BEC5679,-00000050,-00000002,00000000,?,00000055,?,-00000050,?,?), ref: 6BEC5B5E
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: EnumLocalesSystem
                                                                          • String ID:
                                                                          • API String ID: 2099609381-0
                                                                          • Opcode ID: 046e0892ba5d06baa9d15e8ef267d08e1e7d6a11d9dd19c17a8e95294cfc161d
                                                                          • Instruction ID: 9fd6cb4e408bd2602e6877176b7e420ec2ea722c1fd8642b05c90a1e4dcddb15
                                                                          • Opcode Fuzzy Hash: 046e0892ba5d06baa9d15e8ef267d08e1e7d6a11d9dd19c17a8e95294cfc161d
                                                                          • Instruction Fuzzy Hash: BEF046362043041FD7184F359D82A6B7FD0EF8036CF25446DFA114B680D7B59842D760
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Iconic
                                                                          • String ID:
                                                                          • API String ID: 110040809-0
                                                                          • Opcode ID: 6e15ac000792bfbe7ac2f214ca8cdf3d171f3b9991d1621f8f52758307dd62f7
                                                                          • Instruction ID: 4f1919d25b06f623d762e17cb72343a6c0eecefed4f7fd451dd2de9c747c3fe2
                                                                          • Opcode Fuzzy Hash: 6e15ac000792bfbe7ac2f214ca8cdf3d171f3b9991d1621f8f52758307dd62f7
                                                                          • Instruction Fuzzy Hash: C4D0C931224661CFC7519B65F844BC273E6BF49765F0104AAD08689460E6A9F8C0DA40
                                                                          APIs
                                                                          • SetUnhandledExceptionFilter.KERNEL32(Function_00001770,000210D3), ref: 00021769
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3541338150.0000000000021000.00000020.00000001.01000000.00000005.sdmp, Offset: 00020000, based on PE: true
                                                                          • Associated: 00000003.00000002.3541291978.0000000000020000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3541375098.0000000000022000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3541410059.0000000000023000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3541444515.0000000000024000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3541444515.0000000000066000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_20000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: ExceptionFilterUnhandled
                                                                          • String ID:
                                                                          • API String ID: 3192549508-0
                                                                          • Opcode ID: 820f74a876ac7edbd6fd730b0338a772056c0ae38bb2f8772e5092a16f1475d2
                                                                          • Instruction ID: 72f4e71403ef172630e9f4d921635a31af2f3fb1bf2705bb2136757d700a6015
                                                                          • Opcode Fuzzy Hash: 820f74a876ac7edbd6fd730b0338a772056c0ae38bb2f8772e5092a16f1475d2
                                                                          • Instruction Fuzzy Hash:
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: "
                                                                          • API String ID: 0-123907689
                                                                          • Opcode ID: 57b569de983a09754c94dcf55c5223a1ecc920047799b49ae8e10de60dc1e462
                                                                          • Instruction ID: 3b31f2151ec05adefd88c474f1438d5ed46445bff272d5097fa636cb77d4d4a5
                                                                          • Opcode Fuzzy Hash: 57b569de983a09754c94dcf55c5223a1ecc920047799b49ae8e10de60dc1e462
                                                                          • Instruction Fuzzy Hash: 435128B5D002589FCF00DFE8C5846DEBBF0AF1A324F20515AE464AB390C339AA55DB61
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 8dec3909d15c1344e35ca7003123d7ca5035a53eff64a7bf97246b3d7a2f235a
                                                                          • Instruction ID: d2511c2694d1b01af9fc9da12e69b44c67844e4b2669f9b7020ffa15a073c36c
                                                                          • Opcode Fuzzy Hash: 8dec3909d15c1344e35ca7003123d7ca5035a53eff64a7bf97246b3d7a2f235a
                                                                          • Instruction Fuzzy Hash: 1852DE75605B408FC764CF38C581BD6BBE1AB4A320F048A5EE5EA8B3A1D734B960DF51
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3542251241.0000000003AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AE0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_3ae0000_Update.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: c01553f6f512b2846d959305e748f2a9f08dd86951aa6911af8f98a71cd808d6
                                                                          • Instruction ID: b32642585e8d074215e2240b1aac7ca21c9f583ab2e924a1605af0b597f9a665
                                                                          • Opcode Fuzzy Hash: c01553f6f512b2846d959305e748f2a9f08dd86951aa6911af8f98a71cd808d6
                                                                          • Instruction Fuzzy Hash: 562216B4A00B058FDB24DF69C584B9ABBF5FF48300F148A6ED89A9B751D330E981CB50
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: af6b434ac22defbc48b9efaae13f14f6a07cb9873aa3c70e16c2a87b9ff633a8
                                                                          • Instruction ID: a93c4a1cd055114ffa7d75e23823d7ffb4c607e30fdb5b3c25ed35311acf5471
                                                                          • Opcode Fuzzy Hash: af6b434ac22defbc48b9efaae13f14f6a07cb9873aa3c70e16c2a87b9ff633a8
                                                                          • Instruction Fuzzy Hash: 82F1D77560D380CFD761CF28C441B8EBBE1AB8A324F148A1EE5E99B391D7349955CB23
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: a3da101049cddbaf93681a664e7ad6505b27b99af821381890a7b18226996e96
                                                                          • Instruction ID: 25717ceb84e058339092573e65c8871c16b7d951ec27c41f4740c91fb8919989
                                                                          • Opcode Fuzzy Hash: a3da101049cddbaf93681a664e7ad6505b27b99af821381890a7b18226996e96
                                                                          • Instruction Fuzzy Hash: 23518272D40219EFDF04CF99C850AEEBBB6FF88304F198499E915AB301D7399A51CB90
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3542251241.0000000003AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AE0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_3ae0000_Update.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 9bb5c1b61b7b98cbc056ea8f67b9a8ca7ef086e949689a6f228cbbfb2ff37ba7
                                                                          • Instruction ID: 8470bd2ee0395bc7bf5ff4437524883c357267ec8846ebf038a0e6aa299446f4
                                                                          • Opcode Fuzzy Hash: 9bb5c1b61b7b98cbc056ea8f67b9a8ca7ef086e949689a6f228cbbfb2ff37ba7
                                                                          • Instruction Fuzzy Hash: 92317A76A083468FC310DF59C480826F7F5FF89218F1A096EE89597312D3B4F9558B91
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                                          • Instruction ID: 38f1342c26d928aa5e6d43a864eb9ebf43cbd9b560f29a459125cdc65974adee
                                                                          • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                                          • Instruction Fuzzy Hash: 77112B7724608243D600852FC8B46A6B39EEBF972C73943FAE0616F754D12BF275A904
                                                                          APIs
                                                                          • __EH_prolog3_GS.LIBCMT ref: 6BDE1E3D
                                                                          • GetModuleFileNameW.KERNEL32(00000000,?,00000104,6BF17A80,00000000,6BF17E58,00000000,6BF15250,00000000,?,?,00000A88,6BDE42E9,?,00000000,00000038), ref: 6BDE1EDC
                                                                          • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,6BF15250,00000000,?,?,00000A88,6BDE42E9,?,00000000,00000038), ref: 6BDE1F8F
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: File$CreateH_prolog3_ModuleName
                                                                          • String ID:
                                                                          • API String ID: 3408945735-3916222277
                                                                          • Opcode ID: eb617a120094cb56312f43570fe6f8d8d3e3b0f52ea42dc58bf14c53f41fa138
                                                                          • Instruction ID: 90cf75e25a093e961ff77c9c176d18431e42d1c82f5da368e43859454c026fe0
                                                                          • Opcode Fuzzy Hash: eb617a120094cb56312f43570fe6f8d8d3e3b0f52ea42dc58bf14c53f41fa138
                                                                          • Instruction Fuzzy Hash: 23C18D72A00219EBDF209F60CC45FAA77B8EF4A324F0005A4F909AA150DB789F85DF71
                                                                          APIs
                                                                          • RegisterClipboardFormatW.USER32(Native), ref: 6BEA11B6
                                                                          • RegisterClipboardFormatW.USER32(OwnerLink), ref: 6BEA11C3
                                                                          • RegisterClipboardFormatW.USER32(ObjectLink), ref: 6BEA11D1
                                                                          • RegisterClipboardFormatW.USER32(Embedded Object), ref: 6BEA11DF
                                                                          • RegisterClipboardFormatW.USER32(Embed Source), ref: 6BEA11ED
                                                                          • RegisterClipboardFormatW.USER32(Link Source), ref: 6BEA11FB
                                                                          • RegisterClipboardFormatW.USER32(Object Descriptor), ref: 6BEA1209
                                                                          • RegisterClipboardFormatW.USER32(Link Source Descriptor), ref: 6BEA1217
                                                                          • RegisterClipboardFormatW.USER32(FileName), ref: 6BEA1225
                                                                          • RegisterClipboardFormatW.USER32(FileNameW), ref: 6BEA1233
                                                                          • RegisterClipboardFormatW.USER32(Rich Text Format), ref: 6BEA1241
                                                                          • RegisterClipboardFormatW.USER32(RichEdit Text and Objects), ref: 6BEA124F
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: ClipboardFormatRegister
                                                                          • String ID: Embed Source$Embedded Object$FileName$FileNameW$Link Source$Link Source Descriptor$Native$Object Descriptor$ObjectLink$OwnerLink$Rich Text Format$RichEdit Text and Objects
                                                                          • API String ID: 1228543026-2889995556
                                                                          • Opcode ID: f52fa63e9ef90b6634c4252eacb5a115472576504f06605835e5051dfd1c6260
                                                                          • Instruction ID: 9b9c309f0ec22282c7e98007e8e18c93de467ed6c1de3ef16e917239d4136e5c
                                                                          • Opcode Fuzzy Hash: f52fa63e9ef90b6634c4252eacb5a115472576504f06605835e5051dfd1c6260
                                                                          • Instruction Fuzzy Hash: F8118A728147909FCF289FBD940D54A7EA0BB166093818D29E146DB530DA3AD848CF50
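The records above are the raw output of the sandbox's function-similarity pass. For triage, the line that matters is the Memory Dump Source: it tells you whether a function was recovered from the PE-backed image mapped at 6BD30000 (dump name carries protection field 0x20, PAGE_EXECUTE_READ) or from the non-PE-backed region at 03AE0000 whose dump name carries 0x40 (PAGE_EXECUTE_READWRITE), which is where unpacked code typically lands. The Python below is an added example, not part of the Joe Sandbox report or of its tooling: it parses these records, groups the functions by dump, and tallies the imports each dump's functions resolve, so the OLE/clipboard and GDI helpers of the mapped image can be set aside from the functions of the RWX region. It assumes that the 5th dotted field of an .sdmp name is the Win32 page protection of the region (this fits both dumps on this page but is not documented here); the sample input is constructed from lines of this page, trimmed to what the parser needs.

```python
"""Added triage helper (example code, not part of the Joe Sandbox report).
Parses the APIs / Memory Dump Source / Similarity records and groups the
functions by the memory dump they were lifted from."""
import re
from collections import Counter
from dataclasses import dataclass, field

PAGE_EXECUTE_READ = 0x20       # winnt.h page-protection constants
PAGE_EXECUTE_READWRITE = 0x40

HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
API_RE = re.compile(r"^•\s+(\w+)\.(\w+)(?:\((.*)\),)? ref: ([0-9A-F]+)$")
SUBCALL_RE = re.compile(r"^•\s+Part of subcall function ([0-9A-F]+): (\w+)\.(\w+)")
SOURCE_RE = re.compile(r"^•\s+Source File: (\S+), Offset: ([0-9A-F]+), based on PE: (true|false)$")
FIELD_RE = re.compile(r"^•\s+([A-Za-z ]+?):\s*(.*)$")


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)      # (api, module, call site) for direct calls
    subcalls: list = field(default_factory=list)  # (callee, api) from "Part of subcall function"
    source_file: str = ""
    offset: int = 0
    based_on_pe: bool = False
    fields: dict = field(default_factory=dict)    # Snapshot File, API ID, fuzzy hashes, ...

    @property
    def protection(self) -> int:
        # Assumption about the dump naming: the 5th dotted field is the region's page
        # protection (0x40 for the private 03AE0000 dump, 0x20 for the 6BD30000 image).
        return int(self.source_file.split(".")[4], 16)

    @property
    def is_rwx_non_image(self) -> bool:
        return not self.based_on_pe and self.protection == PAGE_EXECUTE_READWRITE

    @property
    def string_ids(self) -> list:
        return [s for s in self.fields.get("String ID", "").split("$") if s]


def parse_records(text: str) -> list:
    records, cur, section = [], FunctionRecord(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in HEADERS:
            section = line
        elif section == "APIs" and (m := SUBCALL_RE.match(line)):
            cur.subcalls.append((m.group(1), m.group(2)))
        elif section == "APIs" and (m := API_RE.match(line)):
            cur.apis.append((m.group(1), m.group(2), m.group(4)))
        elif section == "Memory Dump Source" and (m := SOURCE_RE.match(line)):
            cur.source_file, cur.offset = m.group(1), int(m.group(2), 16)
            cur.based_on_pe = m.group(3) == "true"
        elif section in ("Joe Sandbox IDA Plugin", "Similarity") and (m := FIELD_RE.match(line)):
            cur.fields[m.group(1)] = m.group(2)
            if m.group(1) == "Instruction Fuzzy Hash":  # last line of every record
                records.append(cur)
                cur = FunctionRecord()
    return records


def triage(records: list) -> dict:
    """Per dump: function count, PE/RWX flags and a tally of the imports its functions call."""
    out = {}
    for r in records:
        s = out.setdefault(r.source_file, {"offset": r.offset, "based_on_pe": r.based_on_pe,
                           "rwx_non_image": r.is_rwx_non_image, "functions": 0, "api_calls": Counter()})
        s["functions"] += 1
        s["api_calls"].update(api for api, _module, _ref in r.apis)
    return out


# Constructed sample: four records copied from this page, trimmed to the lines the parser needs.
SAMPLE = """
Memory Dump Source
• Source File: 00000003.00000002.3542251241.0000000003AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_3ae0000_Update.jbxd
Similarity
• API ID:
• Instruction Fuzzy Hash: 92317A76A083468FC310DF59C480826F7F5FF89218F1A096EE89597312D3B4F9558B91
APIs
• __EH_prolog3_GS.LIBCMT ref: 6BDE1E3D
• GetModuleFileNameW.KERNEL32(00000000,?,00000104,6BF17A80,00000000,6BF17E58,00000000,6BF15250,00000000,?,?,00000A88,6BDE42E9,?,00000000,00000038), ref: 6BDE1EDC
• CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,6BF15250,00000000,?,?,00000A88,6BDE42E9,?,00000000,00000038), ref: 6BDE1F8F
Strings
Memory Dump Source
• Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
Similarity
• API ID: File$CreateH_prolog3_ModuleName
• API String ID: 3408945735-3916222277
• Instruction Fuzzy Hash: 23C18D72A00219EBDF209F60CC45FAA77B8EF4A324F0005A4F909AA150DB789F85DF71
APIs
• RegisterClipboardFormatW.USER32(Native), ref: 6BEA11B6
• RegisterClipboardFormatW.USER32(OwnerLink), ref: 6BEA11C3
Memory Dump Source
• Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
Similarity
• String ID: Embed Source$Embedded Object$FileName$FileNameW$Link Source$Link Source Descriptor$Native$Object Descriptor$ObjectLink$OwnerLink$Rich Text Format$RichEdit Text and Objects
• API String ID: 1228543026-2889995556
• Instruction Fuzzy Hash: F8118A728147909FCF289FBD940D54A7EA0BB166093818D29E146DB530DA3AD848CF50
APIs
  • Part of subcall function 6BD7B6AC: GetWindowLongW.USER32(?,000000EC), ref: 6BD7B6B9
• GetClientRect.USER32(00000000,?), ref: 6BD9DA6F
Memory Dump Source
• Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
Similarity
• Instruction Fuzzy Hash: E4D13872900209EFDF01DFA4C949BDEB7B9BF0A314F1145A5E909EB151DB75AA88CF20
"""
```

Run `triage(parse_records(SAMPLE))` over the full report text instead of the constructed sample to get the per-dump picture for the whole analysis; the `api_calls` tally of the RWX dump is the list worth reading first, and any record whose Instruction Fuzzy Hash recurs across dumps is a candidate for the same library code mapped twice.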
                                                                          APIs
                                                                            • Part of subcall function 6BD7B6AC: GetWindowLongW.USER32(?,000000EC), ref: 6BD7B6B9
                                                                          • GetClientRect.USER32(00000000,?), ref: 6BD9DA6F
                                                                          • CopyRect.USER32(?,?), ref: 6BD9DA9C
                                                                            • Part of subcall function 6BD63B50: ScreenToClient.USER32(?,6BD78FA1), ref: 6BD63B5F
                                                                            • Part of subcall function 6BD63B50: ScreenToClient.USER32(?,6BD78FA9), ref: 6BD63B6C
                                                                          • IntersectRect.USER32(?,?,?), ref: 6BD9DAEF
                                                                          • SetRectEmpty.USER32(?), ref: 6BD9DAFD
                                                                          • IntersectRect.USER32(?,?,?), ref: 6BD9DB26
                                                                          • SetRectEmpty.USER32(?), ref: 6BD9DB34
                                                                          • IsRectEmpty.USER32(?), ref: 6BD9DB3E
                                                                          • IsRectEmpty.USER32(?), ref: 6BD9DB4C
                                                                          • GetWindowRect.USER32(00000000,?), ref: 6BD9DB6E
                                                                          • GetWindowRect.USER32(00000000,?), ref: 6BD9DB91
                                                                          • UnionRect.USER32(?,?,?), ref: 6BD9DBAD
                                                                          • EqualRect.USER32(?,?), ref: 6BD9DBBB
                                                                          • GetWindowRect.USER32(00000000,?), ref: 6BD9DC4F
                                                                          • IsRectEmpty.USER32(?), ref: 6BD9DCB0
                                                                          • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 6BD9DCCC
                                                                          • RedrawWindow.USER32(00000000,?,00000000,00000185), ref: 6BD9DCE0
                                                                          • IsRectEmpty.USER32(?), ref: 6BD9DCF4
                                                                          • EqualRect.USER32(?,?), ref: 6BD9DD06
                                                                          • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 6BD9DD22
                                                                          • RedrawWindow.USER32(00000000,?,00000000,00000185), ref: 6BD9DD36
                                                                          • UpdateWindow.USER32(00000000), ref: 6BD9DD45
                                                                          • IsRectEmpty.USER32(?), ref: 6BD9DD8D
                                                                          • InvalidateRect.USER32(00000000,?,00000001), ref: 6BD9DDA0
                                                                          • IsRectEmpty.USER32(?), ref: 6BD9DDAA
                                                                          • EqualRect.USER32(?,?), ref: 6BD9DDBC
                                                                          • InvalidateRect.USER32(00000000,?,00000001), ref: 6BD9DDCF
                                                                          • UpdateWindow.USER32(00000000), ref: 6BD9DDD8
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Rect$Window$Empty$ClientEqual$IntersectInvalidatePointsRedrawScreenUpdate$CopyLongUnion
                                                                          • String ID:
                                                                          • API String ID: 4119827998-0
                                                                          • Opcode ID: ac33e4572a38c6b9dbb303c449f8ac697e954cb07949f019fd9e38bebffdd25c
                                                                          • Instruction ID: f387be3a489407583a933c87886eb771efe73bc0bff08f7ef07f919e692c2752
                                                                          • Opcode Fuzzy Hash: ac33e4572a38c6b9dbb303c449f8ac697e954cb07949f019fd9e38bebffdd25c
                                                                          • Instruction Fuzzy Hash: E4D13872900209EFDF01DFA4C949BDEB7B9BF0A314F1145A5E909EB151DB75AA88CF20
                                                                          APIs
                                                                          • __EH_prolog3_GS.LIBCMT ref: 6BD6297B
                                                                          • CreateCompatibleDC.GDI32(00000000), ref: 6BD629D0
                                                                          • CreateCompatibleDC.GDI32(00000000), ref: 6BD629E8
                                                                          • CreateCompatibleDC.GDI32(00000000), ref: 6BD62A00
                                                                          • GetObjectW.GDI32(00000004,00000018,?), ref: 6BD62A20
                                                                          • CreateBitmap.GDI32(?,?,?,?,00000000), ref: 6BD62A46
                                                                          • CreateBitmap.GDI32(00000008,00000008,00000001,00000001,6BEDDA40), ref: 6BD62A69
                                                                          • CreatePatternBrush.GDI32(?), ref: 6BD62A7B
                                                                          • DeleteObject.GDI32(?), ref: 6BD62AAA
                                                                          • CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 6BD62ABB
                                                                          • GetPixel.GDI32(?,00000000,00000000), ref: 6BD62B03
                                                                          • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 6BD62B29
                                                                          • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00EE0086), ref: 6BD62B51
                                                                          • FillRect.USER32(?,?,?), ref: 6BD62BB3
                                                                            • Part of subcall function 6BD63C00: __EH_prolog3.LIBCMT ref: 6BD63C07
                                                                          • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 6BD62BE1
                                                                          • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,008800C6), ref: 6BD62BFC
                                                                          • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 6BD62C13
                                                                          • DeleteDC.GDI32(00000000), ref: 6BD62C80
                                                                          • DeleteDC.GDI32(00000000), ref: 6BD62C9C
                                                                          • DeleteDC.GDI32(00000000), ref: 6BD62CBB
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Create$Delete$BitmapCompatible$Object$BrushFillH_prolog3H_prolog3_PatternPixelRect
                                                                          • String ID:
                                                                          • API String ID: 308707564-0
                                                                          • Opcode ID: c69f2f1d4f45b8a950c4db04cf75d28a09c79309ac0964bd1b92984d8aa50adc
                                                                          • Instruction ID: 7bfd403fa14b05a642834174eaffb1b29bc3960b2ef5e0a44ca4fd7630ba218a
                                                                          • Opcode Fuzzy Hash: c69f2f1d4f45b8a950c4db04cf75d28a09c79309ac0964bd1b92984d8aa50adc
                                                                          • Instruction Fuzzy Hash: 1EB1D5B1D00208AFDF119FE5CD86AEEBB79FF08398F504029E515AA160EB359E15DF60
                                                                          APIs
                                                                          • __EH_prolog3_GS.LIBCMT ref: 6BDE3E31
                                                                          • CreateCompatibleDC.GDI32(00000000), ref: 6BDE3E79
                                                                          • GetObjectW.GDI32(?,00000018,?), ref: 6BDE3E9A
                                                                          • SelectObject.GDI32(?,?), ref: 6BDE3ED5
                                                                          • CreateCompatibleDC.GDI32(?), ref: 6BDE3F02
                                                                          • CreateDIBSection.GDI32(?,?,00000000,?,00000000,00000000), ref: 6BDE3F6A
                                                                          • SelectObject.GDI32(?,00000000), ref: 6BDE3F81
                                                                          • SelectObject.GDI32(?,00000000), ref: 6BDE3F93
                                                                          • SelectObject.GDI32(?,00000000), ref: 6BDE3FAA
                                                                          • DeleteObject.GDI32(?), ref: 6BDE3FB6
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Object$Select$Create$Compatible$DeleteH_prolog3_Section
                                                                          • String ID: $(
                                                                          • API String ID: 1429849173-55695022
                                                                          • Opcode ID: 1ac3942a03919726322e91b1bbbadcc264ea5872028337a4ee977d2c50609683
                                                                          • Instruction ID: 6a1f59db4cd6ab7c76c9b164ab40741764ebcb35130b4c8b7d9a3dec5938d97f
                                                                          • Opcode Fuzzy Hash: 1ac3942a03919726322e91b1bbbadcc264ea5872028337a4ee977d2c50609683
                                                                          • Instruction Fuzzy Hash: F7B15C30D00229DFDF25CF65CC45BAEBBB5BF55310F0181EAE949AA251EB348A85DF60
APIs
  • Part of subcall function 6BD7B682: GetWindowLongW.USER32(458BF84D,000000F0), ref: 6BD7B68F
• GetParent.USER32(?), ref: 6BD6B874
• SendMessageW.USER32(00000000,0000036B,00000000,00000000), ref: 6BD6B896
• GetWindowRect.USER32(?,?), ref: 6BD6B8BA
• GetWindowLongW.USER32(00000000,000000F0), ref: 6BD6B8DA
• MonitorFromWindow.USER32(00000000,00000001), ref: 6BD6B913
• GetMonitorInfoW.USER32(00000000), ref: 6BD6B91A
• CopyRect.USER32(?,?), ref: 6BD6B928
• GetWindowRect.USER32(00000000,?), ref: 6BD6B935
• MonitorFromWindow.USER32(00000000,00000002), ref: 6BD6B942
• GetMonitorInfoW.USER32(00000000), ref: 6BD6B949
• CopyRect.USER32(?,?), ref: 6BD6B957
• GetParent.USER32(?), ref: 6BD6B961
• GetClientRect.USER32(00000000,?), ref: 6BD6B96E
• GetClientRect.USER32(00000000,?), ref: 6BD6B979
• MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 6BD6B987
Memory Dump Source
• Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
• Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
Similarity
• API ID: Window$Rect$Monitor$ClientCopyFromInfoLongParent$MessagePointsSend
• String ID: (
• API String ID: 3610148278-3887548279
• Opcode ID: 109c0c50f001cc828240e7e4bfef0cc28445007f82b1f74cb6296b7ea4e6a7ef
• Instruction ID: d77285d0e4e76f5f07346346554987eb4b35c13f74ad1456c352c985755d4bbb
• Opcode Fuzzy Hash: 109c0c50f001cc828240e7e4bfef0cc28445007f82b1f74cb6296b7ea4e6a7ef
• Instruction Fuzzy Hash: 56616A729002099FCF01CFA8C98ABEEB7B9EF49354F554225F501EB290EB34A9458B60
APIs
• __EH_prolog3_GS.LIBCMT ref: 6BD8053C
• CreateRectRgnIndirect.GDI32(?), ref: 6BD80574
• CopyRect.USER32(?,?), ref: 6BD80588
• InflateRect.USER32(?,?,?), ref: 6BD8059E
• IntersectRect.USER32(?,?,?), ref: 6BD805AA
• CreateRectRgnIndirect.GDI32(?), ref: 6BD805B4
• CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 6BD805C9
• CombineRgn.GDI32(?,?,?,00000003), ref: 6BD805E3
• CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 6BD8062A
• SetRectRgn.GDI32(?,?,00000004,?,?), ref: 6BD80647
• CopyRect.USER32(?,?), ref: 6BD80652
• InflateRect.USER32(?,?,?), ref: 6BD80668
• IntersectRect.USER32(?,?,?), ref: 6BD80674
• SetRectRgn.GDI32(?,?,?,?,?), ref: 6BD80689
• CombineRgn.GDI32(?,?,?,00000003), ref: 6BD8069A
• CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 6BD806AE
• CombineRgn.GDI32(?,?,?,00000003), ref: 6BD806C8
  • Part of subcall function 6BD80491: CreateBitmap.GDI32(00000008,00000008,00000001,00000001,?), ref: 6BD804D8
  • Part of subcall function 6BD80491: CreatePatternBrush.GDI32(00000000), ref: 6BD804E5
  • Part of subcall function 6BD80491: DeleteObject.GDI32(00000000), ref: 6BD804F1
• PatBlt.GDI32(00000004,?,?,?,?,005A0049), ref: 6BD80726
  • Part of subcall function 6BD63083: SelectObject.GDI32(?,00000000), ref: 6BD630A3
  • Part of subcall function 6BD63083: SelectObject.GDI32(?,00000000), ref: 6BD630B9
  • Part of subcall function 6BD634DA: SelectClipRgn.GDI32(?,00000000), ref: 6BD634FA
  • Part of subcall function 6BD634DA: SelectClipRgn.GDI32(?,00000000), ref: 6BD63510
• PatBlt.GDI32(00000004,?,?,?,?,005A0049), ref: 6BD80789
Memory Dump Source
• Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
• Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
Similarity
• API ID: Rect$Create$Select$CombineObject$ClipCopyIndirectInflateIntersect$BitmapBrushDeleteH_prolog3_Pattern
• String ID:
• API String ID: 770706554-0
• Opcode ID: c87b6cf7fbe4939a8207e9910f13e0d7c53c5d62b2f9422907deb94d8aa795e9
• Instruction ID: 52b5852de91fc13779e85e50343c79939d1b419dc1a9fe53484c5f78ba8c5b15
• Opcode Fuzzy Hash: c87b6cf7fbe4939a8207e9910f13e0d7c53c5d62b2f9422907deb94d8aa795e9
• Instruction Fuzzy Hash: 6991F3B2910219AFCF05DFA4CC95DEEBBB9FF48310F114429F916AB250DB38A914CB60
APIs
• InflateRect.USER32(?,00000004,00000004), ref: 6BDC6563
• InvalidateRect.USER32(?,?,00000001), ref: 6BDC6575
• UpdateWindow.USER32(?), ref: 6BDC657E
• GetMessageW.USER32(?,00000000,0000000F,0000000F), ref: 6BDC65BF
• DispatchMessageW.USER32(?), ref: 6BDC65D1
• PeekMessageW.USER32(?,00000000,0000000F,0000000F,00000000), ref: 6BDC65E1
• GetCapture.USER32 ref: 6BDC65EB
• SetCapture.USER32(?), ref: 6BDC65FC
• GetCapture.USER32 ref: 6BDC6608
• GetWindowRect.USER32(?,?), ref: 6BDC6630
• SetCursorPos.USER32(?,?), ref: 6BDC6657
• GetCapture.USER32 ref: 6BDC665D
• GetMessageW.USER32(?,00000000,00000000,00000000), ref: 6BDC6676
• DispatchMessageW.USER32(?), ref: 6BDC66A0
• ReleaseCapture.USER32 ref: 6BDC66E0
• IsWindow.USER32(?), ref: 6BDC66E9
• SendMessageW.USER32(8589084D,00000010,00000000,00000000), ref: 6BDC6702
• SetTimer.USER32(?,0000EC05,00000000), ref: 6BDCA1BC
Memory Dump Source
• Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
• Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
Similarity
• API ID: Message$Capture$RectWindow$Dispatch$CursorInflateInvalidatePeekReleaseSendTimerUpdate
• String ID:
• API String ID: 3094444671-0
• Opcode ID: 3aefd7ee69dfac7549a0172919d6513e9323f05743aca1e9ddea645401887106
• Instruction ID: dc1c73d2d5ee4a48ba6f1d93243d62653d84d7754d84e29b08209899d456257a
• Opcode Fuzzy Hash: 3aefd7ee69dfac7549a0172919d6513e9323f05743aca1e9ddea645401887106
• Instruction Fuzzy Hash: 09B1B135A10215EBDF149BB8C859BBE7BB9EF46720F200469E901EF690DF38D905CB61
Memory Dump Source
• Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
• Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
Similarity
• API ID:
• String ID: #32768$AfxOldWndProc423
• API String ID: 0-2141921550
• Opcode ID: 87a8de3b18943036bfcc936f05acaa1a1570bc0b7169c1c6dbfd13dbcc24e646
• Instruction ID: 6b840c166dade17c0dc028ee070f018edc10c18c046fe753acd3d4e853bc630f
• Opcode Fuzzy Hash: 87a8de3b18943036bfcc936f05acaa1a1570bc0b7169c1c6dbfd13dbcc24e646
• Instruction Fuzzy Hash: 3751F531960128DBCB219F64CC49FAA7B75AF057A4F0004A5F819AF191EB38DE45DFA0
APIs
• __EH_prolog3_GS.LIBCMT ref: 6BDE3927
• GetObjectW.GDI32(00000000,00000018,?), ref: 6BDE3965
• CreateCompatibleDC.GDI32(00000000), ref: 6BDE39A4
• SelectObject.GDI32(?,00000000), ref: 6BDE39C7
• GetObjectW.GDI32(?,00000054,?), ref: 6BDE3A14
• CreateDIBSection.GDI32(?,?), ref: 6BDE3A76
• CreateCompatibleDC.GDI32(?), ref: 6BDE3AB0
• SelectObject.GDI32(?,00000000), ref: 6BDE3AC9
Memory Dump Source
• Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
• Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
Similarity
• API ID: Object$Create$CompatibleSelect$H_prolog3_Section
• String ID: (
• API String ID: 1338481308-3887548279
• Opcode ID: 8b18623e8fc555977e5a193a8434dcfcf9cb892363c4d7cbb2055e414dde6368
• Instruction ID: dd06afbb0ff4b6dc9add7563b5698dce8edcaaf39b650b0dc7cb00c49f3d407e
• Opcode Fuzzy Hash: 8b18623e8fc555977e5a193a8434dcfcf9cb892363c4d7cbb2055e414dde6368
• Instruction Fuzzy Hash: 78A13B75900318DFDB61CF64CC81BAAB7B5FF09320F1045A9E85DAB261EB349A85CF20
APIs
• ResetEvent.KERNEL32(?), ref: 03AE2D72
• InterlockedExchange.KERNEL32(?,00000000), ref: 03AE2D7E
• timeGetTime.WINMM ref: 03AE2D84
• socket.WS2_32(00000002,00000001,00000006), ref: 03AE2DB1
• lstrlenW.KERNEL32(?,00000000,00000000,00000000,00000000), ref: 03AE2DDD
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000), ref: 03AE2DE9
• lstrlenW.KERNEL32(?,00000000,000000CA,00000000,00000000), ref: 03AE2E08
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000), ref: 03AE2E14
• gethostbyname.WS2_32(00000000), ref: 03AE2E22
• htons.WS2_32(?), ref: 03AE2E44
• connect.WS2_32(?,?,00000010), ref: 03AE2E62
Memory Dump Source
• Source File: 00000003.00000002.3542251241.0000000003AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_3ae0000_Update.jbxd
Similarity
• API ID: ByteCharMultiWidelstrlen$EventExchangeInterlockedResetTimeconnectgethostbynamehtonssockettime
• String ID: 0u
• API String ID: 640718063-3203441087
• Opcode ID: 39edbacc94200cba1e2c05282cef4647c34456396228b0fcf87ba83b1cc88278
• Instruction ID: c7ae054155996bf49e99194a54f602e9738551bd48f489e0715068be96442dba
• Opcode Fuzzy Hash: 39edbacc94200cba1e2c05282cef4647c34456396228b0fcf87ba83b1cc88278
• Instruction Fuzzy Hash: BC614071A40304AFE720DFA4DC85FAAB7B8FF49711F10461EF646AB2D0D7B1A9048B64
                                                                          APIs
                                                                          • __EH_prolog3_GS.LIBCMT ref: 6BE4EFDD
                                                                          • GetCursorPos.USER32(?), ref: 6BE4F096
                                                                          • IsRectEmpty.USER32(?), ref: 6BE4F0CA
                                                                          • IsRectEmpty.USER32(?), ref: 6BE4F0F1
                                                                          • IsRectEmpty.USER32(?), ref: 6BE4F113
                                                                          • GetWindowRect.USER32(?,?), ref: 6BE4F141
                                                                          • GetWindowRect.USER32(?,?), ref: 6BE4F171
                                                                          • PtInRect.USER32(?,?,?), ref: 6BE4F1BE
                                                                          • OffsetRect.USER32(?,?,00000000), ref: 6BE4F1D6
                                                                            • Part of subcall function 6BE505C2: __EH_prolog3.LIBCMT ref: 6BE505C9
                                                                            • Part of subcall function 6BE505C2: SetRectEmpty.USER32 ref: 6BE506C9
                                                                            • Part of subcall function 6BE505C2: SetRectEmpty.USER32(?), ref: 6BE506D0
                                                                          • SetRectEmpty.USER32(?), ref: 6BE4F1F9
                                                                          • OffsetRect.USER32(?,?,?), ref: 6BE4F38A
                                                                          • IsRectEmpty.USER32(?), ref: 6BE4F3AA
                                                                          • IsRectEmpty.USER32(?), ref: 6BE4F3DD
                                                                          • PtInRect.USER32(?,00000000,00000000), ref: 6BE4F3F1
                                                                          • OffsetRect.USER32(?,?,?), ref: 6BE4F41D
                                                                          • IsRectEmpty.USER32(?), ref: 6BE4F43C
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Rect$Empty$Offset$Window$CursorH_prolog3H_prolog3_
                                                                          • String ID:
                                                                          • API String ID: 359163869-0
                                                                          • Opcode ID: e89d2db06ae2c53f50ea2fc5e935c4773533f259bc48b7697d3661d5dca038fe
                                                                          • Instruction ID: d1644603b04800262979002f3aa138c3c8abbcaaa4d772cfe2a7ddf5626b356e
                                                                          • Opcode Fuzzy Hash: e89d2db06ae2c53f50ea2fc5e935c4773533f259bc48b7697d3661d5dca038fe
                                                                          • Instruction Fuzzy Hash: B3E1BF31A00204DFDF05CFA4D884AAE7BB6FF49714F2441AAE809EF255EB39D955CB90
                                                                          APIs
                                                                          • __EH_prolog3.LIBCMT ref: 6BDE5D37
                                                                          • CreateCompatibleDC.GDI32(00000000), ref: 6BDE5D65
                                                                          • GetObjectW.GDI32(?,00000018,?), ref: 6BDE5D7E
                                                                          • SelectObject.GDI32(?,?), ref: 6BDE5D9A
                                                                          • CreateCompatibleBitmap.GDI32(?,?,?), ref: 6BDE5DBB
                                                                          • SelectObject.GDI32(?,00000000), ref: 6BDE5DCC
                                                                          • CreateCompatibleDC.GDI32(?), ref: 6BDE5DE6
                                                                          • SelectObject.GDI32(?,?), ref: 6BDE5DFB
                                                                          • SelectObject.GDI32(?,00000000), ref: 6BDE5E0C
                                                                          • DeleteObject.GDI32(?), ref: 6BDE5E15
                                                                          • BitBlt.GDI32(?,00000000,00000000,000000FF,?,?,00000000,00000000,00CC0020), ref: 6BDE5E35
                                                                          • GetPixel.GDI32(?,?,00000000), ref: 6BDE5E5B
                                                                          • SetPixel.GDI32(?,?,00000000,00000000), ref: 6BDE5EA2
                                                                          • SelectObject.GDI32(?,?), ref: 6BDE5EC9
                                                                          • SelectObject.GDI32(?,00000000), ref: 6BDE5ED3
                                                                          • DeleteObject.GDI32(?), ref: 6BDE5EDB
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Object$Select$CompatibleCreate$DeletePixel$BitmapH_prolog3
                                                                          • String ID:
                                                                          • API String ID: 3639146769-0
                                                                          • Opcode ID: 4c53a4210816295733f0ea827c2c0d45abc902d7c2fe618261e483a51fb3d9bb
                                                                          • Instruction ID: 1483872ea9209fa27f2b479e8fee1cec2f1a9d5f5dfcea93fd784ed4d8105efc
                                                                          • Opcode Fuzzy Hash: 4c53a4210816295733f0ea827c2c0d45abc902d7c2fe618261e483a51fb3d9bb
                                                                          • Instruction Fuzzy Hash: C551897181021AEFCF118FA4CD49AAEBB75FF09BA4F000525F611AA160DB358A16DFA0
                                                                          APIs
                                                                          • GetKeyState.USER32(00000001), ref: 6BD84569
                                                                          • GetCursorPos.USER32(?), ref: 6BD8458E
                                                                          • ScreenToClient.USER32(?,?), ref: 6BD8459B
                                                                          • GetCapture.USER32 ref: 6BD8460D
                                                                          • ClientToScreen.USER32(?,?), ref: 6BD84650
                                                                          • WindowFromPoint.USER32(?,?), ref: 6BD8465C
                                                                          • IsChild.USER32(?,?), ref: 6BD84674
                                                                          • KillTimer.USER32(?,0000EC0A), ref: 6BD846B4
                                                                          • KillTimer.USER32(?,0000EC09), ref: 6BD846DD
                                                                            • Part of subcall function 6BD6E820: GetForegroundWindow.USER32 ref: 6BD6E82D
                                                                            • Part of subcall function 6BD6E820: GetLastActivePopup.USER32(?), ref: 6BD6E83E
                                                                          • GetParent.USER32(?), ref: 6BD84734
                                                                          • IsAppThemed.UXTHEME ref: 6BD8478E
                                                                          • OpenThemeData.UXTHEME(?,REBAR), ref: 6BD847A0
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: ClientKillScreenTimerWindow$ActiveCaptureChildCursorDataForegroundFromLastOpenParentPointPopupStateThemeThemed
                                                                          • String ID: REBAR
                                                                          • API String ID: 214255902-925029515
                                                                          • Opcode ID: f49268654903457c2bb4b1632149d0faac076f37e34f5add6fcc8e722ea5c0de
                                                                          • Instruction ID: 9624f0a43f571f08cf0444cc8efd63d136cc4ba44a54c51cc0413ca9bb4af02d
                                                                          • Opcode Fuzzy Hash: f49268654903457c2bb4b1632149d0faac076f37e34f5add6fcc8e722ea5c0de
                                                                          • Instruction Fuzzy Hash: D061C270B00215EFDB05DF74C895AAE7BBABF45326B100569E811EB2A0EB38D901DF90
                                                                          APIs
                                                                            • Part of subcall function 6BD7FCA7: GetFocus.USER32 ref: 6BD7FCAB
                                                                            • Part of subcall function 6BD7FCA7: GetParent.USER32(00000000), ref: 6BD7FCCC
                                                                            • Part of subcall function 6BD7FCA7: GetWindowLongW.USER32(00000000,000000F0), ref: 6BD7FCEB
                                                                            • Part of subcall function 6BD7FCA7: GetParent.USER32(00000000), ref: 6BD7FCF9
                                                                            • Part of subcall function 6BD7FCA7: GetDesktopWindow.USER32 ref: 6BD7FD01
                                                                            • Part of subcall function 6BD7FCA7: SendMessageW.USER32(00000000,0000014F,00000000,00000000), ref: 6BD7FD15
                                                                          • GetMenu.USER32(?), ref: 6BD74709
                                                                          • GetMenuItemCount.USER32(?), ref: 6BD74747
                                                                          • GetSubMenu.USER32(?,00000000), ref: 6BD7475D
                                                                          • GetMenuItemCount.USER32(?), ref: 6BD74782
                                                                          • GetMenuItemID.USER32(?,00000000), ref: 6BD7479C
                                                                          • GetSubMenu.USER32(?,?), ref: 6BD747B8
                                                                          • GetMenuItemID.USER32(?,00000000), ref: 6BD747D0
                                                                          • GetMenuItemCount.USER32(?), ref: 6BD747F1
                                                                          • GetMenuItemID.USER32(?,?), ref: 6BD74827
                                                                          • SendMessageW.USER32(?,00000362,-0000E001,00000000), ref: 6BD748E3
                                                                          • UpdateWindow.USER32(?), ref: 6BD74904
                                                                          • GetKeyState.USER32(00000079), ref: 6BD74922
                                                                          • GetKeyState.USER32(00000012), ref: 6BD74933
                                                                          • GetParent.USER32(?), ref: 6BD749F5
                                                                          • PostMessageW.USER32(?,0000036A,00000000,00000000), ref: 6BD74A0F
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Menu$Item$CountMessageParentWindow$SendState$DesktopFocusLongPostUpdate
                                                                          • String ID:
                                                                          • API String ID: 1315724587-0
                                                                          • Opcode ID: 8dd99c4673a16684009567931fcfc39f8c26e02244d6e0f0c7201ece809c1eac
                                                                          • Instruction ID: 37d937862f885369c38b99c8c1dd7eeff819d2b2587dbda6ca8041ecc62a3d36
                                                                          • Opcode Fuzzy Hash: 8dd99c4673a16684009567931fcfc39f8c26e02244d6e0f0c7201ece809c1eac
                                                                          • Instruction Fuzzy Hash: 8CC19170A00619DFDB16AF64C985BEDBBB5BF45324F0085B9E825AF250DB38D940DF90
                                                                          APIs
                                                                          • GetClientRect.USER32(?,?), ref: 6BD9ED6F
                                                                          • InflateRect.USER32(?,00000000,00000000), ref: 6BD9EDA9
                                                                          • SetRectEmpty.USER32(?), ref: 6BD9EE4D
                                                                          • SetRectEmpty.USER32(?), ref: 6BD9EE5A
                                                                          • GetSystemMetrics.USER32(00000002), ref: 6BD9EE7F
                                                                          • KillTimer.USER32(?,0000EC16,?,00000000,00000000), ref: 6BD9EF2F
                                                                          • EqualRect.USER32(?,?), ref: 6BD9EF4C
                                                                          • EqualRect.USER32(?,?), ref: 6BD9EF61
                                                                          • EqualRect.USER32(?,?), ref: 6BD9EFD0
                                                                          • InvalidateRect.USER32(?,?,00000001,?,00000000,00000000), ref: 6BD9EFE5
                                                                          • InvalidateRect.USER32(?,?,00000001,?,00000000,00000000), ref: 6BD9EFF6
                                                                          • EqualRect.USER32(?,?), ref: 6BD9F009
                                                                          • InvalidateRect.USER32(?,?,00000001,?,00000000,00000000), ref: 6BD9F01B
                                                                          • InvalidateRect.USER32(?,?,00000001,?,00000000,00000000), ref: 6BD9F02C
                                                                          • UpdateWindow.USER32(?), ref: 6BD9F03D
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Rect$EqualInvalidate$Empty$ClientInflateKillMetricsSystemTimerUpdateWindow
                                                                          • String ID:
                                                                          • API String ID: 2140115980-0
                                                                          • Opcode ID: ca0e53f00d65838ab937f99745696afdc626e2592842a1d7cee0b517307e898f
                                                                          • Instruction ID: c3702a51c64f35ff51ab1a780c9164030b070ae65c1f3ebc6b1ffd1c59adc298
                                                                          • Opcode Fuzzy Hash: ca0e53f00d65838ab937f99745696afdc626e2592842a1d7cee0b517307e898f
                                                                          • Instruction Fuzzy Hash: D8A1377191011ADFCF10DF68C988AEE77B9BF09310F0545B6ED09AF215DB34A949DB60
                                                                          APIs
                                                                          • __EH_prolog3.LIBCMT ref: 6BD626C6
                                                                          • GetSysColor.USER32(00000014), ref: 6BD626FD
                                                                            • Part of subcall function 6BD62E07: __EH_prolog3.LIBCMT ref: 6BD62E0E
                                                                            • Part of subcall function 6BD62E07: CreateSolidBrush.GDI32(6BD6F2CB), ref: 6BD62E29
                                                                          • GetSysColor.USER32(00000010), ref: 6BD62712
                                                                          • CreateCompatibleDC.GDI32(00000000), ref: 6BD62726
                                                                          • CreateCompatibleDC.GDI32(00000000), ref: 6BD6273E
                                                                          • GetObjectW.GDI32(10C2C95B,00000018,?), ref: 6BD62761
                                                                          • CreateBitmap.GDI32(?,?,?,?,00000000), ref: 6BD62782
                                                                          • CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 6BD627A3
                                                                            • Part of subcall function 6BD63826: SelectObject.GDI32(6BD6F2CB,?), ref: 6BD6382F
                                                                          • GetPixel.GDI32(?,00000000,00000000), ref: 6BD627EB
                                                                            • Part of subcall function 6BD63136: SetBkColor.GDI32(?,6BD6F2CB), ref: 6BD6314B
                                                                            • Part of subcall function 6BD63136: SetBkColor.GDI32(?,6BD6F2CB), ref: 6BD6315D
                                                                          • BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 6BD62814
                                                                          • BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,001100A6), ref: 6BD6283E
                                                                          • BitBlt.GDI32(?,00000001,00000001,?,?,?,00000000,00000000,00E20746), ref: 6BD628A9
                                                                          • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00E20746), ref: 6BD628D2
                                                                          • DeleteDC.GDI32(00000000), ref: 6BD62947
                                                                          • DeleteDC.GDI32(00000000), ref: 6BD62966
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Create$Color$BitmapCompatibleDeleteH_prolog3Object$BrushPixelSelectSolid
                                                                          • String ID:
                                                                          • API String ID: 2254850417-0
                                                                          • Opcode ID: 7a8332728e9da26a9f2c07e3f68c22271c9681f1a1758591a21d3fa8bbf2dd58
                                                                          • Instruction ID: 4cd589c3468cb620a2f34425562cda4e39f111bad3d58e0385c4cb2f924c9dec
                                                                          • Opcode Fuzzy Hash: 7a8332728e9da26a9f2c07e3f68c22271c9681f1a1758591a21d3fa8bbf2dd58
                                                                          • Instruction Fuzzy Hash: CD812471D00208EBDF119FE0DD82AEEBF79BF18364F104029F511BA1A0EB799A55DB60
                                                                          APIs
                                                                          • Sleep.KERNEL32(00000064), ref: 03AE4531
                                                                          • timeGetTime.WINMM ref: 03AE4552
                                                                          • GetCurrentThreadId.KERNEL32 ref: 03AE4572
                                                                          • InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 03AE4594
                                                                          • SwitchToThread.KERNEL32 ref: 03AE45AE
                                                                          • SetEvent.KERNEL32(?), ref: 03AE45F7
                                                                          • CloseHandle.KERNEL32(?), ref: 03AE461B
                                                                          • send.WS2_32(?,10017440,00000010,00000000), ref: 03AE463F
                                                                          • SetEvent.KERNEL32(?), ref: 03AE465D
• InterlockedExchange.KERNEL32(?,00000000), ref: 03AE4668
• WSACloseEvent.WS2_32(?), ref: 03AE4676
• shutdown.WS2_32(?,00000001), ref: 03AE468A
• closesocket.WS2_32(?), ref: 03AE4694
• SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000139F), ref: 03AE46CD
• SetLastError.KERNEL32(000005B4), ref: 03AE46E1
Memory Dump Source
• Source File: 00000003.00000002.3542251241.0000000003AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_3ae0000_Update.jbxd
Similarity
• API ID: Event$CloseErrorExchangeInterlockedLastThread$CompareCurrentHandleSleepSwitchTimeclosesocketsendshutdowntime
• String ID:
• API String ID: 1063552937-0
• Opcode ID: 5c9eb4c72f87222164f91e2bd37fc10ff7097731acfcc2078ffaff40636bb074
• Instruction ID: 1b206425069223b180ce78020392c4de47e0dc3c97dd657b7478889ff1b62241
• Opcode Fuzzy Hash: 5c9eb4c72f87222164f91e2bd37fc10ff7097731acfcc2078ffaff40636bb074
• Instruction Fuzzy Hash: 5F519071600721EBD725DF65C888BA9F779FF4C302F18851AE5158AA90CB79E990CBD0
APIs
• __EH_prolog3_GS.LIBCMT ref: 6BD9E8F5
• GetClientRect.USER32(?,?), ref: 6BD9E913
• CreateCompatibleDC.GDI32(00000000), ref: 6BD9E94C
• CreateCompatibleBitmap.GDI32(?,?,?), ref: 6BD9E9A1
• CreateDIBSection.GDI32(?,?), ref: 6BD9EA13
• CreateDIBSection.GDI32(?,00000028,00000000,?,00000000,00000000), ref: 6BD9EA4C
• CreateDIBSection.GDI32(?,00000028,00000000,?,00000000,00000000), ref: 6BD9EA7F
• BitBlt.GDI32(?,00000000,00000000,?,?,?,?,?,00CC0020), ref: 6BD9EAE7
• GetWindowRect.USER32(?,?), ref: 6BD9EB56
• BitBlt.GDI32(?,?,?,?,?,?,00000000,00000000,00CC0020), ref: 6BD9ECA6
Strings
Memory Dump Source
• Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
• Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
Similarity
• API ID: Create$Section$CompatibleRect$BitmapClientH_prolog3_Window
• String ID: (
• API String ID: 2918208214-3887548279
• Opcode ID: 20c95a20055c4ac103959e62bd5f84d632e99e4ef7d73414167076d2d55ae48e
• Instruction ID: b8855003b67d6fd7f4d1b84dab69b24cd98658ab44b38b52152557c209315916
• Opcode Fuzzy Hash: 20c95a20055c4ac103959e62bd5f84d632e99e4ef7d73414167076d2d55ae48e
• Instruction Fuzzy Hash: BED12971A10619EFDF15DFA8C984AEEBBB9FF08314F10416AE519AB210D734AD48DF90
APIs
Memory Dump Source
• Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
• Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
Similarity
• API ID: UpdateWindow$MessageParent$BeepClientFocusH_prolog3_ScreenSend
• String ID:
• API String ID: 841119998-0
• Opcode ID: b9133a50c8c9c7f624ac2cf016afd217062b38bf6a5ca6d8583bb58821e9d432
• Instruction ID: f8035cfb455336971298d7c6a635108e582fc8da4d5c296e575f4eec1f93130d
• Opcode Fuzzy Hash: b9133a50c8c9c7f624ac2cf016afd217062b38bf6a5ca6d8583bb58821e9d432
• Instruction Fuzzy Hash: FBC19E30A00615DFDF15AF74D899BAD7BB6BF49334F000269E825AF2A1DB3C9901DB90
APIs
• __EH_prolog3.LIBCMT ref: 6BDEC975
  • Part of subcall function 6BDDDE20: __EH_prolog3.LIBCMT ref: 6BDDDE27
• GetWindowRect.USER32(?,?), ref: 6BDECA5B
  • Part of subcall function 6BD7B793: GetDlgCtrlID.USER32(?), ref: 6BD7B79E
  • Part of subcall function 6BDEE67B: GetWindowRect.USER32(?,?), ref: 6BDEE689
Strings
Memory Dump Source
• Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
• Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
Similarity
• API ID: H_prolog3RectWindow$Ctrl
• String ID: %TsPane-%d$%TsPane-%d%x$IsFloating$MRUWidth$Panes$PinState$RecentFrameAlignment$RecentRowIndex$RectRecentDocked$RectRecentFloat
• API String ID: 2598721110-2628993547
• Opcode ID: b9f69449964e4f7a8cd26f7f35ca34952c131baf539e06a773a7b545b3d9c070
• Instruction ID: 98016391aea363b15990a098bcbe6ec925bd7715e95ecf6b125b4736a9469a00
• Opcode Fuzzy Hash: b9f69449964e4f7a8cd26f7f35ca34952c131baf539e06a773a7b545b3d9c070
• Instruction Fuzzy Hash: 85813E75600209DFCF04EFA4C894ABDBB76BF89314F090468E916AB3A1DB35A905DF60
APIs
• __EH_prolog3_GS.LIBCMT ref: 6BDC7BB4
• GetWindowRect.USER32(?,?), ref: 6BDC7C48
• SetRect.USER32(?,00000000,00000000,?,?), ref: 6BDC7C69
• CreateCompatibleDC.GDI32(?), ref: 6BDC7C75
• CreateCompatibleBitmap.GDI32(?,?,00000128), ref: 6BDC7C9F
• GetWindowRect.USER32(?,?), ref: 6BDC7CF4
• GetClientRect.USER32(?,?), ref: 6BDC7D01
• OffsetRect.USER32(?,?,?), ref: 6BDC7D22
• IsRectEmpty.USER32(?), ref: 6BDC7D52
• SetRectEmpty.USER32(?), ref: 6BDC7DE5
• InflateRect.USER32(?,000000FE,00000000), ref: 6BDC8065
• CreateRectRgnIndirect.GDI32(?), ref: 6BDC7D5D
  • Part of subcall function 6BD634DA: SelectClipRgn.GDI32(?,00000000), ref: 6BD634FA
  • Part of subcall function 6BD634DA: SelectClipRgn.GDI32(?,00000000), ref: 6BD63510
• BitBlt.GDI32(?,?,?,?,?,?,?,?,00CC0020), ref: 6BDC8147
Memory Dump Source
• Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
• Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
Similarity
• API ID: Rect$Create$ClipCompatibleEmptySelectWindow$BitmapClientH_prolog3_IndirectInflateOffset
• String ID:
• API String ID: 3231449308-0
• Opcode ID: 47085ef9ee7169e9632e4f80674d97a60ffcc54cc890e83f19f2f0fecc02eb21
• Instruction ID: bd2dccbbf1746d9f99de36fcbfc7a60e353a452a39c608ec2099afa82628f7dc
• Opcode Fuzzy Hash: 47085ef9ee7169e9632e4f80674d97a60ffcc54cc890e83f19f2f0fecc02eb21
• Instruction Fuzzy Hash: D6021671900629DFCF25DB64CD95BEDB7B9BF49310F00419AE41AAB250EB34AE85CF60
APIs
• GetMessageW.USER32(?,00000000,0000000F,0000000F), ref: 6BDA0132
• DispatchMessageW.USER32(?), ref: 6BDA0140
• PeekMessageW.USER32(?,00000000,0000000F,0000000F,00000000), ref: 6BDA014E
• GetCapture.USER32 ref: 6BDA0158
• SetCapture.USER32(?), ref: 6BDA016C
• GetWindowRect.USER32(?,?), ref: 6BDA0189
• GetCapture.USER32 ref: 6BDA01FC
• GetMessageW.USER32(?,00000000,00000000,00000000), ref: 6BDA0219
• DispatchMessageW.USER32(?), ref: 6BDA023F
• GetScrollPos.USER32(00000000,00000002), ref: 6BDA035C
• RedrawWindow.USER32(?,00000000,00000000,00000581), ref: 6BDA0379
• ReleaseCapture.USER32 ref: 6BDA041B
• IsWindow.USER32(?), ref: 6BDA0424
Memory Dump Source
• Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
• Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
Similarity
• API ID: Message$Capture$Window$Dispatch$PeekRectRedrawReleaseScroll
• String ID:
• API String ID: 1873598099-0
• Opcode ID: 12f178b166f8ba7506ecb5e4689bb6e26fb35176b7a849ae81430615f68c635d
• Instruction ID: df359ca5d7c07c698d52684f3f6d78b8d7072075b36e6a34feb1d9df47d12140
• Opcode Fuzzy Hash: 12f178b166f8ba7506ecb5e4689bb6e26fb35176b7a849ae81430615f68c635d
• Instruction Fuzzy Hash: B7A18C31A00214CBDF14DF68C898BEE7BB5BF49760F0405B9E806AF295DB789945CBA0
APIs
• __EH_prolog3.LIBCMT ref: 6BD8D842
  • Part of subcall function 6BDE17CC: __EH_prolog3.LIBCMT ref: 6BDE17D3
• SetRectEmpty.USER32(?), ref: 6BD8D9FB
• SetRectEmpty.USER32(?), ref: 6BD8DA8D
Strings
Memory Dump Source
• Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
• Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
Similarity
• API ID: EmptyH_prolog3Rect
• String ID: L~k$L~k$L~k$L~k$L~k$L~k$L~k$L~k
• API String ID: 1443337074-590643560
• Opcode ID: 5a73eefd72ca7ecf6dd9c4900f600b81ee59bf4d7184c96fe1b73718b9f1df6e
• Instruction ID: fb053c25fa8b4bb8cb6a8de3f2e125f0deb3e85f87e88dcad6e62bb7fc4b22c4
• Opcode Fuzzy Hash: 5a73eefd72ca7ecf6dd9c4900f600b81ee59bf4d7184c96fe1b73718b9f1df6e
• Instruction Fuzzy Hash: DEA1D7B0905B45CEE364DF79C591BD6FAE0BF09318F504A6EC0AE97281DB782244CF61
APIs
• EnableMenuItem.USER32(?,?,00000403), ref: 6BD7ADF2
• GetFocus.USER32 ref: 6BD7AE0C
• GetParent.USER32(?), ref: 6BD7AE17
• SendMessageW.USER32(?,00000028,00000000,00000000), ref: 6BD7AE2C
• CheckMenuItem.USER32(?,?,00000400), ref: 6BD7AE7F
• SendMessageW.USER32(?,00000087,00000000,00000000), ref: 6BD7AE9A
• SendMessageW.USER32(?,000000F1,?,00000000), ref: 6BD7AEB7
• SetMenuItemBitmaps.USER32(?,?,00000400,00000000,00000000), ref: 6BD7AF24
• SetMenuItemInfoW.USER32(?,?,00000001,?), ref: 6BD7AF74
Strings
Memory Dump Source
• Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
• Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
Similarity
• API ID: ItemMenu$MessageSend$BitmapsCheckEnableFocusInfoParent
• String ID: 0$@
• API String ID: 2977031974-1545510068
• Opcode ID: 54f8357d9a2272f1dbc02155788dbf138526d4b24d1f686dbcb87c378b541568
• Instruction ID: 524fbd86a27e2e54d4b4d57f08bf773a8ee8bb82dd4ce62e4eb7d34c38d208d9
• Opcode Fuzzy Hash: 54f8357d9a2272f1dbc02155788dbf138526d4b24d1f686dbcb87c378b541568
• Instruction Fuzzy Hash: BF519A71201605EFDB30AF25C849B9ABBB9FB00720F108979F5599F5A0D778E841CBE0
APIs
• __EH_prolog3.LIBCMT ref: 6BDEC778
  • Part of subcall function 6BDDDE20: __EH_prolog3.LIBCMT ref: 6BDDDE27
  • Part of subcall function 6BD7B793: GetDlgCtrlID.USER32(?), ref: 6BD7B79E
  • Part of subcall function 6BDE9AC4: __EH_prolog3.LIBCMT ref: 6BDE9ACB
Strings
Memory Dump Source
• Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
• Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
Similarity
• API ID: H_prolog3$Ctrl
• String ID: %TsPane-%d$%TsPane-%d%x$IsFloating$MRUWidth$Panes$PinState$RecentFrameAlignment$RecentRowIndex$RectRecentDocked$RectRecentFloat
• API String ID: 3879667756-2628993547
• Opcode ID: 0c3489f2d3f8ab94bcc91c61165ef92c9d80fb35eefa89d09e465280a84a221b
• Instruction ID: 1562620e3af408d79964e1f412bce47a58e0805491a39d7e5cf6dba73b22d440
• Opcode Fuzzy Hash: 0c3489f2d3f8ab94bcc91c61165ef92c9d80fb35eefa89d09e465280a84a221b
• Instruction Fuzzy Hash: 1F517575A00119AFCF04DF64C894AFD7B76BF89314F140459E816AB391DB39AE05CFA1
APIs
• __EH_prolog3_GS.LIBCMT ref: 6BD96B7E
• SetCursor.USER32(?,00000048,6BD96025,00000000,00000200,00000000), ref: 6BD96C1D
  • Part of subcall function 6BD63959: __EH_prolog3.LIBCMT ref: 6BD63960
  • Part of subcall function 6BD63959: GetDC.USER32(00000000), ref: 6BD6398C
  • Part of subcall function 6BD80535: __EH_prolog3_GS.LIBCMT ref: 6BD8053C
  • Part of subcall function 6BD80535: CreateRectRgnIndirect.GDI32(?), ref: 6BD80574
  • Part of subcall function 6BD80535: CopyRect.USER32(?,?), ref: 6BD80588
  • Part of subcall function 6BD80535: InflateRect.USER32(?,?,?), ref: 6BD8059E
  • Part of subcall function 6BD80535: IntersectRect.USER32(?,?,?), ref: 6BD805AA
  • Part of subcall function 6BD80535: CreateRectRgnIndirect.GDI32(?), ref: 6BD805B4
                                                                            • Part of subcall function 6BD80535: CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 6BD805C9
                                                                            • Part of subcall function 6BD80535: CombineRgn.GDI32(?,?,?,00000003), ref: 6BD805E3
                                                                            • Part of subcall function 6BD80535: CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 6BD8062A
                                                                            • Part of subcall function 6BD80535: SetRectRgn.GDI32(?,?,00000004,?,?), ref: 6BD80647
                                                                            • Part of subcall function 6BD80535: CopyRect.USER32(?,?), ref: 6BD80652
                                                                            • Part of subcall function 6BD639AE: ReleaseDC.USER32(?,00000000), ref: 6BD639E2
                                                                          • GetFocus.USER32 ref: 6BD96CB4
                                                                          • SetTimer.USER32(?,0000EC07,000001F4,00000000), ref: 6BD96DA5
                                                                          • TrackMouseEvent.USER32(?,?,?,?,?,?,00000000), ref: 6BD96DDC
                                                                          • SendMessageW.USER32(?,00000362,0000E001,00000000), ref: 6BD96E62
                                                                          • InvalidateRect.USER32(?,?,00000001,?,?,?,?,?,?,00000000), ref: 6BD96F9D
                                                                          • InflateRect.USER32(?,00000000,?), ref: 6BD96FE3
                                                                          • RedrawWindow.USER32(?,?,00000000,00000401,?,?,?,?,?,00000000), ref: 6BD96FF6
                                                                          • KillTimer.USER32(?,0000EC07,?,?,?,?,?,00000000), ref: 6BD97085
                                                                          • SetTimer.USER32(?,0000EC07,000001F4,00000000), ref: 6BD970A3
                                                                          • UpdateWindow.USER32(?), ref: 6BD970CC
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Rect$Create$Timer$CopyH_prolog3_IndirectInflateWindow$CombineCursorEventFocusH_prolog3IntersectInvalidateKillMessageMouseRedrawReleaseSendTrackUpdate
                                                                          • String ID:
                                                                          • API String ID: 3035320136-0
                                                                          • Opcode ID: a6e0fd5a7363c13e04686ba1069d8b2671b7084b249e1f84e2bbeb20cca8fd6a
                                                                          • Instruction ID: 788b4e05ecc1a68e905f372ad8c87c7c2fc63872f0b7c3b6c022192873498731
                                                                          • Opcode Fuzzy Hash: a6e0fd5a7363c13e04686ba1069d8b2671b7084b249e1f84e2bbeb20cca8fd6a
                                                                          • Instruction Fuzzy Hash: 4EF19234A00616EFDB15EF74D894BADBBB1BF04324F104269E8299B2D0DB38A951DBD0
                                                                          APIs
                                                                          • socket.WS2_32(00000002,00000002,00000011), ref: 03AE36E7
                                                                          • WSAIoctl.WS2_32(00000000,9800000C,?,00000004,00000000,00000000,?,00000000,00000000), ref: 03AE3720
                                                                          • WSACreateEvent.WS2_32 ref: 03AE3752
                                                                          • lstrlenW.KERNEL32(?,00000000,00000000,00000000,00000000,?,?,?,?,?,1001D990), ref: 03AE3764
                                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,?,1001D990), ref: 03AE3770
                                                                          • lstrlenW.KERNEL32(?,00000000,?,00000000,00000000,?,?,?,?,?,?,1001D990), ref: 03AE378F
                                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,?,?,1001D990), ref: 03AE379B
                                                                          • gethostbyname.WS2_32(00000000), ref: 03AE37A9
                                                                          • htons.WS2_32(?), ref: 03AE37CF
                                                                          • WSAEventSelect.WS2_32(?,?,00000030), ref: 03AE37ED
                                                                          • connect.WS2_32(?,?,00000010), ref: 03AE3802
                                                                          • WSAGetLastError.WS2_32(?,?,?,?,?,?,?,1001D990), ref: 03AE3811
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3542251241.0000000003AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AE0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_3ae0000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: ByteCharEventMultiWidelstrlen$CreateErrorIoctlLastSelectconnectgethostbynamehtonssocket
                                                                          • String ID:
                                                                          • API String ID: 1463362053-0
                                                                          • Opcode ID: 5641118c8b8dc115a13e2bb1be4868842fa0a449038963ca947ee42f98678167
                                                                          • Instruction ID: aa9c129d5aa48df98b12a6efc9854cddc9b4bf7ff03e5b9ce8e6d3dc479c285f
                                                                          • Opcode Fuzzy Hash: 5641118c8b8dc115a13e2bb1be4868842fa0a449038963ca947ee42f98678167
                                                                          • Instruction Fuzzy Hash: D5416D75A40215ABEB20DBA4CC89F7FB7B8FB89711F148619FA119B2D0D671A904CB60
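                                                                          The Winsock block above (socket, WSAIoctl, gethostbyname, htons, WSAEventSelect, connect) is read by decoding its constants rather than its names. What follows is an added worked example, not part of the Joe Sandbox report and not code from the analysed sample: a small Python parser for API lines in the report's own "• name.MODULE(args), ref: addr" layout, fed with the listing above copied into a constructed string. It decodes socket(2, 2, 0x11) as AF_INET/SOCK_DGRAM/IPPROTO_UDP, the WSAIoctl control code 0x9800000C as SIO_UDP_CONNRESET (the Winsock vendor ioctl that, when passed FALSE, stops ICMP port-unreachable replies from surfacing as WSAECONNRESET on a UDP socket; the report does not resolve the input buffer, so the value actually passed is not visible here), and the WSAEventSelect mask 0x30 as FD_CONNECT|FD_CLOSE. The ordered socket/resolve/connect rule at the end is an illustrative detection heuristic of my own, and because the sandbox lists calls by code address it reflects static layout order, not proven runtime order. The constant tables hold standard Winsock values; everything else (function and field names) is this example's own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: the "APIs" listing for the function at 03AE36E7,
# copied from the report text above. Unresolved arguments appear as '?'.
SAMPLE_APIS = """\
• socket.WS2_32(00000002,00000002,00000011), ref: 03AE36E7
• WSAIoctl.WS2_32(00000000,9800000C,?,00000004,00000000,00000000,?,00000000,00000000), ref: 03AE3720
• WSACreateEvent.WS2_32 ref: 03AE3752
• lstrlenW.KERNEL32(?,00000000,00000000,00000000,00000000,?,?,?,?,?,1001D990), ref: 03AE3764
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,?,1001D990), ref: 03AE3770
• gethostbyname.WS2_32(00000000), ref: 03AE37A9
• htons.WS2_32(?), ref: 03AE37CF
• WSAEventSelect.WS2_32(?,?,00000030), ref: 03AE37ED
• connect.WS2_32(?,?,00000010), ref: 03AE3802
• WSAGetLastError.WS2_32(?,?,?,?,?,?,?,1001D990), ref: 03AE3811
"""

# One report line: "• name.MODULE(arg,arg,...), ref: HEXADDR"; the parenthesised
# argument list is optional (see WSACreateEvent above).
LINE_RE = re.compile(
    r"^\s*•\s*(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r"\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# Standard Winsock constants used by the decoder.
AF = {2: "AF_INET", 23: "AF_INET6"}
SOCK_TYPE = {1: "SOCK_STREAM", 2: "SOCK_DGRAM", 3: "SOCK_RAW"}
PROTO = {0: "IPPROTO_IP", 6: "IPPROTO_TCP", 17: "IPPROTO_UDP"}
IOCTL = {
    0x9800000C: "SIO_UDP_CONNRESET",                    # _WSAIOW(IOC_VENDOR, 12)
    0xC8000006: "SIO_GET_EXTENSION_FUNCTION_POINTER",   # _WSAIORW(IOC_WS2, 6)
}
FD_EVENTS = [(0x01, "FD_READ"), (0x02, "FD_WRITE"), (0x04, "FD_OOB"),
             (0x08, "FD_ACCEPT"), (0x10, "FD_CONNECT"), (0x20, "FD_CLOSE")]


@dataclass
class ApiCall:
    api: str
    module: str
    args: list = field(default_factory=list)  # str per argument, None for '?'
    ref: int = 0                              # code address of the call site


def parse_api_listing(text: str) -> list:
    """Parse report-style API lines into ApiCall records, skipping non-matching lines."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [] if raw is None else [None if a.strip() == "?" else a.strip()
                                       for a in raw.split(",")]
        calls.append(ApiCall(m.group("api"), m.group("module"), args, int(m.group("ref"), 16)))
    return calls


def decode_flags(value: int, table) -> list:
    """Expand a bitmask into symbolic names; leftover bits are kept as hex."""
    names = [name for bit, name in table if value & bit]
    rest = value & ~sum(bit for bit, _ in table)
    if rest:
        names.append(f"0x{rest:X}")
    return names


def summarize_network(calls) -> dict:
    """Decode the Winsock calls of one function into an analyst-readable summary."""
    s = {"socket": None, "ioctls": [], "event_mask": [],
         "resolves_hostname": False, "connects": False}
    for c in calls:
        if c.api == "socket" and len(c.args) >= 3 and None not in c.args[:3]:
            af, st, pr = (int(a, 16) for a in c.args[:3])
            s["socket"] = "/".join((AF.get(af, f"af={af}"),
                                    SOCK_TYPE.get(st, f"type={st}"),
                                    PROTO.get(pr, f"proto={pr}")))
        elif c.api == "WSAIoctl" and len(c.args) >= 2 and c.args[1] is not None:
            code = int(c.args[1], 16)
            s["ioctls"].append(IOCTL.get(code, f"0x{code:08X}"))
        elif c.api == "WSAEventSelect" and len(c.args) >= 3 and c.args[2] is not None:
            s["event_mask"] = decode_flags(int(c.args[2], 16), FD_EVENTS)
        elif c.api in ("gethostbyname", "getaddrinfo", "GetAddrInfoW"):
            s["resolves_hostname"] = True
        elif c.api in ("connect", "WSAConnect"):
            s["connects"] = True
    return s


def matches_outbound_connect(calls) -> bool:
    """Illustrative rule: socket(), then name resolution, then connect() in address order.
    The report orders call sites by static address, so this is layout order only."""
    last = -1
    for want in ("socket", "gethostbyname", "connect"):
        hit = next((c.ref for c in calls if c.api == want and c.ref > last), None)
        if hit is None:
            return False
        last = hit
    return True


if __name__ == "__main__":
    parsed = parse_api_listing(SAMPLE_APIS)
    print(summarize_network(parsed))
    print("outbound-connect sequence:", matches_outbound_connect(parsed))
```

                                                                          Run it as a script to print the decoded summary for the listing above; to apply it to another function block, paste that block's "APIs" lines into the input string. Unresolved ('?') arguments are kept as None so that a decoder never guesses a value the sandbox did not see.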
                                                                          APIs
                                                                          • __EH_prolog3.LIBCMT ref: 6BE16A9A
                                                                          • GetObjectW.GDI32(00000018,00000018,00000000), ref: 6BE16AB1
                                                                            • Part of subcall function 6BE169F0: CreateDIBSection.GDI32(00000000,00000028,00000000,?,00000000,00000000), ref: 6BE16A67
                                                                          • CreateCompatibleDC.GDI32(00000000), ref: 6BE16B31
                                                                          • SelectObject.GDI32(?,00000018), ref: 6BE16B44
                                                                          • CreateCompatibleDC.GDI32(00000000), ref: 6BE16B62
                                                                          • SelectObject.GDI32(?,?), ref: 6BE16B77
                                                                          • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 6BE16B96
                                                                          • SelectObject.GDI32(?,00000000), ref: 6BE16BA4
                                                                          • SelectObject.GDI32(?,00000000), ref: 6BE16BAE
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Object$Select$Create$Compatible$H_prolog3Section
                                                                          • String ID:
                                                                          • API String ID: 2431383920-3916222277
                                                                          • Opcode ID: 93a0b83eaac85075f585f4c891b6ec0e6d872bb1fe4d1bec8060d2f3f66cf22d
                                                                          • Instruction ID: d75ecca28c57647dcb977b1036fba61c830e576e84213cfac19f5921f9a4e63f
                                                                          • Opcode Fuzzy Hash: 93a0b83eaac85075f585f4c891b6ec0e6d872bb1fe4d1bec8060d2f3f66cf22d
                                                                          • Instruction Fuzzy Hash: 95418D72D04119DFDF11CFF4CC45AEEBB75EF45318F208129E911AA2A0DB798919CBA0
                                                                          APIs
                                                                          • __EH_prolog3.LIBCMT ref: 6BD7FA00
                                                                          • GetObjectW.GDI32(?,00000018,?), ref: 6BD7FA1D
                                                                          • GetSystemMetrics.USER32(00000032), ref: 6BD7FA30
                                                                          • GetSystemMetrics.USER32(00000031), ref: 6BD7FA3B
                                                                          • GetMenuItemInfoW.USER32(00000000,?,00000000,00000030), ref: 6BD7FA7D
                                                                          • GetMenuItemInfoW.USER32(00000000,?,00000000,00000030), ref: 6BD7FAA8
                                                                          • GetSystemMetrics.USER32(0000000F), ref: 6BD7FB10
                                                                          • GetSystemMetrics.USER32(0000000F), ref: 6BD7FB1C
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: MetricsSystem$InfoItemMenu$H_prolog3Object
                                                                          • String ID: 0$@
                                                                          • API String ID: 414968830-1545510068
                                                                          • Opcode ID: 3c97e9266a4cc6ba993ddb651cc86ae63dca56795dce2c23e6481c831b004a03
                                                                          • Instruction ID: 1e21eca34d359a1b311f9de1fd8cfb578f9b63daa10fd701e1585f27ded3e62f
                                                                          • Opcode Fuzzy Hash: 3c97e9266a4cc6ba993ddb651cc86ae63dca56795dce2c23e6481c831b004a03
                                                                          • Instruction Fuzzy Hash: 2B414771910219ABDF20DFA4CC46BEEB7B8BF14764F104465E915BF291EB74AA04CBA0
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3542251241.0000000003AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AE0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_3ae0000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: _memset$FreeVirtual
                                                                          • String ID: !jWW$.$_$i$l${vU_
                                                                          • API String ID: 974088968-3065862289
                                                                          • Opcode ID: 2b6eedebc133e2266d96017898138cdc43810d24d5c9c443b0251b8ba9ddad3f
                                                                          • Instruction ID: 25d65647a9ff95c2f1aff497dfac8d64834edf405e57e7c84110be6f047f2ff2
                                                                          • Opcode Fuzzy Hash: 2b6eedebc133e2266d96017898138cdc43810d24d5c9c443b0251b8ba9ddad3f
                                                                          • Instruction Fuzzy Hash: D8218DB4A403589FD720DF54DC80FAABBB5FF96700F0481CAE14C9A650DBB09A84CF52
                                                                          APIs
                                                                          • __EH_prolog3_GS.LIBCMT ref: 6BD9E352
                                                                          • GetClientRect.USER32(?,?), ref: 6BD9E370
                                                                          • SetRectEmpty.USER32(?), ref: 6BD9E3C4
                                                                          • MapWindowPoints.USER32(?,?,?,00000002), ref: 6BD9E40F
                                                                          • MapWindowPoints.USER32(?,?,?,00000002), ref: 6BD9E498
                                                                          • GetWindowRect.USER32(?,?), ref: 6BD9E4BD
                                                                          • BitBlt.GDI32(00000000,00000000,00000000,?,?,?,?,?,00CC0020), ref: 6BD9E4E9
                                                                          • OffsetRect.USER32(?,00000000,00000000), ref: 6BD9E597
                                                                          • InflateRect.USER32(?,00000000,00000000), ref: 6BD9E5F5
                                                                          • IsRectEmpty.USER32(?), ref: 6BD9E6F3
                                                                          • IsRectEmpty.USER32(?), ref: 6BD9E883
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Rect$EmptyWindow$Points$ClientH_prolog3_InflateOffset
                                                                          • String ID:
                                                                          • API String ID: 302641110-0
                                                                          • Opcode ID: 4a7fbd061eccb45fe2ec0922f39f27cee35b7ec71722ed788b3b023ac44a803b
                                                                          • Instruction ID: 1008706b7a0b36e07d310aee7c5e690d57bf84adba4d53eba95ab5f4410401a2
                                                                          • Opcode Fuzzy Hash: 4a7fbd061eccb45fe2ec0922f39f27cee35b7ec71722ed788b3b023ac44a803b
                                                                          • Instruction Fuzzy Hash: F0128F31E10619DFDF05EFA4C844AEEBBB6FF49320F104169E815AF254DB75A909CB90
                                                                          APIs
                                                                          • SetLastError.KERNEL32(0000139F,100191B0,100151A4,?,?,00000001), ref: 03AE4C9D
                                                                          • RtlEnterCriticalSection.NTDLL(?), ref: 03AE4CC4
                                                                          • SetLastError.KERNEL32(0000139F), ref: 03AE4CD8
                                                                          • RtlLeaveCriticalSection.NTDLL(?), ref: 03AE4CDF
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3542251241.0000000003AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AE0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_3ae0000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: CriticalErrorLastSection$EnterLeave
                                                                          • String ID:
                                                                          • API String ID: 2124651672-0
                                                                          • Opcode ID: af4dd6d02dae8317ea51440de5c541b076cfcb0791ac4141c68a838fd91fdb3b
                                                                          • Instruction ID: 3e3603ea29cf419a7abf8b5f970196de07431e8a8c778a439e2594e4016e3cd0
                                                                          • Opcode Fuzzy Hash: af4dd6d02dae8317ea51440de5c541b076cfcb0791ac4141c68a838fd91fdb3b
                                                                          • Instruction Fuzzy Hash: AB519176A04700DFD714DFA9D985A6AF7F4FF48711F048A6EE90A8B740E776E4008B91
                                                                          APIs
                                                                          • __EH_prolog3_GS.LIBCMT ref: 6BD87ACD
                                                                          • SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 6BD87CA5
                                                                          • SendMessageW.USER32(?,0000000B,00000001,00000000), ref: 6BD87E6D
                                                                          • InvalidateRect.USER32(?,00000000,00000001), ref: 6BD87E93
                                                                          • UpdateWindow.USER32(?), ref: 6BD87EB5
                                                                          • SendMessageW.USER32(?,0000000B,00000001,00000000), ref: 6BD87F72
                                                                          • InvalidateRect.USER32(?,00000000,00000001), ref: 6BD87F98
                                                                          • UpdateWindow.USER32(?), ref: 6BD87FBA
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend$InvalidateRectUpdateWindow$H_prolog3_
                                                                          • String ID: :/\
                                                                          • API String ID: 2009545923-2793184486
                                                                          • Opcode ID: 740c639e2b67cab45642a69d11ab2231d47b8923afc5fdddd81ba22071fbc075
                                                                          • Instruction ID: d042d6ef8f900dff22677190a4c65cf1986308f5b8b69ec4cb8accf7f0565bdd
                                                                          • Opcode Fuzzy Hash: 740c639e2b67cab45642a69d11ab2231d47b8923afc5fdddd81ba22071fbc075
                                                                          • Instruction Fuzzy Hash: E6F13B316106189FCF24EF24CD99BADB7B6BF88315F1105E8D5069B2A1DB38AE49CF50
                                                                          APIs
                                                                            • Part of subcall function 6BD852DD: __EH_prolog3_catch.LIBCMT ref: 6BD852E4
                                                                          • GetModuleHandleW.KERNEL32(comctl32.dll,6BDDC48D,?,00000000,?,?,6BD8C384,?,?,?,0000001C,6BD8B1E1,?,?), ref: 6BDDC341
                                                                          • GetUserDefaultUILanguage.KERNEL32(?,?,6BD8C384,?,?,?,0000001C,6BD8B1E1,?,?), ref: 6BDDC351
                                                                          • FindResourceExW.KERNEL32(00000000,00000005,000003EE,0000FC11,?,?,6BD8C384,?,?,?,0000001C,6BD8B1E1,?,?), ref: 6BDDC38F
                                                                          • FindResourceW.KERNEL32(00000000,000003EE,00000005,?,?,6BD8C384,?,?,?,0000001C,6BD8B1E1,?,?), ref: 6BDDC3AE
                                                                          • LoadResource.KERNEL32(00000000,00000000,?,?,6BD8C384,?,?,?,0000001C,6BD8B1E1,?,?), ref: 6BDDC3BA
                                                                            • Part of subcall function 6BDDC4CB: GetDC.USER32(00000000), ref: 6BDDC51E
                                                                            • Part of subcall function 6BDDC4CB: EnumFontFamiliesExW.GDI32(00000000,?,6BDDC4B5,?,00000000,?,?,?,?,?,00000000,00000000), ref: 6BDDC539
                                                                            • Part of subcall function 6BDDC4CB: ReleaseDC.USER32(00000000,00000000), ref: 6BDDC541
                                                                          • GlobalAlloc.KERNEL32(00000040,00000000,?,?,?,0000001C,6BD8B1E1,?,?), ref: 6BDDC3EA
                                                                          • GlobalFree.KERNEL32(00000001), ref: 6BDDC462
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                           • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Resource$FindGlobal$AllocDefaultEnumFamiliesFontFreeH_prolog3_catchHandleLanguageLoadModuleReleaseUser
                                                                          • String ID: MS UI Gothic$comctl32.dll
                                                                          • API String ID: 1488066090-3248924666
                                                                          • Opcode ID: ca3447cb603102dc4d70594cf8206ee55d9a430680e5e36148d1cd9f81c6b8a5
                                                                          • Instruction ID: 595abf660f9bcdad715c8f3cddf4fcc2bb089e5789a9bf6031c38196439caec2
                                                                          • Opcode Fuzzy Hash: ca3447cb603102dc4d70594cf8206ee55d9a430680e5e36148d1cd9f81c6b8a5
                                                                          • Instruction Fuzzy Hash: 1A41E231204606ABE7146B74CC46B7A73ACDF46734F148439F9A5CF280EB78E94197B1
                                                                          APIs
                                                                          • __EH_prolog3_catch_GS.LIBCMT ref: 6BD70BF1
                                                                          • GetPropW.USER32(?,AfxOldWndProc423), ref: 6BD70C08
                                                                          • CallWindowProcW.USER32(?,?,00000110,?,?), ref: 6BD70C68
                                                                            • Part of subcall function 6BD70A06: GetWindowRect.USER32(?,6BD6128B), ref: 6BD70A3F
                                                                            • Part of subcall function 6BD70A06: GetWindow.USER32(?,00000004), ref: 6BD70A5C
                                                                          • SetWindowLongW.USER32(?,000000FC,?), ref: 6BD70C8B
                                                                          • RemovePropW.USER32(?,AfxOldWndProc423), ref: 6BD70C97
                                                                          • GlobalFindAtomW.KERNEL32(AfxOldWndProc423), ref: 6BD70CA2
                                                                          • GlobalDeleteAtom.KERNEL32(?), ref: 6BD70CAC
                                                                            • Part of subcall function 6BD709E2: GetWindowRect.USER32(?,00000000), ref: 6BD709EF
                                                                          • CallWindowProcW.USER32(?,?,?,?,?), ref: 6BD70CF4
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                           • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Window$AtomCallGlobalProcPropRect$DeleteFindH_prolog3_catch_LongRemove
                                                                          • String ID: AfxOldWndProc423
                                                                          • API String ID: 3351853316-1060338832
                                                                          • Opcode ID: c1bc61d79d1b9b744a2d5462fe22d78a3d0a3503b783a4eb5d464584d66752e7
                                                                          • Instruction ID: 1da36955dab6733318bdabe7c1c635e12f08988113688b98768ade17dd050085
                                                                          • Opcode Fuzzy Hash: c1bc61d79d1b9b744a2d5462fe22d78a3d0a3503b783a4eb5d464584d66752e7
                                                                          • Instruction Fuzzy Hash: E031C171810218FBCB14AFB48D4DDEE7B79AF4A360F514429F501AA190DB399A419B70
                                                                          APIs
                                                                          • GetDC.USER32(00000000), ref: 6BD68BA4
                                                                          • GetSystemMetrics.USER32(00000048), ref: 6BD68BC6
                                                                          • CreateFontW.GDI32(00000000), ref: 6BD68BCD
                                                                          • SelectObject.GDI32(00000000,00000000), ref: 6BD68BDB
                                                                          • GetCharWidthW.GDI32(00000000,00000036,00000036,6BF308FC), ref: 6BD68BED
                                                                          • SelectObject.GDI32(00000000,00000000), ref: 6BD68BF9
                                                                          • DeleteObject.GDI32(00000000), ref: 6BD68C00
                                                                          • ReleaseDC.USER32(00000000,00000000), ref: 6BD68C09
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                           • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Object$Select$CharCreateDeleteFontMetricsReleaseSystemWidth
                                                                          • String ID: Marlett
                                                                          • API String ID: 1397664628-3688754224
                                                                          • Opcode ID: fc787a6cdd6b2686dd182a8ca5760467d6ac1a965510622695fa9c477c62ff77
                                                                          • Instruction ID: 61c3950a4173febe165fcc6d61af80be285f81aedbbb5019b9b94097947f8429
                                                                          • Opcode Fuzzy Hash: fc787a6cdd6b2686dd182a8ca5760467d6ac1a965510622695fa9c477c62ff77
                                                                          • Instruction Fuzzy Hash: BD01DF32250680BBC6325A728C4EF5B3E3CDBC7FA2F420528F21099190DA698804C6B0
                                                                          APIs
                                                                          • __EH_prolog3_GS.LIBCMT ref: 6BDE8ED3
                                                                            • Part of subcall function 6BD63A38: __EH_prolog3.LIBCMT ref: 6BD63A3F
                                                                            • Part of subcall function 6BD63A38: GetWindowDC.USER32(00000000,00000004,6BD7DFDA,00000000), ref: 6BD63A6B
                                                                          • GetClientRect.USER32(?,?), ref: 6BDE8EFD
                                                                          • GetWindowRect.USER32(?,?), ref: 6BDE8F14
                                                                            • Part of subcall function 6BD63B50: ScreenToClient.USER32(?,6BD78FA1), ref: 6BD63B5F
                                                                            • Part of subcall function 6BD63B50: ScreenToClient.USER32(?,6BD78FA9), ref: 6BD63B6C
                                                                          • OffsetRect.USER32(?,?,?), ref: 6BDE8F36
                                                                            • Part of subcall function 6BD6351D: ExcludeClipRect.GDI32(?,?,?,?,?), ref: 6BD63554
                                                                            • Part of subcall function 6BD6351D: ExcludeClipRect.GDI32(00000000,?,?,?,?), ref: 6BD63571
                                                                            • Part of subcall function 6BD7B6AC: GetWindowLongW.USER32(?,000000EC), ref: 6BD7B6B9
                                                                          • GetWindowRect.USER32(?,?), ref: 6BDE8F8A
                                                                          • GetRgnBox.GDI32(?,?), ref: 6BDE8FA5
                                                                          • OffsetRect.USER32(?,?,?), ref: 6BDE8FBF
                                                                          • CreateRectRgnIndirect.GDI32(?), ref: 6BDE8FD9
                                                                            • Part of subcall function 6BD635DF: ExtSelectClipRgn.GDI32(?,00000000,?), ref: 6BD63602
                                                                            • Part of subcall function 6BD635DF: ExtSelectClipRgn.GDI32(?,00000000,?), ref: 6BD6361B
                                                                          • OffsetRgn.GDI32(?,?,?), ref: 6BDE9014
                                                                          • OffsetRect.USER32(?,?,?), ref: 6BDE9035
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                           • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Rect$ClipOffsetWindow$Client$ExcludeScreenSelect$CreateH_prolog3H_prolog3_IndirectLong
                                                                          • String ID:
                                                                          • API String ID: 3148124242-0
                                                                          • Opcode ID: c1c1bbdce9c36fbd6fff92c1962677855d2f2949f2ba433cfd5c8d7b79bf8704
                                                                          • Instruction ID: 848c839e29020373361edc08222d240149d09f843a67b139ce502289aaafb03f
                                                                          • Opcode Fuzzy Hash: c1c1bbdce9c36fbd6fff92c1962677855d2f2949f2ba433cfd5c8d7b79bf8704
                                                                          • Instruction Fuzzy Hash: AA913E71D1061C9FCF01DFA4CD95AEEBBB9FF09314F154119E406AB250EB39AA45CB60
                                                                          APIs
                                                                          • GetCursorPos.USER32(?), ref: 6BDA2637
                                                                          • ScreenToClient.USER32(?,?), ref: 6BDA2644
                                                                          • PtInRect.USER32(?,?,?), ref: 6BDA2683
                                                                          • PtInRect.USER32(?,?,?), ref: 6BDA26A8
                                                                          • KillTimer.USER32(0000EC16,0000EC16), ref: 6BDA26DB
                                                                          • InvalidateRect.USER32(00000001,?,00000001), ref: 6BDA26F3
                                                                          • InvalidateRect.USER32(00000001,?,00000001), ref: 6BDA2705
                                                                          • KillTimer.USER32(00000000,0000EC15), ref: 6BDA286C
                                                                          • ValidateRect.USER32(00000000,00000000), ref: 6BDA2899
                                                                          • RedrawWindow.USER32(00000000,00000000,00000000,00000185,00000000,00000000,00000000), ref: 6BDA28D6
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                           • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Rect$InvalidateKillTimer$ClientCursorRedrawScreenValidateWindow
                                                                          • String ID:
                                                                          • API String ID: 1459077570-0
                                                                          • Opcode ID: ba20b85dc1e12fabd9c9b06af6f01c5c98b9278d7d004cbcd2384477dc826426
                                                                          • Instruction ID: ec2b8d798bb8cbae7cd72d07ddd14260a8a2109fa4794e98020268a470162213
                                                                          • Opcode Fuzzy Hash: ba20b85dc1e12fabd9c9b06af6f01c5c98b9278d7d004cbcd2384477dc826426
                                                                          • Instruction Fuzzy Hash: 79916F71A0060AEFCB19DF75C984AADF7B9FF09318F040665E415AB251DB38EA50DF90
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                           • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Cursor$Window$CaptureKillLoadParentRectReleaseTimerUpdate
                                                                          • String ID:
                                                                          • API String ID: 2135910768-0
                                                                          • Opcode ID: 9090bb93138fefeea92a9e015d1c5cac2f3c6bc198212c7687279039a600afd1
                                                                          • Instruction ID: 2d9abadf4011d28e10fdad5470d70664504f6e64f0892a6727507922aab736a3
                                                                          • Opcode Fuzzy Hash: 9090bb93138fefeea92a9e015d1c5cac2f3c6bc198212c7687279039a600afd1
                                                                          • Instruction Fuzzy Hash: 9D71E131E44219DFCF14DB74C899BAEBB71FF49326F5104A9E845EB250CB38AD418BA0
                                                                          APIs
                                                                            • Part of subcall function 6BD6B3C8: __EH_prolog3_catch.LIBCMT ref: 6BD6B3CF
                                                                          • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 6BE12384
                                                                          • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 6BE123B9
                                                                          • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 6BE123E4
                                                                          • LoadIconW.USER32(?,00000000), ref: 6BE12419
                                                                          • LoadIconW.USER32(00000000,00007F00), ref: 6BE1242C
                                                                          • GetClassLongW.USER32(?,000000F2), ref: 6BE1245B
                                                                          • SendMessageW.USER32(?,00000146,00000000,00000000), ref: 6BE124E4
                                                                          • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 6BE124A6
                                                                            • Part of subcall function 6BDB10CE: __EH_prolog3_catch.LIBCMT ref: 6BDB10D8
                                                                            • Part of subcall function 6BDB10CE: CloseHandle.KERNEL32(00000000,?,00000000,00000080,6BE12BD1,?,00000000,?,?,00000000), ref: 6BDB1113
                                                                            • Part of subcall function 6BDB10CE: GetTempPathW.KERNEL32(00000104,00000000,00000104,?,00000000,00000080,6BE12BD1,?,00000000,?,?,00000000), ref: 6BDB1134
                                                                            • Part of subcall function 6BDB10CE: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000002,04000100,00000000,000000FF,?,00000104,000000FF,?,?,00000000), ref: 6BDB1189
                                                                          • SendMessageW.USER32(?,0000001F,00000000,00000000), ref: 6BE1259B
                                                                          • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 6BE125B5
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                           • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend$H_prolog3_catchIconLoad$ClassCloseCreateFileHandleLongPathTemp
                                                                          • String ID:
                                                                          • API String ID: 2083023585-0
                                                                          • Opcode ID: 37e2ef6c145545cb193c634cc8615801a9bd0b886b7842fcedb7303cb5a92ad3
                                                                          • Instruction ID: cb33dd1ea7dc83c3b9b242f5a7aeb8ccee6fcf58857ee6be15e8c31c41d072a9
                                                                          • Opcode Fuzzy Hash: 37e2ef6c145545cb193c634cc8615801a9bd0b886b7842fcedb7303cb5a92ad3
                                                                          • Instruction Fuzzy Hash: 69718034214610ABDF159F24CC89BAA3B66FF46765F2401B9FD19AF2A1DB3499018FA0
                                                                          APIs
                                                                          • __EH_prolog3_GS.LIBCMT ref: 6BDE475E
                                                                          • GetObjectW.GDI32(?,00000018,?), ref: 6BDE4783
                                                                          • GetObjectW.GDI32(?,00000054,?), ref: 6BDE47C8
                                                                          • CreateCompatibleDC.GDI32(00000000), ref: 6BDE48B4
                                                                          • SelectObject.GDI32(?,?), ref: 6BDE48D6
                                                                          • GetPixel.GDI32(?,00000000,00000000), ref: 6BDE4935
                                                                          • GetPixel.GDI32(?,?,00000000), ref: 6BDE4947
                                                                          • SetPixel.GDI32(?,00000000,00000000,00000000), ref: 6BDE4956
                                                                          • SetPixel.GDI32(?,?,00000000,00000000), ref: 6BDE4968
                                                                          • SelectObject.GDI32(?,00000000), ref: 6BDE49B6
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: ObjectPixel$Select$CompatibleCreateH_prolog3_
                                                                          • String ID:
                                                                          • API String ID: 1266819874-0
                                                                          • Opcode ID: 1046a912fe8427e42498260febb6b0986535918ccd0858373a7c00afecd1a409
                                                                          • Instruction ID: c605a53eab4441a55098e25af89c0eff585c1d9ae645a8b7ce5c7f9e30881b4d
                                                                          • Opcode Fuzzy Hash: 1046a912fe8427e42498260febb6b0986535918ccd0858373a7c00afecd1a409
                                                                          • Instruction Fuzzy Hash: CA81F771E00229CBDB24CFA9CC84A9DBBB5FF49314F1181A9E958AB311DB349D46DF60
                                                                          APIs
                                                                          • GetCursorPos.USER32(?), ref: 6BD9C558
                                                                          • ScreenToClient.USER32(?,?), ref: 6BD9C565
                                                                          • KillTimer.USER32(?,0000EC17), ref: 6BD9C57D
                                                                          • PtInRect.USER32(?,?,?), ref: 6BD9C5AC
                                                                          • KillTimer.USER32(?,0000EC18), ref: 6BD9C63B
                                                                          • GetParent.USER32(?), ref: 6BD9C650
                                                                          • PtInRect.USER32(?,?,?), ref: 6BD9C67C
                                                                          • KillTimer.USER32(?,0000EC07), ref: 6BD9C6DB
                                                                          • GetClientRect.USER32(?,?), ref: 6BD9C6EF
                                                                          • PtInRect.USER32(?,?,?), ref: 6BD9C6FF
                                                                            • Part of subcall function 6BD7BA35: ShowWindow.USER32(?,00000000,?,?,6BD7921A,00000000), ref: 6BD7BA46
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Rect$KillTimer$Client$CursorParentScreenShowWindow
                                                                          • String ID:
                                                                          • API String ID: 966434589-0
                                                                          • Opcode ID: 93c5282f8948560c247f3abf8cf19cbf1f204701e3c99c0c3bf7dde9d9eb634e
                                                                          • Instruction ID: 275136a734c360b3beb4b948f51a9423d89aeec105ed8310da095dcd8e84c814
                                                                          • Opcode Fuzzy Hash: 93c5282f8948560c247f3abf8cf19cbf1f204701e3c99c0c3bf7dde9d9eb634e
                                                                          • Instruction Fuzzy Hash: BC519335A10616EFDF05AF64C854ABEBB76FF09314F04016AE815EB250DB38A951DBA0
                                                                          APIs
                                                                          • WSASetLastError.WS2_32(0000000D), ref: 03AE4F1A
                                                                          • RtlEnterCriticalSection.NTDLL(?), ref: 03AE4F2F
                                                                          • WSASetLastError.WS2_32(00002746), ref: 03AE4F41
                                                                          • RtlLeaveCriticalSection.NTDLL(?), ref: 03AE4F48
                                                                          • timeGetTime.WINMM ref: 03AE4F76
                                                                          • timeGetTime.WINMM ref: 03AE4F9E
                                                                          • SetEvent.KERNEL32(?), ref: 03AE4FDC
                                                                          • InterlockedExchange.KERNEL32(?,00000001), ref: 03AE4FE8
                                                                          • RtlLeaveCriticalSection.NTDLL(?), ref: 03AE4FEF
                                                                          • RtlLeaveCriticalSection.NTDLL(?), ref: 03AE5002
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3542251241.0000000003AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AE0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_3ae0000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: CriticalSection$Leave$ErrorLastTimetime$EnterEventExchangeInterlocked
                                                                          • String ID:
                                                                          • API String ID: 1979691958-0
                                                                          • Opcode ID: 0eddb7f70435084fad788b00feb35f5cb1569ae860eba9b4df7dc0cd97004f8a
                                                                          • Instruction ID: 226b786472062e94602de177dc682e325c94170f8f1d77c876d5edfbab96a5d0
                                                                          • Opcode Fuzzy Hash: 0eddb7f70435084fad788b00feb35f5cb1569ae860eba9b4df7dc0cd97004f8a
                                                                          • Instruction Fuzzy Hash: 26419231600300DFD721DF6AD988B6AB7FDBF4CB15F08869EE84A8B251D776E4448B91
                                                                          APIs
                                                                          • DefWindowProcW.USER32(?,00000046,00000000,?,?), ref: 6BD848FF
                                                                          • GetWindowRect.USER32(?,?), ref: 6BD8491E
                                                                          • SetRect.USER32(?,?,00000000,?,?), ref: 6BD8495D
                                                                          • InvalidateRect.USER32(?,?,00000001), ref: 6BD8496C
                                                                          • SetRect.USER32(?,?,00000000,?,?), ref: 6BD84984
                                                                          • InvalidateRect.USER32(?,?,00000001), ref: 6BD84993
                                                                          • SetRect.USER32(?,00000000,?,?,?), ref: 6BD849BB
                                                                          • InvalidateRect.USER32(?,?,00000001), ref: 6BD849CA
                                                                          • SetRect.USER32(?,00000000,?,00000001,?), ref: 6BD849E1
                                                                          • InvalidateRect.USER32(?,?,00000001), ref: 6BD849F0
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Rect$Invalidate$Window$Proc
                                                                          • String ID:
                                                                          • API String ID: 570070710-0
                                                                          • Opcode ID: 8142ba98085df791f85ba86c8d93953e6e8cd75a72f72fcc41fa63eb4a19341a
                                                                          • Instruction ID: b6ef66f0532e8effbe89924383ad32dc6240a01bb38f21d0758e7f61e3089233
                                                                          • Opcode Fuzzy Hash: 8142ba98085df791f85ba86c8d93953e6e8cd75a72f72fcc41fa63eb4a19341a
                                                                          • Instruction Fuzzy Hash: 4D411A72910249AFDF10DFA4C989FAFBBB9FF09300F500529F641E61A0D775AA44CBA1
                                                                          APIs
                                                                          • __EH_prolog3.LIBCMT ref: 6BD82243
                                                                          • ClientToScreen.USER32(?,?), ref: 6BD82262
                                                                          • GetSystemMetrics.USER32(00000025), ref: 6BD8226A
                                                                          • GetSystemMetrics.USER32(00000025), ref: 6BD82280
                                                                          • GetSystemMetrics.USER32(00000024), ref: 6BD82294
                                                                          • GetSystemMetrics.USER32(00000024), ref: 6BD822A8
                                                                          • CreateEllipticRgn.GDI32(00000000,00000000,00000020,00000020,?,00007921,?,?,?,?,00000010), ref: 6BD82321
                                                                          • SetWindowRgn.USER32(?,?,00000001), ref: 6BD82338
                                                                          • SetCapture.USER32(?,?,00007921,?,?,?,?,00000010), ref: 6BD82341
                                                                          • SetTimer.USER32(?,0000EC08,00000032,00000000), ref: 6BD8235A
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: MetricsSystem$CaptureClientCreateEllipticH_prolog3ScreenTimerWindow
                                                                          • String ID:
                                                                          • API String ID: 3001615190-0
                                                                          • Opcode ID: 8362437b4d95a9e74c03baf962b92c31cf505a23bcbd569622b0918d46bfb626
                                                                          • Instruction ID: 2ce918b34ff22de1434f132dd193fc5979e54b323fc65fa733b285a203087aa7
                                                                          • Opcode Fuzzy Hash: 8362437b4d95a9e74c03baf962b92c31cf505a23bcbd569622b0918d46bfb626
                                                                          • Instruction Fuzzy Hash: C5318C71610701AFEB18DF74CC4AF6ABB74FF08314F01462CEA59AB291DB75A904CBA0
                                                                          APIs
                                                                          • LoadLibraryW.KERNEL32(Comctl32.dll,00000000,00000000,00000002,Comctl32.dll,00000040), ref: 6BD60E80
                                                                            • Part of subcall function 6BD60CAC: GetProcAddress.KERNEL32(00000000,6BD6A2CF), ref: 6BD60CDA
                                                                          • GetModuleFileNameW.KERNEL32(?,?,00000105,?,6BD6A257,?,6BF22380,00000010,6BD6F2FD,?), ref: 6BD60D9A
                                                                          • SetLastError.KERNEL32(0000006F,?,6BD6A257,?,6BF22380,00000010,6BD6F2FD,?), ref: 6BD60DAE
                                                                          • GetLastError.KERNEL32(00000020), ref: 6BD60E05
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorLast$AddressFileLibraryLoadModuleNameProc
                                                                          • String ID: $@$Comctl32.dll$GetModuleHandleExW
                                                                          • API String ID: 3640817601-4183358198
                                                                          • Opcode ID: 9733ef92fd9309cae0c7e8feee9d62180d136721d8337c50e6ceada78ce22fb1
                                                                          • Instruction ID: 6dde07d694f1afdc22a103336c286d2886968ab8a721863af759a712ba4a64b5
                                                                          • Opcode Fuzzy Hash: 9733ef92fd9309cae0c7e8feee9d62180d136721d8337c50e6ceada78ce22fb1
                                                                          • Instruction Fuzzy Hash: 2741A771914228DBEB209B748CC9B9A77B9EB447F0F1045A6E414EE191FB7CCA84DF60
                                                                          APIs
                                                                          • EnterCriticalSection.KERNEL32(6BF39BF4,?,00000000,?,6BD91275,00000001,00000000,?,?,6BD90F0B,?,00000000,?,?), ref: 6BDF8E56
                                                                          • SetThreadPriority.KERNEL32(00000000,000000FF,?,00000000), ref: 6BDF8E87
                                                                          • LeaveCriticalSection.KERNEL32(6BF39BF4,?,00000000), ref: 6BDF8E9D
                                                                          • PlaySoundW.WINMM(MenuCommand,00000000,00012002), ref: 6BDF8EEE
                                                                          • Sleep.KERNEL32(00000005,00000000,6BF39BF4,00000000,?,00000000,?,6BD91275,00000001,00000000,?,?,6BD90F0B,?,00000000,?), ref: 6BDF8F19
                                                                          • PlaySoundW.WINMM(00000000,00000000,00000040), ref: 6BDF8F2E
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: CriticalPlaySectionSound$EnterLeavePrioritySleepThread
                                                                          • String ID: MenuCommand$MenuPopup
                                                                          • API String ID: 2370138168-2036262055
                                                                          • Opcode ID: 98e04d66b30e1e86d8f6047741f6826f5033a8759c8e7119c866d10f93146147
                                                                          • Instruction ID: 9ebb06e4e6c409b253dcec078f3b2bb63f68152df4d631b36a819d92b84b4d60
                                                                          • Opcode Fuzzy Hash: 98e04d66b30e1e86d8f6047741f6826f5033a8759c8e7119c866d10f93146147
                                                                          • Instruction Fuzzy Hash: 6D31EA3185C211EFDB203B2ACC48B563B6E9743775F220355E5359A1E0DBBEC44A9B91
                                                                          APIs
                                                                          • GetModuleHandleW.KERNEL32(kernel32.dll), ref: 6BD6A52A
                                                                          • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 6BD6A53A
                                                                          • EncodePointer.KERNEL32(00000000), ref: 6BD6A543
                                                                          • DecodePointer.KERNEL32(00000000), ref: 6BD6A551
                                                                          • GetSystemDirectoryW.KERNEL32(?,00000105), ref: 6BD6A579
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Pointer$AddressDecodeDirectoryEncodeHandleModuleProcSystem
                                                                          • String ID: SetDefaultDllDirectories$\$kernel32.dll
                                                                          • API String ID: 2101061299-3881611067
                                                                          • Opcode ID: 6544c36fa840d1bf992be392727b59c68316caeec30d7b21708c2e14f02020e5
                                                                          • Instruction ID: 3eeb39200b0a2c276cc3fa062701b7a516f53d8092f08d7d47045682df77d133
                                                                          • Opcode Fuzzy Hash: 6544c36fa840d1bf992be392727b59c68316caeec30d7b21708c2e14f02020e5
                                                                          • Instruction Fuzzy Hash: 04219971950228A7CB10DB758C49F9B3BB8AB057A4F010865FC45DA150F77CD644DEA4
                                                                          APIs
                                                                          • GetStockObject.GDI32(00000011), ref: 6BD8C876
                                                                          • GetStockObject.GDI32(0000000D), ref: 6BD8C882
                                                                          • GetObjectW.GDI32(00000000,0000005C,?), ref: 6BD8C893
                                                                          • GetDC.USER32(00000000), ref: 6BD8C8A2
                                                                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 6BD8C8B9
                                                                          • MulDiv.KERNEL32(?,00000048,00000000), ref: 6BD8C8C5
                                                                          • ReleaseDC.USER32(00000000,00000000), ref: 6BD8C8D1
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                           • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Object$Stock$CapsDeviceRelease
                                                                          • String ID: System
                                                                          • API String ID: 46613423-3470857405
                                                                          • Opcode ID: bbd69ce27e9a8db30f2bade19a0668f670723cc23c2e5d6c94636dfd310cecfd
                                                                          • Instruction ID: 7e26e3608e7ca4e8c6c85355bfe5ee0acfd8aa0a9142be864138b3f6aafd61a3
                                                                          • Opcode Fuzzy Hash: bbd69ce27e9a8db30f2bade19a0668f670723cc23c2e5d6c94636dfd310cecfd
                                                                          • Instruction Fuzzy Hash: 3B11BE71B50308EBEB189B65CC4ABAE7BB9EB45712F400129F606EF1C0DB74D804DB60
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                           • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Window$ActiveFocus$MessageSend
                                                                          • String ID: u
                                                                          • API String ID: 1556911595-4067256894
                                                                          • Opcode ID: 295b0a432efd37414a5c090fe58ba1cbaa9add974a68e129af1f14ee1be25acc
                                                                          • Instruction ID: c60d99c9bea6e45a7f675b8b1bc2b9d2289b0b3e6bf1d1f570c91977954c6843
                                                                          • Opcode Fuzzy Hash: 295b0a432efd37414a5c090fe58ba1cbaa9add974a68e129af1f14ee1be25acc
                                                                          • Instruction Fuzzy Hash: 5A11E232530205ABDB151B74CC497AE3B69EF863B1F018874F901CE095EB3CC906AB50
                                                                          APIs
                                                                          • __EH_prolog3.LIBCMT ref: 6BE7C290
                                                                            • Part of subcall function 6BD82F60: EnterCriticalSection.KERNEL32(6BF38410,?,?,0000007C,?,6BD6F318,00000001), ref: 6BD82F91
                                                                            • Part of subcall function 6BD82F60: InitializeCriticalSection.KERNEL32(00000000,?,6BD6F318,00000001), ref: 6BD82FA7
                                                                            • Part of subcall function 6BD82F60: LeaveCriticalSection.KERNEL32(6BF38410,?,6BD6F318,00000001), ref: 6BD82FB5
                                                                            • Part of subcall function 6BD82F60: EnterCriticalSection.KERNEL32(00000000,?,0000007C,?,6BD6F318,00000001), ref: 6BD82FC2
                                                                          • GetProfileIntW.KERNEL32(windows,DragScrollInset,0000000B), ref: 6BE7C2DB
                                                                          • GetProfileIntW.KERNEL32(windows,DragScrollDelay,00000032), ref: 6BE7C2EE
                                                                          • GetProfileIntW.KERNEL32(windows,DragScrollInterval,00000032), ref: 6BE7C301
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                           • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: CriticalSection$Profile$Enter$H_prolog3InitializeLeave
                                                                          • String ID: DragScrollDelay$DragScrollInset$DragScrollInterval$windows
                                                                          • API String ID: 4229786687-1024936294
                                                                          • Opcode ID: 446afab8649acfbc35cf0048ffec8ad9f1269794e2ab7b29100b0f608fda7792
                                                                          • Instruction ID: 6058d24c889c0cb90928dcc1a095564acdbf392fe757bbf9cecf7fd002220495
                                                                          • Opcode Fuzzy Hash: 446afab8649acfbc35cf0048ffec8ad9f1269794e2ab7b29100b0f608fda7792
                                                                          • Instruction Fuzzy Hash: 7001DFB4960300EFCB30EFB88C067097AE9BF85758F60052DE2469A291CBBEC205CB15
                                                                          APIs
                                                                          • __EH_prolog3.LIBCMT ref: 6BD79DAF
                                                                            • Part of subcall function 6BDA59C9: LoadCursorW.USER32(?,00007F00), ref: 6BDA5A2B
                                                                          • GetSystemMenu.USER32(?,00000000,00000000,00000000,6BF17FB4,?,6BF309DC), ref: 6BD79E20
                                                                          • DeleteMenu.USER32(?,0000F000,00000000,00000000), ref: 6BD79E43
                                                                          • DeleteMenu.USER32(?,0000F020,00000000), ref: 6BD79E53
                                                                          • DeleteMenu.USER32(?,0000F030,00000000), ref: 6BD79E63
                                                                          • DeleteMenu.USER32(?,0000F120,00000000), ref: 6BD79E73
                                                                          • DeleteMenu.USER32(00000000,0000F060,00000000,0000F011), ref: 6BD79EA6
                                                                          • AppendMenuW.USER32(00000000,00000000,0000F060,?), ref: 6BD79EBA
                                                                          • SetParent.USER32(?,?), ref: 6BD79F07
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                           • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Menu$Delete$AppendCursorH_prolog3LoadParentSystem
                                                                          • String ID:
                                                                          • API String ID: 2353656248-0
                                                                          • Opcode ID: 622b1e188cdc191972821b471e877e854d1b5662f2cc4b0dff86d99eaeac2139
                                                                          • Instruction ID: 95e0fe7e7927ed5fec5df3831c0286a6ef87a126e2e5e3fa68f9203a838c589c
                                                                          • Opcode Fuzzy Hash: 622b1e188cdc191972821b471e877e854d1b5662f2cc4b0dff86d99eaeac2139
                                                                          • Instruction Fuzzy Hash: B141C432691616AFEB209FB0CD56FAABB64FF08714F000434F655AF1E1D778A904DBA4
                                                                          APIs
                                                                          • GetDlgItem.USER32(?,?), ref: 6BD8C1C5
                                                                          • GetWindowLongW.USER32(00000000,000000F0), ref: 6BD8C1D4
                                                                          • IsWindowEnabled.USER32(00000000), ref: 6BD8C1E2
                                                                          • GetDlgItem.USER32(?,00003024), ref: 6BD8C1F9
                                                                          • GetWindowLongW.USER32(00000000,000000F0), ref: 6BD8C205
                                                                          • IsWindowEnabled.USER32(?), ref: 6BD8C215
                                                                          • GetFocus.USER32 ref: 6BD8C236
                                                                          • IsWindowEnabled.USER32(00000000), ref: 6BD8C23D
                                                                          • SetFocus.USER32(?), ref: 6BD8C24A
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                           • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Window$Enabled$FocusItemLong
                                                                          • String ID:
                                                                          • API String ID: 1558694495-0
                                                                          • Opcode ID: d25468e9fd830acdf49054fe8c027e07bb34af62aa0233aba51b6bf381ceaa91
                                                                          • Instruction ID: b821676e37895f6dd91316224d780097c5474ac04bdb221b3ad36d5db349692d
                                                                          • Opcode Fuzzy Hash: d25468e9fd830acdf49054fe8c027e07bb34af62aa0233aba51b6bf381ceaa91
                                                                          • Instruction Fuzzy Hash: AC112132A00120EBCF029FA8CC49B5EBB28FF06762F450234F911DE2B0DB35C840AB80
                                                                          APIs
                                                                          • __EH_prolog3_catch.LIBCMT ref: 6BD90541
                                                                            • Part of subcall function 6BDDDE20: __EH_prolog3.LIBCMT ref: 6BDDDE27
                                                                          • IsWindow.USER32(?), ref: 6BD90674
                                                                            • Part of subcall function 6BD7B793: GetDlgCtrlID.USER32(?), ref: 6BD7B79E
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                           • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: CtrlH_prolog3H_prolog3_catchWindow
                                                                          • String ID: %TsMFCToolBar-%d$%TsMFCToolBar-%d%x$Buttons$MFCToolBars$Name
                                                                          • API String ID: 1537839037-190999575
                                                                          • Opcode ID: 08e60b0a86a78d9a2c49c09afbf8b5ecf90d60e30e31b21c0e733731abb1a648
                                                                          • Instruction ID: 594c70b42d7c63bba89c19d23c2b2eb4952e5afca2361c3474c27bb0dd4f1289
                                                                          • Opcode Fuzzy Hash: 08e60b0a86a78d9a2c49c09afbf8b5ecf90d60e30e31b21c0e733731abb1a648
                                                                          • Instruction Fuzzy Hash: B3717D75A00219DFDF05EBB4D991AEDBBB5AF49324F144098E811AB2A0DB389F00DF71
                                                                          APIs
                                                                          • GetModuleHandleW.KERNEL32(uxtheme.dll,?,?,6BD7EDC3,?,00000000,?,?,?,000000FF,?,?,00000040), ref: 6BD860D8
                                                                          • GetProcAddress.KERNEL32(00000000,DrawThemeTextEx), ref: 6BD860E8
                                                                          • EncodePointer.KERNEL32(00000000,?,?,6BD7EDC3,?,00000000,?,?,?,000000FF,?,?,00000040), ref: 6BD860F1
                                                                          • DecodePointer.KERNEL32(00000000,?,?,6BD7EDC3,?,00000000,?,?,?,000000FF,?,?,00000040), ref: 6BD860FF
                                                                          • DrawThemeText.UXTHEME(?,?,?,?,?,?,?,00000000,?,?,?,6BD7EDC3,?,00000000,?,?), ref: 6BD8614C
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                           • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Pointer$AddressDecodeDrawEncodeHandleModuleProcTextTheme
                                                                          • String ID: DrawThemeTextEx$uxtheme.dll
                                                                          • API String ID: 1727381832-3035683158
                                                                          • Opcode ID: 8bd1642e62c6e5e98a24c0579e232f6e57e9120e723dad387b556b526b540f6c
                                                                          • Instruction ID: 4f00f1bd178d7270d2cd22332b1c6a348667bc37a50a61cc34dabd34f91c2fd0
                                                                          • Opcode Fuzzy Hash: 8bd1642e62c6e5e98a24c0579e232f6e57e9120e723dad387b556b526b540f6c
                                                                          • Instruction Fuzzy Hash: ED11B33646021AFBCF126F94CD09EDE7F66FB0D761B454420FE19A5131DB3AD821ABA0
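                                                                           The record above is the runtime import-resolution pattern worth spotting when triaging these blocks: GetModuleHandleW on uxtheme.dll, GetProcAddress for DrawThemeTextEx, and the result wrapped in EncodePointer/DecodePointer before use. The parser below is an added example, not code from Joe Sandbox or from the sample; it reads records in the layout reproduced on this page (the "APIs", "Memory Dump Source" and "Similarity" sections), pairs each GetProcAddress with the preceding module lookup, and converts the call site's virtual address into an RVA against the dump's load base so the site can be found in the on-disk DLL. The embedded sample text is a constructed, shortened copy of two records from this page; the "API String ID" value is treated as an opaque label and nothing is assumed about how Joe Sandbox computes it.

```python
"""Parse Joe Sandbox per-function records (the 'APIs' / 'Memory Dump Source' /
'Similarity' blocks in this report) and flag runtime import resolution."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: shortened copies of two records from this report.
SAMPLE = """\
APIs
• GetModuleHandleW.KERNEL32(uxtheme.dll,?,?,6BD7EDC3,?,00000000), ref: 6BD860D8
• GetProcAddress.KERNEL32(00000000,DrawThemeTextEx), ref: 6BD860E8
• EncodePointer.KERNEL32(00000000,?,?,6BD7EDC3), ref: 6BD860F1
• DecodePointer.KERNEL32(00000000,?,?,6BD7EDC3), ref: 6BD860FF
• DrawThemeText.UXTHEME(?,?,?,?,?,?,?,00000000,?,?,?,6BD7EDC3), ref: 6BD8614C
Memory Dump Source
• Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
Similarity
• String ID: DrawThemeTextEx$uxtheme.dll
• API String ID: 1727381832-3035683158
APIs
• __EH_prolog3.LIBCMT ref: 6BE7C290
  • Part of subcall function 6BD82F60: EnterCriticalSection.KERNEL32(6BF38410,?,?,0000007C), ref: 6BD82F91
• GetProfileIntW.KERNEL32(windows,DragScrollInset,0000000B), ref: 6BE7C2DB
Memory Dump Source
• Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
Similarity
• String ID: DragScrollDelay$DragScrollInset$DragScrollInterval$windows
• API String ID: 4229786687-1024936294
"""

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
# "• [Part of subcall function X: ]Name.MODULE[(args)][,] ref: ADDR"
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s+ref:\s*(?P<ref>[0-9A-F]+)$")
KV_RE = re.compile(r"^•\s*(?P<key>[^:]+?):\s*(?P<val>.*?)\s*$")
RESOLVERS = {"GetModuleHandleW", "GetModuleHandleA", "LoadLibraryW", "LoadLibraryA"}


@dataclass
class ApiCall:
    name: str
    module: str
    args: Tuple[str, ...]
    ref: int                       # virtual address of the call site in the dump
    subcall: Optional[str] = None  # set when the report attributes the call to a callee


@dataclass
class FunctionBlock:
    apis: List[ApiCall] = field(default_factory=list)
    similarity: Dict[str, str] = field(default_factory=dict)
    image_base: int = 0            # "Offset:" of the dump the record was taken from

    def rva(self, va: int) -> int:
        """Offset from the dump's load base, for locating the site in the on-disk PE."""
        return va - self.image_base

    def dynamic_imports(self) -> List[Tuple[str, str, int]]:
        """(dll, export, call VA) for each GetProcAddress in this function's own body."""
        dll, found = "", []
        for c in self.apis:
            if c.subcall:          # callee's calls are listed in the callee's own record
                continue
            if c.name in RESOLVERS and c.args:
                dll = c.args[0]
            elif c.name == "GetProcAddress" and len(c.args) >= 2:
                found.append((dll, c.args[1], c.ref))
        return found


def parse_blocks(text: str) -> List[FunctionBlock]:
    blocks: List[FunctionBlock] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            section = line
            if line == "APIs":     # every record opens with its APIs section
                blocks.append(FunctionBlock())
            continue
        if not blocks or not line.startswith("•"):
            continue
        blk = blocks[-1]
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                a = m.group("args")
                blk.apis.append(ApiCall(m.group("name"), m.group("module"),
                                        tuple(a.split(",")) if a is not None else (),
                                        int(m.group("ref"), 16), m.group("sub")))
        elif section == "Memory Dump Source":
            m = KV_RE.match(line)
            if m and m.group("key") == "Source File":
                off = re.search(r"Offset:\s*([0-9A-F]+)", m.group("val"))
                blk.image_base = int(off.group(1), 16) if off else 0
        elif section == "Similarity":
            m = KV_RE.match(line)
            if m:
                blk.similarity[m.group("key")] = m.group("val")
    return blocks


def report(text: str) -> List[str]:
    """One line per runtime-resolved import, keyed by the record's API String ID."""
    return [f"{b.similarity.get('API String ID', '?')}: {dll}!{exp} at RVA 0x{b.rva(va):X}"
            for b in parse_blocks(text) for dll, exp, va in b.dynamic_imports()]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

                                                                           Treat a hit as a triage pointer rather than a verdict: the same GetModuleHandleW/GetProcAddress/EncodePointer sequence around DrawThemeTextEx is how the MFC runtime itself loads optional theming APIs, and strings elsewhere in this dump (MFCToolBars, DragScrollInset) point to MFC library code. Check the flagged function against library signatures before attributing it to the malware's own logic.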
                                                                          APIs
                                                                          • GetParent.USER32(000000FF), ref: 6BD9BFE1
                                                                          • SendMessageW.USER32(000000FF,00000362,0000E001,00000000), ref: 6BD9C01D
                                                                            • Part of subcall function 6BD9C2D2: GetParent.USER32(000000FF), ref: 6BD9C2E2
                                                                          • SendMessageW.USER32(?,00000362,0000E001,00000000), ref: 6BD9C03C
                                                                          • GetParent.USER32(000000FF), ref: 6BD9C0F5
                                                                          • PostMessageW.USER32(?,?,?,00000000), ref: 6BD9C1A9
                                                                          • GetParent.USER32(000000FF), ref: 6BD9C213
                                                                          • InvalidateRect.USER32(000000FF,000000FF,00000001,000000FF,?,?), ref: 6BD9C28C
                                                                          • UpdateWindow.USER32(000000FF), ref: 6BD9C298
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                           • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Parent$Message$Send$InvalidatePostRectUpdateWindow
                                                                          • String ID:
                                                                          • API String ID: 4048132615-0
                                                                          • Opcode ID: aba7749d500900a47331fca2fb8f1fa675a7809f3e6c39235dec38bd3633260e
                                                                          • Instruction ID: eb1a5847e8d69a5a00589d8682419a1219c839b8b4d82339ca7108aa977e04ee
                                                                          • Opcode Fuzzy Hash: aba7749d500900a47331fca2fb8f1fa675a7809f3e6c39235dec38bd3633260e
                                                                          • Instruction Fuzzy Hash: 96919171A10219DFEB14AF78D855AAE77B9BF49320F140179E805EF260EB39DD01DBA0
                                                                          APIs
                                                                          • __EH_prolog3_GS.LIBCMT ref: 6BD779A7
                                                                          • OleDuplicateData.OLE32(?,?,00000000), ref: 6BD77A38
                                                                          • GlobalLock.KERNEL32(00000000), ref: 6BD77A5A
                                                                          • CopyMetaFileW.GDI32(?,00000000), ref: 6BD77A68
                                                                          • GlobalUnlock.KERNEL32(00000000), ref: 6BD77A76
                                                                          • GlobalFree.KERNEL32(00000000), ref: 6BD77A7D
                                                                          • GlobalUnlock.KERNEL32(00000000), ref: 6BD77A8A
                                                                            • Part of subcall function 6BD60447: __EH_prolog3.LIBCMT ref: 6BD6044E
                                                                          • CopyFileW.KERNEL32(?,?,00000000,?,?,00000054), ref: 6BD77C36
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Global$CopyFileUnlock$DataDuplicateFreeH_prolog3H_prolog3_LockMeta
                                                                          • String ID:
                                                                          • API String ID: 4039237054-0
                                                                          • Opcode ID: 12d6436149096db860710eea23257aba686eec37c5294be3cae0df3aea91d0de
                                                                          • Instruction ID: 43ff2473a6eeecc641a455fff709e91ad7b8113b525e2ee997feea0baae8f4cd
                                                                          • Opcode Fuzzy Hash: 12d6436149096db860710eea23257aba686eec37c5294be3cae0df3aea91d0de
                                                                          • Instruction Fuzzy Hash: E481B3B4910515FFDB25AF74CD98A6ABBB5FF897207008969E419CF264DB34ED00CBA0
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Window$CaptureDestroyEmptyMessageParentPointsRectReleaseSendVisible
                                                                          • String ID:
                                                                          • API String ID: 3509494761-0
                                                                          • Opcode ID: eb006e634c4efa63e24f3e139efa0a05b219767a61644f3467a35f2c2945f5e1
                                                                          • Instruction ID: d18382b8c7055f9cf6c5cabc659ef00de1a8e4be926f20934978f0f0592a049b
                                                                          • Opcode Fuzzy Hash: eb006e634c4efa63e24f3e139efa0a05b219767a61644f3467a35f2c2945f5e1
                                                                          • Instruction Fuzzy Hash: A651B131610615DFDF059F24C899BAE3BB6BF0A714F0504B8EC069F296DB79D906CBA0
                                                                          APIs
                                                                          • __EH_prolog3_catch_GS.LIBCMT ref: 6BDDEDC1
                                                                            • Part of subcall function 6BD63A38: __EH_prolog3.LIBCMT ref: 6BD63A3F
                                                                            • Part of subcall function 6BD63A38: GetWindowDC.USER32(00000000,00000004,6BD7DFDA,00000000), ref: 6BD63A6B
                                                                          • CreateCompatibleDC.GDI32(00000000), ref: 6BDDEE01
                                                                          • CreateCompatibleBitmap.GDI32(?,?,?), ref: 6BDDEE23
                                                                            • Part of subcall function 6BD63826: SelectObject.GDI32(6BD6F2CB,?), ref: 6BD6382F
                                                                          • FillRect.USER32(?,?,?), ref: 6BDDEE6D
                                                                          • OpenClipboard.USER32(?), ref: 6BDDEE9D
                                                                          • EmptyClipboard.USER32 ref: 6BDDEEDB
                                                                          • SetClipboardData.USER32(00000002,00000000), ref: 6BDDEEFF
                                                                          • CloseClipboard.USER32 ref: 6BDDEF19
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Clipboard$CompatibleCreate$BitmapCloseDataEmptyFillH_prolog3H_prolog3_catch_ObjectOpenRectSelectWindow
                                                                          • String ID:
                                                                          • API String ID: 2940850299-0
                                                                          • Opcode ID: 5fb80fd511802fef94b0fe4cdafd39d7b5770812cafcca6585ceee978d41f385
                                                                          • Instruction ID: 82772ba7691f25c826e2f8a919f75c458c3907630107b4260f58f1f9ad61ee09
                                                                          • Opcode Fuzzy Hash: 5fb80fd511802fef94b0fe4cdafd39d7b5770812cafcca6585ceee978d41f385
                                                                          • Instruction Fuzzy Hash: 4A414C71910119EFCF11DFF4CD46ADDBB78AF09764F104169E415AA290EB789A09CB70
                                                                          APIs
                                                                          • GlobalAlloc.KERNEL32(00000002,00000000,00000000,00000000,?,?,6BDE6076,00000000,00000000,?,\~k,?,6BDE4353,?,?,?), ref: 6BDE6092
                                                                          • GlobalLock.KERNEL32(00000000), ref: 6BDE609F
                                                                          • GlobalUnlock.KERNEL32(00000000), ref: 6BDE60AA
                                                                          • GlobalFree.KERNEL32(00000000), ref: 6BDE60B1
                                                                          • GlobalUnlock.KERNEL32(00000000), ref: 6BDE60CF
                                                                          • CreateStreamOnHGlobal.OLE32(00000000,00000001,00000000), ref: 6BDE60DC
                                                                          • EnterCriticalSection.KERNEL32(6BF39B70,00000000), ref: 6BDE60F5
                                                                          • LeaveCriticalSection.KERNEL32(6BF39B70,00000000), ref: 6BDE615C
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Global$CriticalSectionUnlock$AllocCreateEnterFreeLeaveLockStream
                                                                          • String ID:
                                                                          • API String ID: 295443201-0
                                                                          • Opcode ID: 782ffbbbd58eaf34c7ed9095bcafda7ff7aba5725230385da6cc0ae518bf306a
                                                                          • Instruction ID: 5be532bac0925e85f85f7354b12fdfc4976de9971247740c6b5a430970a5560d
                                                                          • Opcode Fuzzy Hash: 782ffbbbd58eaf34c7ed9095bcafda7ff7aba5725230385da6cc0ae518bf306a
                                                                          • Instruction Fuzzy Hash: 4B31E431610614ABDF216B34C849B5E37AAEF46365F004464FA12DF261EF3CEA05DBA0
                                                                          APIs
                                                                          • ScreenToClient.USER32(?,?), ref: 6BD9A42E
                                                                          • GetParent.USER32(?), ref: 6BD9A43E
                                                                          • GetClientRect.USER32(?,?), ref: 6BD9A482
                                                                          • MapWindowPoints.USER32(?,?,?,00000002), ref: 6BD9A494
                                                                          • PtInRect.USER32(?,?,?), ref: 6BD9A4A4
                                                                          • GetClientRect.USER32(?,?), ref: 6BD9A4D1
                                                                          • MapWindowPoints.USER32(?,?,?,00000002), ref: 6BD9A4E3
                                                                          • PtInRect.USER32(?,?,?), ref: 6BD9A4F3
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Rect$Client$PointsWindow$ParentScreen
                                                                          • String ID:
                                                                          • API String ID: 1944725958-0
                                                                          • Opcode ID: e20c43c5039285530b125edbead85166759b2386640e82720955e3f3c1675740
                                                                          • Instruction ID: 556dec7a2b68b99e10f9529b9d4636dcd506dbc2b5e7df1f13b83fca36af2f00
                                                                          • Opcode Fuzzy Hash: e20c43c5039285530b125edbead85166759b2386640e82720955e3f3c1675740
                                                                          • Instruction Fuzzy Hash: B731A137A10529AFCF01EFB4C849EAE7BB9FF09714B110529E945DE120DB35DE049B90
                                                                          APIs
                                                                          • GetCurrentThreadId.KERNEL32 ref: 03AE3F3C
                                                                          • SetLastError.KERNEL32(0000139F,?,10015054,03AE361F), ref: 03AE402B
                                                                            • Part of subcall function 03AE2B57: SwitchToThread.KERNEL32 ref: 03AE2B81
                                                                          • send.WS2_32(?,10017440,00000010,00000000), ref: 03AE3F9D
                                                                          • SetEvent.KERNEL32(?), ref: 03AE3FC0
                                                                          • InterlockedExchange.KERNEL32(?,00000000), ref: 03AE3FCC
                                                                          • WSACloseEvent.WS2_32(?), ref: 03AE3FDA
                                                                          • shutdown.WS2_32(?,00000001), ref: 03AE3FF2
                                                                          • closesocket.WS2_32(?), ref: 03AE3FFC
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3542251241.0000000003AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AE0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_3ae0000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: EventThread$CloseCurrentErrorExchangeInterlockedLastSwitchclosesocketsendshutdown
                                                                          • String ID:
                                                                          • API String ID: 518013673-0
                                                                          • Opcode ID: 5b0e511d635cae701d0a261cd8daf94e2af27413da8a227727d1db7110453b86
                                                                          • Instruction ID: 1c85d7246b6899d1386f7037dd2b6c6801c6cf65db3e773bffa080b6a0deae4a
                                                                          • Opcode Fuzzy Hash: 5b0e511d635cae701d0a261cd8daf94e2af27413da8a227727d1db7110453b86
                                                                          • Instruction Fuzzy Hash: D3212C75200710DBE731DF69C888B5AB7B9BF48716F18491EE5828B790C7BAE445CB50
                                                                          APIs
                                                                          • GetMenuItemCount.USER32(?), ref: 6BD778BD
                                                                          • GetMenuItemCount.USER32(?), ref: 6BD778C9
                                                                          • GetSubMenu.USER32(?,-00000001), ref: 6BD778E0
                                                                          • GetMenuItemCount.USER32(00000000), ref: 6BD778F3
                                                                          • GetSubMenu.USER32(00000000,00000000), ref: 6BD77904
                                                                          • RemoveMenu.USER32(00000000,00000000,00000400), ref: 6BD7791E
                                                                          • GetSubMenu.USER32(?,00000000), ref: 6BD77935
                                                                          • RemoveMenu.USER32(?,-00000001,00000400), ref: 6BD77950
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Menu$CountItem$Remove
                                                                          • String ID:
                                                                          • API String ID: 3494307843-0
                                                                          • Opcode ID: 6f4a8a47a08f4eaca07dd5b3ca5f9b1e46d151d3126f7e20b4e77b7bdfc61d8d
                                                                          • Instruction ID: c2d5cb4ffd5a1ad00297228e6d96b3a3d58eda832cf71b7e531c81270a2150b2
                                                                          • Opcode Fuzzy Hash: 6f4a8a47a08f4eaca07dd5b3ca5f9b1e46d151d3126f7e20b4e77b7bdfc61d8d
                                                                          • Instruction Fuzzy Hash: 5E11AF31501206FBCF216F25CC4AECF3F78EB427A4F114874F905A9060C739DA94DA60
                                                                          APIs
                                                                          • GetSystemMetrics.USER32(00000031), ref: 6BD7E8BF
                                                                          • GetSystemMetrics.USER32(00000032), ref: 6BD7E8CD
                                                                          • SetRectEmpty.USER32(?), ref: 6BD7E8E0
                                                                          • EnumDisplayMonitors.USER32(00000000,00000000,6BD7F089,?,?,?), ref: 6BD7E8F0
                                                                          • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 6BD7E8FF
                                                                          • SystemParametersInfoW.USER32(00001002,00000000,?,00000000), ref: 6BD7E92C
                                                                          • SystemParametersInfoW.USER32(00001012,00000000,?,00000000), ref: 6BD7E940
                                                                          • SystemParametersInfoW.USER32(0000100A,00000000,?,00000000), ref: 6BD7E966
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: System$InfoParameters$Metrics$DisplayEmptyEnumMonitorsRect
                                                                          • String ID:
                                                                          • API String ID: 2614369430-0
                                                                          • Opcode ID: 8a6716fcf17c08257580e795af8eaf6d8b8ea60fe7ae57be522d3a6a4c002ae2
                                                                          • Instruction ID: 3e6076a7123ed1c4924bae51c585942af0e6f25c98745564ded5f4ea462acf1b
                                                                          • Opcode Fuzzy Hash: 8a6716fcf17c08257580e795af8eaf6d8b8ea60fe7ae57be522d3a6a4c002ae2
                                                                          • Instruction Fuzzy Hash: 662136B1251616BFE7149F718889BE3FBACFB0A755F414539E948CA140DBB0A8588BE0
                                                                          APIs
                                                                          • _set_app_type.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000002), ref: 0002101E
                                                                          • _set_fmode.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000002), ref: 00021029
                                                                          • __p__commode.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000002), ref: 00021035
                                                                          • __RTC_Initialize.LIBCMT ref: 0002104D
                                                                          • _configure_narrow_argv.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,000217FA), ref: 00021062
                                                                            • Part of subcall function 0002155C: InitializeSListHead.KERNEL32(000230C0,00021072), ref: 00021561
                                                                          • __setusermatherr.API-MS-WIN-CRT-MATH-L1-1-0(Function_0000154F), ref: 00021080
                                                                          • _configthreadlocale.API-MS-WIN-CRT-LOCALE-L1-1-0(00000000), ref: 0002109B
                                                                          • _initialize_narrow_environment.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000210AA
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3541338150.0000000000021000.00000020.00000001.01000000.00000005.sdmp, Offset: 00020000, based on PE: true
                                                                          • Associated: 00000003.00000002.3541291978.0000000000020000.00000002.00000001.01000000.00000005.sdmp
                                                                          • Associated: 00000003.00000002.3541375098.0000000000022000.00000002.00000001.01000000.00000005.sdmp
                                                                          • Associated: 00000003.00000002.3541410059.0000000000023000.00000004.00000001.01000000.00000005.sdmp
                                                                          • Associated: 00000003.00000002.3541444515.0000000000024000.00000002.00000001.01000000.00000005.sdmp
                                                                          • Associated: 00000003.00000002.3541444515.0000000000066000.00000002.00000001.01000000.00000005.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_20000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Initialize$HeadList__p__commode__setusermatherr_configthreadlocale_configure_narrow_argv_initialize_narrow_environment_set_app_type_set_fmode
                                                                          • String ID:
                                                                          • API String ID: 1933938900-0
                                                                          • Opcode ID: 315d5551eba9dd7793f0969fdb3a04e9c8aa9acc4db933c303e7390013b78796
                                                                          • Instruction ID: d557aff98991b80415d4b1814c092c83c48e5cfd8e882c8a0b8043079e12abb6
                                                                          • Opcode Fuzzy Hash: 315d5551eba9dd7793f0969fdb3a04e9c8aa9acc4db933c303e7390013b78796
                                                                          • Instruction Fuzzy Hash: 05019675A48FB1E4D9643BF93907ADE02AA0FF0794F6109D5F9069A083EEA5C5C140F3
                                                                          APIs
                                                                          • OffsetRect.USER32(?,00000000,?), ref: 6BD66110
                                                                          • OffsetRect.USER32(?,?,00000000), ref: 6BD66130
                                                                          • SetCapture.USER32(?), ref: 6BD661A3
                                                                          • RedrawWindow.USER32(?,00000000,00000000,00000180,00000000), ref: 6BD661C2
                                                                          • ReleaseCapture.USER32 ref: 6BD66250
                                                                          • OffsetRect.USER32(?,000000FF,000000FF), ref: 6BD662C6
                                                                          • OffsetRect.USER32(?,000000FF,000000FF), ref: 6BD662D7
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: OffsetRect$Capture$RedrawReleaseWindow
                                                                          • String ID:
                                                                          • API String ID: 1110970518-0
                                                                          • Opcode ID: 6969ce0d34bf2c6c89026f04e673ce39a325b4904e5248e840b208af9cb91ac1
                                                                          • Instruction ID: 87ec0adc113701ff95fd403a463207cd8d0fa19bd59e2af818fcf1367d848f66
                                                                          • Opcode Fuzzy Hash: 6969ce0d34bf2c6c89026f04e673ce39a325b4904e5248e840b208af9cb91ac1
                                                                          • Instruction Fuzzy Hash: 7FD16D756006149FCF049F68C8A8BAD37A6FF49320F1905B9ED0A9F396DB74AD05CB90
                                                                          APIs
                                                                          • __EH_prolog3_catch.LIBCMT ref: 6BE7BF8E
                                                                            • Part of subcall function 6BE7C251: OleGetClipboard.OLE32(00000000), ref: 6BE7C267
                                                                          • ReleaseStgMedium.OLE32(?), ref: 6BE7C012
                                                                          • ReleaseStgMedium.OLE32(?), ref: 6BE7C059
                                                                          • ReleaseStgMedium.OLE32(?), ref: 6BE7C068
                                                                          • CoTaskMemFree.OLE32(?,?,00000000,?,00000040,6BDE6D3C,?,00000000,00000000,0000005C), ref: 6BE7C118
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: MediumRelease$ClipboardFreeH_prolog3_catchTask
                                                                          • String ID: '
                                                                          • API String ID: 3213536121-1997036262
                                                                          • Opcode ID: c4d950d12c945c47356d48fb9515858eddc355927552f445b0f22464fed05d87
                                                                          • Instruction ID: b030db088e5a5be2cfecde88a304eaf8ae75bfad7c9d0f020891c7bd533dc744
                                                                          • Opcode Fuzzy Hash: c4d950d12c945c47356d48fb9515858eddc355927552f445b0f22464fed05d87
                                                                          • Instruction Fuzzy Hash: FB519731E002099BDF10EFB8C855AADBBB9AF45718F204079E511FB390DB79DA45DBA0
                                                                          APIs
                                                                            • Part of subcall function 6BD9D249: IsWindow.USER32(?), ref: 6BD9D255
                                                                          • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 6BD7208B
                                                                            • Part of subcall function 6BD9D8C7: GetClientRect.USER32(?,?), ref: 6BD9D8EF
                                                                            • Part of subcall function 6BD9D8C7: PtInRect.USER32(?,00000000,?), ref: 6BD9D909
                                                                          • ScreenToClient.USER32(?,?), ref: 6BD71F58
                                                                          • PtInRect.USER32(?,?,?), ref: 6BD71F6B
                                                                          • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 6BD71F9D
                                                                          • GetParent.USER32(?), ref: 6BD71FCD
                                                                          • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 6BD7204B
                                                                          • GetFocus.USER32 ref: 6BD72051
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: MessageRectSend$Client$FocusParentScreenWindow
                                                                          • String ID:
                                                                          • API String ID: 1639644240-0
                                                                          • Opcode ID: e8cfa66559ba21f7ba4c67f285a154ecc97668ac9a1673e4703c3602228caf50
                                                                          • Instruction ID: 8fa627d04320aba10f3646bb56c350ad03a7018d5ed56e6696b99d68d03867d7
                                                                          • Opcode Fuzzy Hash: e8cfa66559ba21f7ba4c67f285a154ecc97668ac9a1673e4703c3602228caf50
                                                                          • Instruction Fuzzy Hash: B3515075A10255DBDF20EF79C855ADE7BB4FF4A324B0040B5E911EB260DB39DA00DBA0
                                                                          APIs
                                                                          • __EH_prolog3_GS.LIBCMT ref: 6BDD2D50
                                                                            • Part of subcall function 6BDF306A: __EH_prolog3.LIBCMT ref: 6BDF3071
                                                                          • GetMenuItemCount.USER32(?), ref: 6BDD2DA6
                                                                          • GetMenuItemID.USER32(?,00000000), ref: 6BDD2DC3
                                                                          • GetMenuItemCount.USER32(?), ref: 6BDD2DF8
                                                                          • GetMenuItemID.USER32(?,00000000), ref: 6BDD2E2A
                                                                          • SendMessageW.USER32(?,00000234,00000000,00000000), ref: 6BDD2E8F
                                                                          • GetMenuState.USER32(00000001,00000000,00000400), ref: 6BDD2EEC
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Menu$Item$Count$H_prolog3H_prolog3_MessageSendState
                                                                          • String ID:
                                                                          • API String ID: 999183886-0
                                                                          • Opcode ID: b4964d2d5556b7a4f82060cc75111fa70bdc8da6fd4c434e3dc94c1036b3a8cf
                                                                          • Instruction ID: 0fe184310c34b7af1eb0b7f8a494bc3ce5d6cd32fd7d91f26fc96c0306fa122b
                                                                          • Opcode Fuzzy Hash: b4964d2d5556b7a4f82060cc75111fa70bdc8da6fd4c434e3dc94c1036b3a8cf
                                                                          • Instruction Fuzzy Hash: 8F61AB70901216DBDF25DB35CC45BEDB7B4AF05328F1006E9E869AA1E0DB389B85DF50
                                                                          APIs
                                                                            • Part of subcall function 6BDE6CF4: __EH_prolog3_catch.LIBCMT ref: 6BDE6CFB
                                                                          • UpdateWindow.USER32(?), ref: 6BD94082
                                                                          • EqualRect.USER32(?,?), ref: 6BD940C2
                                                                          • InflateRect.USER32(?,00000002,00000002), ref: 6BD940DA
                                                                          • InvalidateRect.USER32(?,?,00000001), ref: 6BD940E9
                                                                          • InflateRect.USER32(?,00000002,00000002), ref: 6BD94100
                                                                          • InvalidateRect.USER32(?,?,00000001), ref: 6BD94112
                                                                          • UpdateWindow.USER32(?), ref: 6BD9411B
                                                                            • Part of subcall function 6BD927FA: InvalidateRect.USER32(?,?,00000001,?), ref: 6BD92871
                                                                            • Part of subcall function 6BD927FA: InflateRect.USER32(?,00000000,?), ref: 6BD928B7
                                                                            • Part of subcall function 6BD927FA: RedrawWindow.USER32(?,?,00000000,00000401), ref: 6BD928CB
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Rect$InflateInvalidateWindow$Update$EqualH_prolog3_catchRedraw
                                                                          • String ID:
                                                                          • API String ID: 1041772997-0
                                                                          • Opcode ID: 9bd1a58f64773f4d4ca42969399b3c625adb7b8fb42286749f9eb9c6e4ec2e60
                                                                          • Instruction ID: 801f6d42f96d1230117ca23fb96ccfdf9fbbf57648d46722d8277191d466a3e2
                                                                          • Opcode Fuzzy Hash: 9bd1a58f64773f4d4ca42969399b3c625adb7b8fb42286749f9eb9c6e4ec2e60
                                                                          • Instruction Fuzzy Hash: 45519B756002099FCF14DF24C895BAA3BB5BB49320F0445B9EC2AEF296DB749905CFA0
                                                                          APIs
                                                                          • GetParent.USER32(?), ref: 6BD6BA4B
                                                                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 6BD6BA6D
                                                                          • UpdateWindow.USER32(?), ref: 6BD6BA87
                                                                          • SendMessageW.USER32(?,00000121,00000001,?), ref: 6BD6BAAD
                                                                          • SendMessageW.USER32(?,0000036A,00000000,00000000), ref: 6BD6BAC5
                                                                          • UpdateWindow.USER32(?), ref: 6BD6BB12
                                                                            • Part of subcall function 6BD7B682: GetWindowLongW.USER32(458BF84D,000000F0), ref: 6BD7B68F
                                                                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 6BD6BB5C
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Message$Window$PeekSendUpdate$LongParent
                                                                          • String ID:
                                                                          • API String ID: 2853195852-0
                                                                          • Opcode ID: ec1c7846ddf7d7eb731bf3076facb4ff7e229c7aaee83827e0b3986a7f975913
                                                                          • Instruction ID: 1740afc951471da2de87ec6d31108df8d28a5d2f450a189bd0c0544f60d62d74
                                                                          • Opcode Fuzzy Hash: ec1c7846ddf7d7eb731bf3076facb4ff7e229c7aaee83827e0b3986a7f975913
                                                                          • Instruction Fuzzy Hash: F4418271A10609EBDB149F74C946B6E7BB8FF05764F004568F811DB190E7B8DE009B94
                                                                          APIs
                                                                          • _ValidateLocalCookies.LIBCMT ref: 6BEA2547
                                                                          • ___except_validate_context_record.LIBVCRUNTIME ref: 6BEA254F
                                                                          • _ValidateLocalCookies.LIBCMT ref: 6BEA25D8
                                                                          • __IsNonwritableInCurrentImage.LIBCMT ref: 6BEA2603
                                                                          • _ValidateLocalCookies.LIBCMT ref: 6BEA2658
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                          • String ID: csm
                                                                          • API String ID: 1170836740-1018135373
                                                                          • Opcode ID: 2aaac327db9b106b041e35770ad3bcf9ae9c62f296e195284ff1f9b1ee487bd1
                                                                          • Instruction ID: c068e55447e12085545554f7e6215abfd0f433782d45e9360a435d4f1d2eda09
                                                                          • Opcode Fuzzy Hash: 2aaac327db9b106b041e35770ad3bcf9ae9c62f296e195284ff1f9b1ee487bd1
                                                                          • Instruction Fuzzy Hash: A6418134E002199BCF00DF7AC894A9E7BA9BF55318F208199E824AF351D739DA55CBD1
                                                                          APIs
                                                                          • __EH_prolog3_GS.LIBCMT ref: 6BDECDFD
                                                                          • CopyRect.USER32(?,?), ref: 6BDECEAB
                                                                          • IsRectEmpty.USER32(?), ref: 6BDECEC3
                                                                          • IsRectEmpty.USER32(?), ref: 6BDECEDB
                                                                          • IsRectEmpty.USER32(?), ref: 6BDECEF0
                                                                            • Part of subcall function 6BD7EBFA: __EH_prolog3.LIBCMT ref: 6BD7EC01
                                                                            • Part of subcall function 6BD7EBFA: LoadCursorW.USER32(00000000,00007F00), ref: 6BD7EC25
                                                                            • Part of subcall function 6BD7EBFA: GetClassInfoW.USER32(?,?,?), ref: 6BD7EC60
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Rect$Empty$ClassCopyCursorH_prolog3H_prolog3_InfoLoad
                                                                          • String ID: Afx:ControlBar
                                                                          • API String ID: 685170547-4244778371
                                                                          • Opcode ID: 5c76a2ebdd6781acfa6964c76a38d8fb273989570babc513eeb106678d70c1f1
                                                                          • Instruction ID: f52a6022d682eb45714f2f121b9c20382a446777d93466231c3b1b800ce9c14b
                                                                          • Opcode Fuzzy Hash: 5c76a2ebdd6781acfa6964c76a38d8fb273989570babc513eeb106678d70c1f1
                                                                          • Instruction Fuzzy Hash: 87413675A002099BDF01DFA4C895AEE7BB5BF49354F0404A9EC05FF250DB79AA05CB70
                                                                          APIs
                                                                          • GetClientRect.USER32(?,?), ref: 6BD79BE5
                                                                          • IsThemeBackgroundPartiallyTransparent.UXTHEME(?,00000006,00000000), ref: 6BD79C00
                                                                          • DrawThemeParentBackground.UXTHEME(?,?,?), ref: 6BD79C14
                                                                          • SetRectEmpty.USER32(?), ref: 6BD79C25
                                                                          • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 6BD79C33
                                                                          • DrawThemeBackground.UXTHEME(?,?,00000006,00000000,?,00000000), ref: 6BD79C69
                                                                          • CopyRect.USER32(?,?), ref: 6BD79CCE
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: BackgroundRectTheme$Draw$ClientCopyEmptyInfoParametersParentPartiallySystemTransparent
                                                                          • String ID:
                                                                          • API String ID: 2388076383-0
                                                                          • Opcode ID: 2ae38cc0b5e959ac0a877bf606084e54dd5cdc142a0624965428dc1df60537c1
                                                                          • Instruction ID: f3c2f5a48a5dd333be96394093dd0cd116390517d1f4c1419efb1065cd6faa7c
                                                                          • Opcode Fuzzy Hash: 2ae38cc0b5e959ac0a877bf606084e54dd5cdc142a0624965428dc1df60537c1
                                                                          • Instruction Fuzzy Hash: 92419D76A00609EFDB11DFA4C984AEFB7B9FF09354F10457AE906AA100D735AE45CBA0
                                                                          APIs
                                                                          • GetModuleHandleW.KERNEL32(10015EB4,?,03AE75B9,10017B60,00000008,03AE774D,?,?,?,10017B80,0000000C,03AE7808,?), ref: 03AE9AA5
                                                                          • __mtterm.LIBCMT ref: 03AE9AB1
                                                                            • Part of subcall function 03AE977C: RtlDecodePointer.NTDLL(100191C8), ref: 03AE978D
                                                                            • Part of subcall function 03AE977C: TlsFree.KERNEL32(100191CC,03AE767C,03AE7662,10017B60,00000008,03AE774D,?,?,?,10017B80,0000000C,03AE7808,?), ref: 03AE97A7
                                                                          • TlsAlloc.KERNEL32(?,?,03AE75B9,10017B60,00000008,03AE774D,?,?,?,10017B80,0000000C,03AE7808,?), ref: 03AE9B3E
                                                                          • __init_pointers.LIBCMT ref: 03AE9B63
                                                                          • __calloc_crt.LIBCMT ref: 03AE9BD1
                                                                          • GetCurrentThreadId.KERNEL32 ref: 03AE9BFD
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3542251241.0000000003AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AE0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_3ae0000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: AllocCurrentDecodeFreeHandleModulePointerThread__calloc_crt__init_pointers__mtterm
                                                                          • String ID:
                                                                          • API String ID: 3766280069-0
                                                                          • Opcode ID: 720715378607e4f18366517d453de5e5cb8b5ca67b172311fa18d72390665dd8
                                                                          • Instruction ID: b72d26aef99432db231e50e19e6fb3b95a164a7e7a00007f6f196376c21487bd
                                                                          • Opcode Fuzzy Hash: 720715378607e4f18366517d453de5e5cb8b5ca67b172311fa18d72390665dd8
                                                                          • Instruction Fuzzy Hash: 15313B35840B35EEE721EF758D8870A7EE6EB89361B18852FE4149B260FB39C481CF50
                                                                          APIs
                                                                          • __EH_prolog3_GS.LIBCMT ref: 6BD6089C
                                                                          • GetClassNameW.USER32(?,?,000000FF), ref: 6BD608F6
                                                                          • IsAppThemed.UXTHEME(?,?,00000001,?), ref: 6BD60987
                                                                          • GetStockObject.GDI32(00000005), ref: 6BD60998
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: ClassH_prolog3_NameObjectStockThemed
                                                                          • String ID: Button$Static
                                                                          • API String ID: 2434646892-2498952662
                                                                          • Opcode ID: 005e555857df53da7c06aa600e14a5c26a05ffcff16fba18fdef113b7410cacf
                                                                          • Instruction ID: 2fee7765ca746576e94a4025a22a60061eb5bc5cf78cb09e79903a5c44a6ab64
                                                                          • Opcode Fuzzy Hash: 005e555857df53da7c06aa600e14a5c26a05ffcff16fba18fdef113b7410cacf
                                                                          • Instruction Fuzzy Hash: 5F31C231980209DBDF28DB64C889BDE7375AF543F4F0405D9D559AF180EB38AA84CFA1
                                                                          APIs
                                                                          • __EH_prolog3_GS.LIBCMT ref: 6BDE09F8
                                                                            • Part of subcall function 6BDE0AE2: __EH_prolog3.LIBCMT ref: 6BDE0AE9
                                                                            • Part of subcall function 6BDE0AE2: GetProfileIntW.KERNEL32(windows,DragMinDist,00000002), ref: 6BDE0B3C
                                                                            • Part of subcall function 6BDE0AE2: GetProfileIntW.KERNEL32(windows,DragDelay,000000C8), ref: 6BDE0B52
                                                                          • CopyRect.USER32(?,?), ref: 6BDE0A2D
                                                                          • GetCursorPos.USER32(?), ref: 6BDE0A3F
                                                                          • SetRect.USER32(?,?,?,?,?), ref: 6BDE0A52
                                                                          • IsRectEmpty.USER32(?), ref: 6BDE0A6D
                                                                          • InflateRect.USER32(?,00000002,00000002), ref: 6BDE0A7F
                                                                          • DoDragDrop.OLE32(00000000,00000000,?,?), ref: 6BDE0AC7
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Rect$Profile$CopyCursorDragDropEmptyH_prolog3H_prolog3_Inflate
                                                                          • String ID:
                                                                          • API String ID: 1837043813-0
                                                                          • Opcode ID: 7773abc524f52f4221e44bbb054873835446aeae0f069e2e4ca5d1608410b145
                                                                          • Instruction ID: f4f5b6a693983081423643197d6a567461c062f2791885125e9c1f58167241bc
                                                                          • Opcode Fuzzy Hash: 7773abc524f52f4221e44bbb054873835446aeae0f069e2e4ca5d1608410b145
                                                                          • Instruction Fuzzy Hash: EF317A75A01258DBCF01DFE4C849AAE7BB9FF49394B414014E815AF214DB38DA0ACB74
                                                                          APIs
                                                                          • RegOpenKeyExW.ADVAPI32(80000001,software,00000000,0002001F,?,?,00000000,00000000,?,00000000), ref: 6BD7A928
                                                                          • RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,00000000,?,00000000,00000000,?,00000000), ref: 6BD7A954
                                                                          • RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,00000000,?,00000000,00000000,?,00000000), ref: 6BD7A980
                                                                          • RegCloseKey.ADVAPI32(00000000,?,00000000), ref: 6BD7A992
                                                                          • RegCloseKey.ADVAPI32(00000000,?,00000000), ref: 6BD7A9A1
                                                                            • Part of subcall function 6BD7A1BA: GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 6BD7A1CB
                                                                            • Part of subcall function 6BD7A1BA: GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedW), ref: 6BD7A1DB
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: CloseCreate$AddressHandleModuleOpenProc
                                                                          • String ID: software
                                                                          • API String ID: 550756860-2010147023
                                                                          • Opcode ID: b7836ba95eeeb115a8fdc0c1ce8cb45a8b604bbdbda01033e269a6757647a935
                                                                          • Instruction ID: c76aaa65a8146a9976921286bc02889534ca62f2471c9460b01904962c73739a
                                                                          • Opcode Fuzzy Hash: b7836ba95eeeb115a8fdc0c1ce8cb45a8b604bbdbda01033e269a6757647a935
                                                                          • Instruction Fuzzy Hash: 99216A72A00119FBEB25EB94C845EFFBB7DEB45710F4240B9E900EA110D374CA249B65
                                                                          APIs
                                                                          • SendMessageW.USER32(00000000,00000407,00000000,?), ref: 6BDA19E7
                                                                          • IsRectEmpty.USER32(?), ref: 6BDA1A03
                                                                          • IsRectEmpty.USER32(?), ref: 6BDA1A0E
                                                                          • GetCursorPos.USER32(00000000), ref: 6BDA1A24
                                                                          • ScreenToClient.USER32(?,00000000), ref: 6BDA1A31
                                                                          • PtInRect.USER32(?,00000000,00000000), ref: 6BDA1A44
                                                                          • PtInRect.USER32(?,00000000,00000000), ref: 6BDA1A55
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Rect$Empty$ClientCursorMessageScreenSend
                                                                          • String ID:
                                                                          • API String ID: 703117857-0
                                                                          • Opcode ID: b5c5c45112fed9bfebb6dac33f906831ebd876d77a64b04843667d8b0721cba1
                                                                          • Instruction ID: 5fe380c5d13dfe9fce95f1f2f6b33621eb3457327d6a69a6b6616f8fce3477c0
                                                                          • Opcode Fuzzy Hash: b5c5c45112fed9bfebb6dac33f906831ebd876d77a64b04843667d8b0721cba1
                                                                          • Instruction Fuzzy Hash: 6F21A932510219FBDF108BA1CC49FDABBBDFF06729F000569E116EA060DB74EA45EB24
                                                                          APIs
                                                                          • RealChildWindowFromPoint.USER32(?,?,?,?,?,?,6BD679D8,?,?,?), ref: 6BD7FEAA
                                                                          • ClientToScreen.USER32(?,?), ref: 6BD7FEC4
                                                                          • GetWindow.USER32(?,00000005), ref: 6BD7FF16
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Window$ChildClientFromPointRealScreen
                                                                          • String ID:
                                                                          • API String ID: 2518355518-0
                                                                          • Opcode ID: d4a26ef39fc03adf0cf94609045153ad3152a3a5aa4f80281fd73c140257d924
                                                                          • Instruction ID: f28c400cfc821cc6049478bcdff2ebbe4c07cd384cb184d1451fcf0d67bb0ed9
                                                                          • Opcode Fuzzy Hash: d4a26ef39fc03adf0cf94609045153ad3152a3a5aa4f80281fd73c140257d924
                                                                          • Instruction Fuzzy Hash: 8111B431A11659ABCB21EF68C809FEFBBB9EF4A710F414535F801EB150DB34DA458BA0
                                                                          APIs
                                                                          • IsWindow.USER32(00000000), ref: 6BD6E574
                                                                          • FindResourceW.KERNEL32(?,00000000,AFX_DIALOG_LAYOUT), ref: 6BD6E59C
                                                                          • SizeofResource.KERNEL32(?,00000000), ref: 6BD6E5AE
                                                                          • LoadResource.KERNEL32(?,00000000), ref: 6BD6E5BA
                                                                          • LockResource.KERNEL32(00000000), ref: 6BD6E5C5
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Resource$FindLoadLockSizeofWindow
                                                                          • String ID: AFX_DIALOG_LAYOUT
                                                                          • API String ID: 2582447065-2436846380
                                                                          • Opcode ID: f7e5d9fb5d7b1e2446afc30aaf59e720fecd994c023dbf21e32d7262e4a59afd
                                                                          • Instruction ID: 4391bad98b723b9ed5df2e2122fdef4a5b49e92bd3cbeaec00fbed72111c72ad
                                                                          • Opcode Fuzzy Hash: f7e5d9fb5d7b1e2446afc30aaf59e720fecd994c023dbf21e32d7262e4a59afd
                                                                          • Instruction Fuzzy Hash: 1F11E172620304EBEB019BB4CC49B6E3AACEB456A0F0044B9F901DA214FB7CD940D760
                                                                          APIs
                                                                          • __EH_prolog3.LIBCMT ref: 6BDC2C40
                                                                            • Part of subcall function 6BD60447: __EH_prolog3.LIBCMT ref: 6BD6044E
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: H_prolog3
                                                                          • String ID: AQUA_$BLACK_$BLUE_$IDX_OFFICE2007_STYLE$SILVER_
                                                                          • API String ID: 431132790-2717817858
                                                                          • Opcode ID: 25391bf3b64d8946db63332fe02c34ef96f66f223fa007dd4fbe04e28fbc7ad5
                                                                          • Instruction ID: f6f7714c0a398230df763231322d1bff7e332953fc16d6d9efbb4f91a539cbb5
                                                                          • Opcode Fuzzy Hash: 25391bf3b64d8946db63332fe02c34ef96f66f223fa007dd4fbe04e28fbc7ad5
                                                                          • Instruction Fuzzy Hash: 6E11E2B7800006DBCB05EFB8C952BBF7739AF80278F204A05E615AF194CB3D9B018762
                                                                          APIs
                                                                          • FindResourceW.KERNEL32(00000000,?,PNG,?,?,?,\~k,?,6BDE4353,?,?,?,00000038,6BDE1A3E), ref: 6BDE603F
                                                                          • LoadResource.KERNEL32(00000000,00000000,?,\~k,?,6BDE4353,?,?,?,00000038,6BDE1A3E), ref: 6BDE604D
                                                                          • LockResource.KERNEL32(00000000,?,\~k,?,6BDE4353,?,?,?,00000038,6BDE1A3E), ref: 6BDE6058
                                                                          • SizeofResource.KERNEL32(00000000,00000000,?,\~k,?,6BDE4353,?,?,?,00000038,6BDE1A3E), ref: 6BDE6066
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Resource$FindLoadLockSizeof
                                                                          • String ID: PNG$\~k
                                                                          • API String ID: 3473537107-2732586644
                                                                          • Opcode ID: a1f3243b3390b55fde7b050e625619495a291ad0c61c879383b88af367b56760
                                                                          • Instruction ID: 8abd4419cb2225242368db497114f1ed3200268ec6210d1b4a99769646e316b9
                                                                          • Opcode Fuzzy Hash: a1f3243b3390b55fde7b050e625619495a291ad0c61c879383b88af367b56760
                                                                          • Instruction Fuzzy Hash: 97F0F636510625BB5B11ABB48C49DAF377CDF866713014475FA019B210DB38FD0697B0
                                                                          APIs
                                                                          • GetModuleHandleW.KERNEL32(uxtheme.dll,?,?,6BD7D966,00000001,?,00000002,00000000,?), ref: 6BD86211
                                                                          • GetProcAddress.KERNEL32(00000000,BeginBufferedPaint), ref: 6BD86221
                                                                          • EncodePointer.KERNEL32(00000000,?,6BD7D966,00000001,?,00000002,00000000,?), ref: 6BD8622A
                                                                          • DecodePointer.KERNEL32(00000000,?,?,6BD7D966,00000001,?,00000002,00000000,?), ref: 6BD86238
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Pointer$AddressDecodeEncodeHandleModuleProc
                                                                          • String ID: BeginBufferedPaint$uxtheme.dll
                                                                          • API String ID: 2061474489-1632326970
                                                                          • Opcode ID: 07380e5e586d71275eccbadd9e53012b1a5198e24952a514d0b0188d6093aee5
                                                                          • Instruction ID: 37ea732ada66652d92f44a345bb2d92d4ade4d61de9f073d3de3f2b9eb738b74
                                                                          • Opcode Fuzzy Hash: 07380e5e586d71275eccbadd9e53012b1a5198e24952a514d0b0188d6093aee5
                                                                          • Instruction Fuzzy Hash: 6FF01D72525215AB8F516FA48C19B5E3F69EB06BB27010460FD05DA230EB79D814ABA0
                                                                          APIs
                                                                          • GetModuleHandleW.KERNEL32(shell32.dll), ref: 6BD86021
                                                                          • GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 6BD86031
                                                                          • EncodePointer.KERNEL32(00000000), ref: 6BD8603A
                                                                          • DecodePointer.KERNEL32(00000000), ref: 6BD86048
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Pointer$AddressDecodeEncodeHandleModuleProc
                                                                          • String ID: SHGetKnownFolderPath$shell32.dll
                                                                          • API String ID: 2061474489-2936008475
                                                                          • Opcode ID: 99f1085d7cbf453c606ba9b47fb01c675ca816c495567907af8241253ce226c0
                                                                          • Instruction ID: 4386d630c2dc4454279e9bd14448518e78351ae742abfca3bcfca6d4dea08882
                                                                          • Opcode Fuzzy Hash: 99f1085d7cbf453c606ba9b47fb01c675ca816c495567907af8241253ce226c0
                                                                          • Instruction Fuzzy Hash: 64F03076521219EBCF212F648C09A5E3F69EB0A7727010470FD15EA221EB79C8149BB4
                                                                          APIs
                                                                          • GetModuleHandleW.KERNEL32(comctl32.dll), ref: 6BD8656C
                                                                          • GetProcAddress.KERNEL32(00000000,TaskDialogIndirect), ref: 6BD8657C
                                                                          • EncodePointer.KERNEL32(00000000), ref: 6BD86585
                                                                          • DecodePointer.KERNEL32(00000000), ref: 6BD86593
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Pointer$AddressDecodeEncodeHandleModuleProc
                                                                          • String ID: TaskDialogIndirect$comctl32.dll
                                                                          • API String ID: 2061474489-2809879075
                                                                          • Opcode ID: 8b6eb2db28ef1595d718e4ac180e02611b52dbc6dc3b45b2782bc1ca34c0a4ad
                                                                          • Instruction ID: 85f7f7382498e6649096728734570a1e5b8ddb1c3841356843ea8bf6c41e4f0e
                                                                          • Opcode Fuzzy Hash: 8b6eb2db28ef1595d718e4ac180e02611b52dbc6dc3b45b2782bc1ca34c0a4ad
                                                                          • Instruction Fuzzy Hash: A3F08976530219EBCF112F68CC08A5E3F69EB0AB717014860FD15DA234DB39C9149BF0
                                                                          APIs
                                                                          • GetModuleHandleW.KERNEL32(shell32.dll), ref: 6BD85FBC
                                                                          • GetProcAddress.KERNEL32(00000000,SHCreateItemFromParsingName), ref: 6BD85FCC
                                                                          • EncodePointer.KERNEL32(00000000), ref: 6BD85FD5
                                                                          • DecodePointer.KERNEL32(00000000), ref: 6BD85FE3
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Pointer$AddressDecodeEncodeHandleModuleProc
                                                                          • String ID: SHCreateItemFromParsingName$shell32.dll
                                                                          • API String ID: 2061474489-2320870614
                                                                          • Opcode ID: 406dcb7ea4e44ddf5a2c6e7f36ef12a3122477c225a001132dd57191380cce9e
                                                                          • Instruction ID: 5aa8fa4c4790b43a2bb89cb58040c807d214f07e41e0f29f59005e12f4bbd0c1
                                                                          • Opcode Fuzzy Hash: 406dcb7ea4e44ddf5a2c6e7f36ef12a3122477c225a001132dd57191380cce9e
                                                                          • Instruction Fuzzy Hash: 5FF0B472525215EB8F211F64CC09E5E3F69EB057617014830FE05EE220D739C8149FB1
                                                                          APIs
                                                                          • GetModuleHandleW.KERNEL32(kernel32.dll,?,?,6BD695BF,?,?,?,?), ref: 6BD85E4A
                                                                          • GetProcAddress.KERNEL32(00000000,RegisterApplicationRecoveryCallback), ref: 6BD85E5A
                                                                          • EncodePointer.KERNEL32(00000000,?,?,6BD695BF,?,?,?,?), ref: 6BD85E63
                                                                          • DecodePointer.KERNEL32(00000000,?,?,6BD695BF,?,?,?,?), ref: 6BD85E71
                                                                          Strings
                                                                          • RegisterApplicationRecoveryCallback, xrefs: 6BD85E54
                                                                          • kernel32.dll, xrefs: 6BD85E45
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Pointer$AddressDecodeEncodeHandleModuleProc
                                                                          • String ID: RegisterApplicationRecoveryCallback$kernel32.dll
                                                                          • API String ID: 2061474489-202725706
                                                                          • Opcode ID: e75bf98954274299a1c6aa5b740722a5aeecbd73061b5155ed5bf0eb09fecd72
                                                                          • Instruction ID: 945f96a7fb54cbd2189a0fb2dbf05d58f912f84e51959b67217ad164cacabb3d
                                                                          • Opcode Fuzzy Hash: e75bf98954274299a1c6aa5b740722a5aeecbd73061b5155ed5bf0eb09fecd72
                                                                          • Instruction Fuzzy Hash: 29F054B651421AEBCF122F64CC08A5A3B69FF077667014821FD06EE220E779C8149FB0
                                                                          APIs
                                                                          • GetModuleHandleW.KERNEL32(uxtheme.dll,?,?,6BD7DA4D,?,00000001,92806F5A), ref: 6BD86276
                                                                          • GetProcAddress.KERNEL32(00000000,EndBufferedPaint), ref: 6BD86286
                                                                          • EncodePointer.KERNEL32(00000000,?,?,6BD7DA4D,?,00000001,92806F5A), ref: 6BD8628F
                                                                          • DecodePointer.KERNEL32(00000000,?,?,6BD7DA4D,?,00000001,92806F5A), ref: 6BD8629D
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Pointer$AddressDecodeEncodeHandleModuleProc
                                                                          • String ID: EndBufferedPaint$uxtheme.dll
                                                                          • API String ID: 2061474489-2993015961
                                                                          • Opcode ID: 2272ee0f264c0ddc65a7569f1c01cb9ea1d35538b2364bbfb849b9ded848b32c
                                                                          • Instruction ID: d6ede3c3a4399bc838517a5bac329153a3203caf745ccb1c6dadb74cef987d0c
                                                                          • Opcode Fuzzy Hash: 2272ee0f264c0ddc65a7569f1c01cb9ea1d35538b2364bbfb849b9ded848b32c
                                                                          • Instruction Fuzzy Hash: DEF01271571215FB9F112B68885DF5E7B69EB067B234108A1FC05EE220EB79D8059AF0
                                                                          APIs
                                                                          • GetModuleHandleW.KERNEL32(user32.dll), ref: 6BD85F60
                                                                          • GetProcAddress.KERNEL32(00000000,ChangeWindowMessageFilter), ref: 6BD85F70
                                                                          • EncodePointer.KERNEL32(00000000), ref: 6BD85F79
                                                                          • DecodePointer.KERNEL32(00000000), ref: 6BD85F87
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Pointer$AddressDecodeEncodeHandleModuleProc
                                                                          • String ID: ChangeWindowMessageFilter$user32.dll
                                                                          • API String ID: 2061474489-2498399450
                                                                          • Opcode ID: 6ed89b341b14089fea5f149a2bc644eb98dc22c47f2ef6b522bbcce02163b0c0
                                                                          • Instruction ID: eab4d03572ba4b299b55959450612052c486e7308266c8c97004f1e2914b8c2a
                                                                          • Opcode Fuzzy Hash: 6ed89b341b14089fea5f149a2bc644eb98dc22c47f2ef6b522bbcce02163b0c0
                                                                          • Instruction Fuzzy Hash: A7F08231566215AF9F212B648808A593F59EB467A63410461FD06DA224EB39C9049AF0
                                                                          APIs
                                                                          • GetModuleHandleW.KERNEL32(kernel32.dll,?,?,6BD695A3,?,?), ref: 6BD85DEB
                                                                          • GetProcAddress.KERNEL32(00000000,RegisterApplicationRestart), ref: 6BD85DFB
                                                                          • EncodePointer.KERNEL32(00000000,?,?,6BD695A3,?,?), ref: 6BD85E04
                                                                          • DecodePointer.KERNEL32(00000000,?,?,6BD695A3,?,?), ref: 6BD85E12
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Pointer$AddressDecodeEncodeHandleModuleProc
                                                                          • String ID: RegisterApplicationRestart$kernel32.dll
                                                                          • API String ID: 2061474489-1259503209
                                                                          • Opcode ID: 207f40447c98ef2a49f6d6bd10cee357de34c0c14410c490ec690aeb3f33440d
                                                                          • Instruction ID: 93262557ec6f7407e27cd2def8d4349625318a45bbf0b8d935fc4a9bc292385b
                                                                          • Opcode Fuzzy Hash: 207f40447c98ef2a49f6d6bd10cee357de34c0c14410c490ec690aeb3f33440d
                                                                          • Instruction Fuzzy Hash: ABF08971560215A7CF221BA4CC48A5A3B69FB05B673410421FD06DA220DB38C80456F4
                                                                          APIs
                                                                          • GetModuleHandleW.KERNEL32(kernel32.dll,?,?,6BD695DE,00000000), ref: 6BD85EAF
                                                                          • GetProcAddress.KERNEL32(00000000,ApplicationRecoveryInProgress), ref: 6BD85EBF
                                                                          • EncodePointer.KERNEL32(00000000,?,?,6BD695DE,00000000), ref: 6BD85EC8
                                                                          • DecodePointer.KERNEL32(00000000,?,?,6BD695DE,00000000), ref: 6BD85ED6
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Pointer$AddressDecodeEncodeHandleModuleProc
                                                                          • String ID: ApplicationRecoveryInProgress$kernel32.dll
                                                                          • API String ID: 2061474489-2899047487
                                                                          • Opcode ID: 6cd8b39ec22c9108904949c8621a134fee950aa634c829a5bfa423480619f7c9
                                                                          • Instruction ID: 1767909f5d5a87c5a68fc30385b9facb1c4da3afab6ebfaa5dd15786647a41f2
                                                                          • Opcode Fuzzy Hash: 6cd8b39ec22c9108904949c8621a134fee950aa634c829a5bfa423480619f7c9
                                                                          • Instruction Fuzzy Hash: 4DF0A77651531AE78F122B688C4CA1A3B68FB067A63410861FD06DA624EF7CC90456F0
                                                                          APIs
                                                                          • GetModuleHandleW.KERNEL32(kernel32.dll,?,?,6BD69621,00000001), ref: 6BD85F0B
                                                                          • GetProcAddress.KERNEL32(00000000,ApplicationRecoveryFinished), ref: 6BD85F1B
                                                                          • EncodePointer.KERNEL32(00000000,?,6BD69621,00000001), ref: 6BD85F24
                                                                          • DecodePointer.KERNEL32(00000000,?,?,6BD69621,00000001), ref: 6BD85F32
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Pointer$AddressDecodeEncodeHandleModuleProc
                                                                          • String ID: ApplicationRecoveryFinished$kernel32.dll
                                                                          • API String ID: 2061474489-1962646049
                                                                          • Opcode ID: 8c65edf6be04038e2ad8d7193746d1142c4ccd29260623ca1146c2bb61ddcc98
                                                                          • Instruction ID: 658d0930ad85abcbd691e362352a2ab77c2b369129d22d926d97aae29f81f85b
                                                                          • Opcode Fuzzy Hash: 8c65edf6be04038e2ad8d7193746d1142c4ccd29260623ca1146c2bb61ddcc98
                                                                          • Instruction Fuzzy Hash: C1F0EC315262159B8F112B748808E493F59EA06BA73011870FD02D6224D738C50447F0
                                                                          APIs
                                                                          • GetModuleHandleW.KERNEL32(uxtheme.dll,?,6BD7EAEA,?,?,6BD7DD83,92806F5A,?,?,?,Function_0019BAD0,000000FF), ref: 6BD861B9
                                                                          • GetProcAddress.KERNEL32(00000000,BufferedPaintUnInit), ref: 6BD861C9
                                                                          • EncodePointer.KERNEL32(00000000,?,6BD7EAEA,?,?,6BD7DD83,92806F5A,?,?,?,Function_0019BAD0,000000FF), ref: 6BD861D2
                                                                          • DecodePointer.KERNEL32(00000000,?,6BD7EAEA,?,?,6BD7DD83,92806F5A,?,?,?,Function_0019BAD0,000000FF), ref: 6BD861E0
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Pointer$AddressDecodeEncodeHandleModuleProc
                                                                          • String ID: BufferedPaintUnInit$uxtheme.dll
                                                                          • API String ID: 2061474489-1501038116
                                                                          • Opcode ID: fb53de5815fef0653a65314756b4b5c3128df1d59372d59b246f369dc713def8
                                                                          • Instruction ID: acfe03d8b75b4e4407d81bbeec8b460ab9751d75a067ea5f7f36de38c9cec155
                                                                          • Opcode Fuzzy Hash: fb53de5815fef0653a65314756b4b5c3128df1d59372d59b246f369dc713def8
                                                                          • Instruction Fuzzy Hash: 5FE09B72971622AB8F512778A85CB5D3B64EB067B23420471FC11EE226EB7CCC055BF0
                                                                          APIs
                                                                          • GetModuleHandleW.KERNEL32(uxtheme.dll,?,6BD7D938,?,?,?,?,?,?,?,?,00000008), ref: 6BD86164
                                                                          • GetProcAddress.KERNEL32(00000000,BufferedPaintInit), ref: 6BD86174
                                                                          • EncodePointer.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000008), ref: 6BD8617D
                                                                          • DecodePointer.KERNEL32(00000000,?,6BD7D938,?,?,?,?,?,?,?,?,00000008), ref: 6BD8618B
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Pointer$AddressDecodeEncodeHandleModuleProc
                                                                          • String ID: BufferedPaintInit$uxtheme.dll
                                                                          • API String ID: 2061474489-1331937065
                                                                          • Opcode ID: 097fa9e397d40642bb8f4dc161492bf3bb1e18f0e6f637142d5c763f90fba441
                                                                          • Instruction ID: a26d80efeef3454b1ec84cdbd7269bae6425211f1150c8413fe95bdb190894d3
                                                                          • Opcode Fuzzy Hash: 097fa9e397d40642bb8f4dc161492bf3bb1e18f0e6f637142d5c763f90fba441
                                                                          • Instruction Fuzzy Hash: 9DE06572935621ABDE112B74AC08B5D3A64AB466723420861FC01DA226DB2CCC055FF0
                                                                          APIs
                                                                          • GetModuleHandleW.KERNEL32(shell32.dll,?,6BD6FA8C,?,?,6BD71142,000FC000,00000010,00000048,6BD71321,?,?,?,?,00000000), ref: 6BD86083
                                                                          • GetProcAddress.KERNEL32(00000000,InitNetworkAddressControl), ref: 6BD86093
                                                                          • EncodePointer.KERNEL32(00000000,?,?,6BD71142,000FC000,00000010,00000048,6BD71321,?,?,?,?,00000000,?,6BD715D1,?), ref: 6BD8609C
                                                                          • DecodePointer.KERNEL32(00000000,?,6BD6FA8C,?,?,6BD71142,000FC000,00000010,00000048,6BD71321,?,?,?,?,00000000), ref: 6BD860AA
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Pointer$AddressDecodeEncodeHandleModuleProc
                                                                          • String ID: InitNetworkAddressControl$shell32.dll
                                                                          • API String ID: 2061474489-1950653938
                                                                          • Opcode ID: 22d3ed19576d16eddb7cb4d0ae15941750efcc2f620c1561b0e0500e086c313a
                                                                          • Instruction ID: af2244574020bdbbe06934837b27a601b26788aa2c040b6c6e9289ceb10e2447
                                                                          • Opcode Fuzzy Hash: 22d3ed19576d16eddb7cb4d0ae15941750efcc2f620c1561b0e0500e086c313a
                                                                          • Instruction Fuzzy Hash: 4BE06531635521AF9E602B749809A5D3B94EB067733420871FC01DA124EB2CCC0596F4
                                                                          APIs
                                                                          • GetModuleHandleW.KERNEL32(comctl32.dll), ref: 6BD8651E
                                                                          • GetProcAddress.KERNEL32(00000000,TaskDialogIndirect), ref: 6BD8652E
                                                                          • EncodePointer.KERNEL32(00000000), ref: 6BD86537
                                                                          • DecodePointer.KERNEL32(00000000), ref: 6BD86549
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Pointer$AddressDecodeEncodeHandleModuleProc
                                                                          • String ID: TaskDialogIndirect$comctl32.dll
                                                                          • API String ID: 2061474489-2809879075
                                                                          • Opcode ID: aa777734656077133727635c7a0cbe3100e48120de2d759f1eb511d523542435
                                                                          • Instruction ID: 200391cbf775d76ea84edb3b3d96cc33a8b7bc56289ff954071dd4d652d67faf
                                                                          • Opcode Fuzzy Hash: aa777734656077133727635c7a0cbe3100e48120de2d759f1eb511d523542435
                                                                          • Instruction Fuzzy Hash: A2E048765352129B5B506B78590DE5A3B95DB066B33025CB1FC01DE124EB3CC90856B0
                                                                          APIs
                                                                          • __allrem.LIBCMT ref: 6BEB1EF1
                                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6BEB1F0D
                                                                          • __allrem.LIBCMT ref: 6BEB1F24
                                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6BEB1F42
                                                                          • __allrem.LIBCMT ref: 6BEB1F59
                                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6BEB1F77
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                                          • String ID:
                                                                          • API String ID: 1992179935-0
                                                                          • Opcode ID: 9af276dc0645ca92519e6948e65a883e50e022296454d40348eae6be2d3a3f08
                                                                          • Instruction ID: 2d0f3a7388b857981a36c8942daf049b19bc8d06a444b907a8587d4f809aae6c
                                                                          • Opcode Fuzzy Hash: 9af276dc0645ca92519e6948e65a883e50e022296454d40348eae6be2d3a3f08
                                                                          • Instruction Fuzzy Hash: C9910472A14725ABE7209FB9DE81B9A73A9AF45778F30412EE410D73C0E778D901C792
                                                                          APIs
                                                                          • GetCursorPos.USER32(?), ref: 6BDA1F70
                                                                          • GetWindowRect.USER32(?,?), ref: 6BDA1F84
                                                                          • PtInRect.USER32(?,?,?), ref: 6BDA1FAD
                                                                          • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 6BDA1FC1
                                                                            • Part of subcall function 6BD6A828: GetParent.USER32(?), ref: 6BD6A832
                                                                          • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 6BDA2023
                                                                          • GetFocus.USER32 ref: 6BDA214A
                                                                            • Part of subcall function 6BDC7BAA: __EH_prolog3_GS.LIBCMT ref: 6BDC7BB4
                                                                            • Part of subcall function 6BDC7BAA: GetWindowRect.USER32(?,?), ref: 6BDC7C48
                                                                            • Part of subcall function 6BDC7BAA: SetRect.USER32(?,00000000,00000000,?,?), ref: 6BDC7C69
                                                                            • Part of subcall function 6BDC7BAA: CreateCompatibleDC.GDI32(?), ref: 6BDC7C75
                                                                            • Part of subcall function 6BDC7BAA: CreateCompatibleBitmap.GDI32(?,?,00000128), ref: 6BDC7C9F
                                                                            • Part of subcall function 6BDC7BAA: GetWindowRect.USER32(?,?), ref: 6BDC7CF4
                                                                            • Part of subcall function 6BDC7BAA: GetClientRect.USER32(?,?), ref: 6BDC7D01
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Rect$Window$CompatibleCreateMessageSend$BitmapClientCursorFocusH_prolog3_Parent
                                                                          • String ID:
                                                                          • API String ID: 2914356772-0
                                                                          • Opcode ID: 85bdcde879e209b9e0c3dcda71fdef49c0595e7495e6ba8fb4f1c8fddd1089a3
                                                                          • Instruction ID: 419db43175e216a6a2c5ffaf5aa73753fc6d8e6a354f65a7b444e5f6c391175e
                                                                          • Opcode Fuzzy Hash: 85bdcde879e209b9e0c3dcda71fdef49c0595e7495e6ba8fb4f1c8fddd1089a3
                                                                          • Instruction Fuzzy Hash: DBA1D131A10616DFDB149F76C895AAE7BB5BF49328F0000BAD915EF350DF389901DBA0
                                                                          APIs
                                                                          • CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,100191B0), ref: 03AE5A3C
                                                                          • InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000), ref: 03AE5C36
                                                                          • InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000), ref: 03AE5C57
                                                                          • InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000), ref: 03AE5ADB
                                                                            • Part of subcall function 03AE1257: __CxxThrowException@8.LIBCMT ref: 03AE1267
                                                                            • Part of subcall function 03AE1257: RtlDeleteCriticalSection.NTDLL(00000000), ref: 03AE1278
                                                                          • InterlockedExchange.KERNEL32(?,00000000), ref: 03AE5CC8
                                                                          • timeGetTime.WINMM ref: 03AE5CCE
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3542251241.0000000003AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AE0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_3ae0000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: CriticalSection$CountInitializeSpin$CreateDeleteEventException@8ExchangeInterlockedThrowTimetime
                                                                          • String ID:
                                                                          • API String ID: 2093779962-0
                                                                          • Opcode ID: eb8d99eeeeff8ed9c263c0e2c2b89902df991007dd5e8e3d3dd009670b8de4c5
                                                                          • Instruction ID: 57a094a6d51646c6c6f2d31f847f45a92955b8df091583526fed2244ce9a06f9
                                                                          • Opcode Fuzzy Hash: eb8d99eeeeff8ed9c263c0e2c2b89902df991007dd5e8e3d3dd009670b8de4c5
                                                                          • Instruction Fuzzy Hash: 74A116B0A01A56AFE314DF6AC9C4796FBE8FB09304F54462ED12DCB640D774A964CF90
                                                                          APIs
                                                                          • LoadCursorW.USER32(00000000,00007F00), ref: 6BDA04F3
                                                                            • Part of subcall function 6BD60447: __EH_prolog3.LIBCMT ref: 6BD6044E
                                                                          • GetClientRect.USER32(?,?), ref: 6BDA0535
                                                                            • Part of subcall function 6BD63B11: ClientToScreen.USER32(?,6BD9D900), ref: 6BD63B20
                                                                            • Part of subcall function 6BD63B11: ClientToScreen.USER32(?,6BD9D908), ref: 6BD63B2D
                                                                          • IsWindowVisible.USER32(?), ref: 6BDA076E
                                                                          • SetTimer.USER32(00000000,0000EC15,00000000), ref: 6BDA0791
                                                                          • InvalidateRect.USER32(?,00000000,00000001,6BF37B18,00000000,00000000,00000000,00000000,00000053), ref: 6BDA0800
                                                                          • UpdateWindow.USER32(?), ref: 6BDA0809
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Client$RectScreenWindow$CursorH_prolog3InvalidateLoadTimerUpdateVisible
                                                                          • String ID:
                                                                          • API String ID: 3378768144-0
                                                                          • Opcode ID: 7c8136b49f6be8e4818caf5dfea1cbab959fcf8e8b2c64c8bd46bd62d25180bc
                                                                          • Instruction ID: 97c3a7be97602631f168c79bf0c31df728a5986bae811c195fa0458941ed03aa
                                                                          • Opcode Fuzzy Hash: 7c8136b49f6be8e4818caf5dfea1cbab959fcf8e8b2c64c8bd46bd62d25180bc
                                                                          • Instruction Fuzzy Hash: 21A15570A10205DFDF14DF24C994BAD3BB1AF48364F1801BAEC19AF295DB78A944DBA0
                                                                          APIs
                                                                          • CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,100191B0), ref: 03AE5A3C
                                                                          • InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000), ref: 03AE5C36
                                                                          • InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000), ref: 03AE5C57
                                                                          • InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000), ref: 03AE5ADB
                                                                            • Part of subcall function 03AE1257: __CxxThrowException@8.LIBCMT ref: 03AE1267
                                                                            • Part of subcall function 03AE1257: RtlDeleteCriticalSection.NTDLL(00000000), ref: 03AE1278
                                                                          • InterlockedExchange.KERNEL32(?,00000000), ref: 03AE5CC8
                                                                          • timeGetTime.WINMM ref: 03AE5CCE
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3542251241.0000000003AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AE0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_3ae0000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: CriticalSection$CountInitializeSpin$CreateDeleteEventException@8ExchangeInterlockedThrowTimetime
                                                                          • String ID:
                                                                          • API String ID: 2093779962-0
                                                                          • Opcode ID: 5766cb068cc81b3afe58cea224023247e6edf2462b50dcd06bc3819791b9811b
                                                                          • Instruction ID: f5f3533cee9a547b271b94bcb9aceccfdab123a0c9a376226acd440b7c39a9f2
                                                                          • Opcode Fuzzy Hash: 5766cb068cc81b3afe58cea224023247e6edf2462b50dcd06bc3819791b9811b
                                                                          • Instruction Fuzzy Hash: 29A116B0A01A56AFE314DF6AC9C4696FBE8FB09304F80862ED12DC7640D774A964CF90
                                                                          APIs
                                                                          • GetWindowRect.USER32(?,?), ref: 6BD78E87
                                                                          • EqualRect.USER32(?,00000000), ref: 6BD78EA5
                                                                            • Part of subcall function 6BD7B9D8: SetWindowPos.USER32(?,00000115,00000000,00000000,00000002,00000002,00000000,?,?,6BD7906B,00000000,00000002,00000002,00000000,00000000,00000115), ref: 6BD7BA00
                                                                          • GetDlgCtrlID.USER32(?), ref: 6BD78F51
                                                                          • CopyRect.USER32(?,00000000), ref: 6BD78F8D
                                                                          • GetParent.USER32(?), ref: 6BD7906E
                                                                          • SetParent.USER32(?,?), ref: 6BD79084
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Rect$ParentWindow$CopyCtrlEqual
                                                                          • String ID:
                                                                          • API String ID: 1662903855-0
                                                                          • Opcode ID: 91c3b2d8863fd357e4756f8ed7239671d04965107a9161fea70aa85cc7809e0d
                                                                          • Instruction ID: d2e887c90fb7268af3dfad0c950382efd271eaef4a2e364a48bee543e18e4162
                                                                          • Opcode Fuzzy Hash: 91c3b2d8863fd357e4756f8ed7239671d04965107a9161fea70aa85cc7809e0d
                                                                          • Instruction Fuzzy Hash: 9261A871A51619ABDF24DF74CC89BEAB775FF45324F0001B9E819DB151C7389A44CB60
                                                                          APIs
                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000001,00000001,?), ref: 6BDA8071
                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000001,00000001,?,00000000,00000000), ref: 6BDA80DC
                                                                          • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6BDA80F9
                                                                          • LCMapStringEx.KERNEL32(?,?,00000000,00000000,?,?,00000000,00000000,00000000), ref: 6BDA8138
                                                                          • LCMapStringEx.KERNEL32(?,?,00000000,00000001,00000000,00000000,00000000,00000000,00000000), ref: 6BDA8197
                                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 6BDA81BA
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: ByteCharMultiStringWide
                                                                          • String ID:
                                                                          • API String ID: 2829165498-0
                                                                          • Opcode ID: fa1bea591277926b27ce31881dbc5ac8bdce989a3ca824dddc554ebbc665a373
                                                                          • Instruction ID: 04cbba2eaf786b9752f4d74ca827ca1fe529b50e0868722176cff3566f55d38a
                                                                          • Opcode Fuzzy Hash: fa1bea591277926b27ce31881dbc5ac8bdce989a3ca824dddc554ebbc665a373
                                                                          • Instruction Fuzzy Hash: 52519F72A10286EFEF104F64CC45FAB3FA9EF41764F214469FD24AE190D77AC9149B60
                                                                          APIs
                                                                          • GetParent.USER32(00000000), ref: 6BD90C44
                                                                          • SendMessageW.USER32(?,0000040C,00000000,00000000), ref: 6BD90C80
                                                                          • SendMessageW.USER32(00000000,0000041C,00000000,?), ref: 6BD90CB3
                                                                          • SetRectEmpty.USER32(?), ref: 6BD90D19
                                                                          • SendMessageW.USER32(00000000,0000040B,00000000,?), ref: 6BD90D75
                                                                          • RedrawWindow.USER32(00000000,00000000,00000000,00000505), ref: 6BD90DA4
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend$EmptyParentRectRedrawWindow
                                                                          • String ID:
                                                                          • API String ID: 3879113052-0
                                                                          • Opcode ID: a9ddfbeaf00c0103f78d6916dc1c8e7c65c729fe0dd37671e074223450f93feb
                                                                          • Instruction ID: 0073c155ca5098dae0354acedb5f4e2d84c87eaa51a141a2b67d605b3b9331a4
                                                                          • Opcode Fuzzy Hash: a9ddfbeaf00c0103f78d6916dc1c8e7c65c729fe0dd37671e074223450f93feb
                                                                          • Instruction Fuzzy Hash: 5C519174A10619DFDB28EF74D894BAEBBB5FF48714F11416EE815AB291DB34A900CF80
                                                                          APIs
                                                                          • CallNextHookEx.USER32(00000000,?,?), ref: 6BD95FAF
                                                                          • WindowFromPoint.USER32(?,?), ref: 6BD95FD9
                                                                          • ScreenToClient.USER32(00000020,00000200), ref: 6BD9600F
                                                                          • GetParent.USER32(00000020), ref: 6BD96076
                                                                          • UpdateWindow.USER32(?), ref: 6BD960DC
                                                                          • SendMessageW.USER32(?,00000100,00000024,00000000), ref: 6BD9615A
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Window$CallClientFromHookMessageNextParentPointScreenSendUpdate
                                                                          • String ID:
                                                                          • API String ID: 4074787488-0
                                                                          • Opcode ID: d37a675c43ee7fd0ebf76b3ce2a144db4d1acb8ba2a7fa61575fba97612f4bc1
                                                                          • Instruction ID: a6b0f2063f2bfaeb1d8176a5e35aa64184ea5ecf383ec749b0c072d95b205c48
                                                                          • Opcode Fuzzy Hash: d37a675c43ee7fd0ebf76b3ce2a144db4d1acb8ba2a7fa61575fba97612f4bc1
                                                                          • Instruction Fuzzy Hash: 5C51EE39610205EFEF14AF64D885F6D7BB6FF48360F104079E9299B2A1DB39DA01DB90
                                                                          APIs
                                                                          • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 6BD721D2
                                                                          • IsWindow.USER32(?), ref: 6BD7224D
                                                                          • ClientToScreen.USER32(?,?), ref: 6BD7225E
                                                                          • IsWindow.USER32(?), ref: 6BD7227C
                                                                          • ClientToScreen.USER32(?,?), ref: 6BD722AC
                                                                          • SendMessageW.USER32(?,0000020A,?,?), ref: 6BD7230A
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: ClientMessageScreenSendWindow
                                                                          • String ID:
                                                                          • API String ID: 2093367132-0
                                                                          • Opcode ID: d048220f8f6295e0ab1e61641680e61636258c45d260ead1d7b5e94b83a4242e
                                                                          • Instruction ID: 532f952041122d5b3cdb5e11cf1b6bbbbb417d7652df14da8603f254837ae0b9
                                                                          • Opcode Fuzzy Hash: d048220f8f6295e0ab1e61641680e61636258c45d260ead1d7b5e94b83a4242e
                                                                          • Instruction Fuzzy Hash: 9C41E431510A82FBDB316F74CD45BBA7AA4FB07738F1009B8E965DD4A0E729C640E710
                                                                          APIs
                                                                            • Part of subcall function 6BD7B682: GetWindowLongW.USER32(458BF84D,000000F0), ref: 6BD7B68F
                                                                          • SendMessageW.USER32(?,0000043D,00000000,00000000), ref: 6BD67E6E
                                                                          • SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 6BD67E7F
                                                                          • SendMessageW.USER32(?,0000043C,00000001,00000000), ref: 6BD67E93
                                                                          • SendMessageW.USER32(?,0000043C,00000000,00000000), ref: 6BD67EA4
                                                                          • SendMessageW.USER32(?,0000000B,00000001,00000000), ref: 6BD67EB3
                                                                          • InvalidateRect.USER32(?,00000000,00000001,00000000,?,00000000,?,?,?,?,?,?,?,?,?,6BD67850), ref: 6BD67F46
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend$InvalidateLongRectWindow
                                                                          • String ID:
                                                                          • API String ID: 74886174-0
                                                                          • Opcode ID: 465ff76c2319f605496d27dc7a68b99ead9e748103eab3b49328402f931e0676
                                                                          • Instruction ID: be8ebc244cc368a2fa40f95adf63b33b844a91ab494cda62bbffd54c3484d4b6
                                                                          • Opcode Fuzzy Hash: 465ff76c2319f605496d27dc7a68b99ead9e748103eab3b49328402f931e0676
                                                                          • Instruction Fuzzy Hash: C7419D35710618BBDF119B60CC96FEE7B66FF49760F040065FA05AF291EBB0A945CBA0
                                                                          APIs
                                                                          • RegOpenKeyExW.ADVAPI32(80000002,10017554,00000000,00000102,?), ref: 03AE5359
                                                                          • RegDeleteValueW.ADVAPI32(?,10017568), ref: 03AE5369
                                                                          • RegSetValueExW.ADVAPI32(?,10017568,00000000,00000003,1001C6E0,000012A0), ref: 03AE5387
                                                                          • RegCloseKey.ADVAPI32(?), ref: 03AE5392
                                                                          • GetExitCodeProcess.KERNEL32(00000000,?), ref: 03AE53F2
                                                                          • Sleep.KERNEL32(00000BB8), ref: 03AE540B
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3542251241.0000000003AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AE0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_3ae0000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Value$CloseCodeDeleteExitOpenProcessSleep
                                                                          • String ID:
                                                                          • API String ID: 4289506047-0
                                                                          • Opcode ID: fa41b33889329ce33d54072f6f587efc439d217482355cea30f751f095a89e77
                                                                          • Instruction ID: 6f9b299255377d78c8e21ed64d06374c91a55645fe622cf58dabbd45ce503b43
                                                                          • Opcode Fuzzy Hash: fa41b33889329ce33d54072f6f587efc439d217482355cea30f751f095a89e77
                                                                          • Instruction Fuzzy Hash: D0411331E483429BE315CB70AC64F7ABBB6AB47308F5C459EE5C59B182E3B0D441CBA1
                                                                          APIs
                                                                          • RtlEnterCriticalSection.NTDLL(?), ref: 03AE5081
                                                                          • WSASetLastError.WS2_32(0000139F,?,?,?,?,100191B0,?,?,10014228,000000FF), ref: 03AE5099
                                                                          • RtlLeaveCriticalSection.NTDLL(?), ref: 03AE50A3
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3542251241.0000000003AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AE0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_3ae0000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: CriticalSection$EnterErrorLastLeave
                                                                          • String ID:
                                                                          • API String ID: 4082018349-0
                                                                          • Opcode ID: e00a6cd020c07df668690f03d4002b5b8c2a1b96598de1bbe6df2cd43adfd620
                                                                          • Instruction ID: 5e06e733d1524e991d4b6f893a73b8d69f30daff48f82451d9c482b9d2734641
                                                                          • Opcode Fuzzy Hash: e00a6cd020c07df668690f03d4002b5b8c2a1b96598de1bbe6df2cd43adfd620
                                                                          • Instruction Fuzzy Hash: 34318C76A04744AFE710DF94DD85B6AB3E8EB4A715F008A1EF906CB780D736E800CB90
                                                                          APIs
                                                                          • PtInRect.USER32(?,?,?), ref: 6BDA2911
                                                                          • ReleaseCapture.USER32 ref: 6BDA291F
                                                                          • PtInRect.USER32(?,?,?), ref: 6BDA2974
                                                                          • InvalidateRect.USER32(?,?,00000001,?,?,?,6BDA1A6F,00000000,00000000,00000000), ref: 6BDA29DE
                                                                          • SetTimer.USER32(?,0000EC16,00000050,00000000), ref: 6BDA2A02
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Rect$CaptureInvalidateReleaseTimer
                                                                          • String ID:
                                                                          • API String ID: 2903485716-0
                                                                          • Opcode ID: 354b5a162d69245b2bba494a13ec7ba3c06d138977260affdc3c9ce0db17796b
                                                                          • Instruction ID: 187677bb4a09af12b12302553d1e5cdd76f2239bbd816965e7b411ac806ed2a8
                                                                          • Opcode Fuzzy Hash: 354b5a162d69245b2bba494a13ec7ba3c06d138977260affdc3c9ce0db17796b
                                                                          • Instruction Fuzzy Hash: 2731B13174464BEFDF144F32CD84BAABB65FF49725F000576E9698A1A0DB34A820EB91
                                                                          APIs
                                                                          • RegOpenKeyExW.ADVAPI32(80000002,10017554,00000000,00000102,?), ref: 03AE5359
                                                                          • RegDeleteValueW.ADVAPI32(?,10017568), ref: 03AE5369
                                                                          • RegSetValueExW.ADVAPI32(?,10017568,00000000,00000003,1001C6E0,000012A0), ref: 03AE5387
                                                                          • RegCloseKey.ADVAPI32(?), ref: 03AE5392
                                                                          • GetExitCodeProcess.KERNEL32(00000000,?), ref: 03AE53F2
                                                                          • Sleep.KERNEL32(00000BB8), ref: 03AE540B
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3542251241.0000000003AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AE0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_3ae0000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Value$CloseCodeDeleteExitOpenProcessSleep
                                                                          • String ID:
                                                                          • API String ID: 4289506047-0
                                                                          • Opcode ID: e48445a0fb638aff792993f9711fe44b6994354607bef0c7859c4fe8ed55e572
                                                                          • Instruction ID: 2b09105e73ce1cd147217c33c217acc16385753217694e15033a869d5de93d3f
                                                                          • Opcode Fuzzy Hash: e48445a0fb638aff792993f9711fe44b6994354607bef0c7859c4fe8ed55e572
                                                                          • Instruction Fuzzy Hash: E931CD30A483829FE725CF309864F79BBB6AB4A308F5C489EE1859B142C3B0D481CB61
                                                                          APIs
                                                                          • __EH_prolog3.LIBCMT ref: 6BD7E984
                                                                          • CreateRectRgnIndirect.GDI32(00000000), ref: 6BD7E9A4
                                                                            • Part of subcall function 6BD634DA: SelectClipRgn.GDI32(?,00000000), ref: 6BD634FA
                                                                            • Part of subcall function 6BD634DA: SelectClipRgn.GDI32(?,00000000), ref: 6BD63510
                                                                          • GetParent.USER32(00000000), ref: 6BD7E9C4
                                                                          • DrawThemeParentBackground.UXTHEME(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00000018), ref: 6BD7E9E5
                                                                          • MapWindowPoints.USER32(00000000,?,00000000,00000001), ref: 6BD7EA19
                                                                          • SendMessageW.USER32(?,00000014,00000000,00000000), ref: 6BD7EA45
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: ClipParentSelect$BackgroundCreateDrawH_prolog3IndirectMessagePointsRectSendThemeWindow
                                                                          • String ID:
                                                                          • API String ID: 935984306-0
                                                                          • Opcode ID: ee979afac8a168d939ac0ce0227a76677869a6bc0a4772f91e1162fdd6968aa0
                                                                          • Instruction ID: 0e4d48a7da8a3d953ea519762d2af6338b00da374dc11c3e279c392de9e7fdc2
                                                                          • Opcode Fuzzy Hash: ee979afac8a168d939ac0ce0227a76677869a6bc0a4772f91e1162fdd6968aa0
                                                                          • Instruction Fuzzy Hash: 63316171A1020AEFCF11DFA4C946BEE7BB4FF08350F004468E915AF160DB399A04CB60
                                                                          APIs
                                                                          • __EH_prolog3_GS.LIBCMT ref: 6BD8447D
                                                                            • Part of subcall function 6BD63A38: __EH_prolog3.LIBCMT ref: 6BD63A3F
                                                                            • Part of subcall function 6BD63A38: GetWindowDC.USER32(00000000,00000004,6BD7DFDA,00000000), ref: 6BD63A6B
                                                                          • GetClientRect.USER32(?,?), ref: 6BD8449F
                                                                          • GetWindowRect.USER32(?,?), ref: 6BD844B3
                                                                            • Part of subcall function 6BD63B50: ScreenToClient.USER32(?,6BD78FA1), ref: 6BD63B5F
                                                                            • Part of subcall function 6BD63B50: ScreenToClient.USER32(?,6BD78FA9), ref: 6BD63B6C
                                                                          • OffsetRect.USER32(?,?,?), ref: 6BD844D4
                                                                            • Part of subcall function 6BD6351D: ExcludeClipRect.GDI32(?,?,?,?,?), ref: 6BD63554
                                                                            • Part of subcall function 6BD6351D: ExcludeClipRect.GDI32(00000000,?,?,?,?), ref: 6BD63571
                                                                          • OffsetRect.USER32(?,?,?), ref: 6BD844F6
                                                                            • Part of subcall function 6BD6357E: IntersectClipRect.GDI32(?,?,?,?,?), ref: 6BD635B5
                                                                            • Part of subcall function 6BD6357E: IntersectClipRect.GDI32(00000000,?,?,?,?), ref: 6BD635D2
                                                                          • SendMessageW.USER32(?,00000014,?,00000000), ref: 6BD8452E
                                                                            • Part of subcall function 6BD63A8D: ReleaseDC.USER32(?,00000000), ref: 6BD63AC1
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Rect$Clip$Client$ExcludeIntersectOffsetScreenWindow$H_prolog3H_prolog3_MessageReleaseSend
                                                                          • String ID:
                                                                          • API String ID: 3860140383-0
                                                                          • Opcode ID: 16a35e22389110765d7ad799ec44f31de300df5e0b3df295325385f5c2bc8464
                                                                          • Instruction ID: 403c5c76f022db990876486cfc25691868e06ed21641aa289c602825e6eb7cf1
                                                                          • Opcode Fuzzy Hash: 16a35e22389110765d7ad799ec44f31de300df5e0b3df295325385f5c2bc8464
                                                                          • Instruction Fuzzy Hash: 6A310771A1011DAFCF15DBA4CD95EFDB7B9FF59314F140219E402E7250EB28AA09CB60
                                                                          APIs
                                                                          • GetWindowLongW.USER32(?,000000F0), ref: 6BD77018
                                                                          • GetParent.USER32(?), ref: 6BD77026
                                                                          • GetParent.USER32(?), ref: 6BD7703D
                                                                          • GetLastActivePopup.USER32(?), ref: 6BD77050
                                                                          • IsWindowEnabled.USER32(?), ref: 6BD77064
                                                                          • EnableWindow.USER32(?,00000000), ref: 6BD77077
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Window$Parent$ActiveEnableEnabledLastLongPopup
                                                                          • String ID:
                                                                          • API String ID: 670545878-0
                                                                          • Opcode ID: 5f4d07b3cbd7fd0b635df09e55ab41787aac9260e8dced5dbeceacbed8b49f55
                                                                          • Instruction ID: 02debf01c117caf46e7d2761c053c82c9b41bea9fd8dc84dc2e9b6440774cc19
                                                                          • Opcode Fuzzy Hash: 5f4d07b3cbd7fd0b635df09e55ab41787aac9260e8dced5dbeceacbed8b49f55
                                                                          • Instruction Fuzzy Hash: F2119332A45630FBDB326B698884BDA77B8EF16B71B020DB4EC14EF244DB68DC0156D0
                                                                          APIs
                                                                          • Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 6BDEEA9A
                                                                          • Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 6BDEEAB0
                                                                          • Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 6BDEEABB
                                                                          • Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 6BDEEAC6
                                                                          • Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 6BDEEAD1
                                                                          • Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 6BDEEADC
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: ContextExternal$BaseBase::~Concurrency::details::
                                                                          • String ID:
                                                                          • API String ID: 1690591649-0
                                                                          • Opcode ID: bfa4b0b7a1459a0ec6926bdd8b422a6a5b7370ef3b1078dda48db98ffcc7c001
                                                                          • Instruction ID: eae653a83c16dc49c75089a47e183e0e0b26341a0fee47fc584a3b0147a7e12b
                                                                          • Opcode Fuzzy Hash: bfa4b0b7a1459a0ec6926bdd8b422a6a5b7370ef3b1078dda48db98ffcc7c001
                                                                          • Instruction Fuzzy Hash: DE216272304915ABCB4CEF74C8A1BADF765FF51724F60062DC4264B280DF786A16CBA5
                                                                          APIs
                                                                          • GetLastError.KERNEL32(00000001,?,6BEA24B6,6BD603DB,6BEA1AF5,?,00000007,6BF2F598,00000010,6BEA1B18,?,?,6BEA1BA1,?,00000001,?), ref: 6BEB7D0A
                                                                          • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6BEB7D18
                                                                          • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6BEB7D31
                                                                          • SetLastError.KERNEL32(00000000,00000007,6BF2F598,00000010,6BEA1B18,?,?,6BEA1BA1,?,00000001,?,?,00000001,?,6BF2F5C0,0000000C), ref: 6BEB7D83
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorLastValue___vcrt_
                                                                          • String ID:
                                                                          • API String ID: 3852720340-0
                                                                          APIs
                                                                          • type_info::operator==.LIBVCRUNTIME ref: 6BEB870E
                                                                          • CallUnexpected.LIBVCRUNTIME ref: 6BEB8987
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: CallUnexpectedtype_info::operator==
                                                                          • String ID: csm$csm$csm
                                                                          • API String ID: 2673424686-393685449
                                                                          APIs
                                                                          • ClientToScreen.USER32(?,?), ref: 6BD7FE16
                                                                          • GetDlgCtrlID.USER32(00000000), ref: 6BD7FE21
                                                                          • GetWindowLongW.USER32(00000000,000000F0), ref: 6BD7FE31
                                                                          • GetWindowRect.USER32(00000000,?), ref: 6BD7FE4A
                                                                          • PtInRect.USER32(?,?,?), ref: 6BD7FE5A
                                                                          • GetWindow.USER32(?,00000005), ref: 6BD7FE67
                                                                          Similarity
                                                                          • API ID: Window$Rect$ClientCtrlLongScreen
                                                                          • String ID:
                                                                          • API String ID: 1315500227-0
                                                                          APIs
                                                                          • __EH_prolog3_catch.LIBCMT ref: 6BD901FC
                                                                            • Part of subcall function 6BDDDE20: __EH_prolog3.LIBCMT ref: 6BDDDE27
                                                                            • Part of subcall function 6BD7B793: GetDlgCtrlID.USER32(?), ref: 6BD7B79E
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: CtrlH_prolog3H_prolog3_catch
                                                                          • String ID: %TsMFCToolBar-%d$%TsMFCToolBar-%d%x$Buttons$MFCToolBars
                                                                          • API String ID: 905329913-3577816979
                                                                          APIs
                                                                          • __EH_prolog3.LIBCMT ref: 6BDE4240
                                                                          • LoadImageW.USER32(?,?,00000000,00000000,00000000,00002000), ref: 6BDE4396
                                                                          • GetObjectW.GDI32(00000000,00000018,?), ref: 6BDE43A8
                                                                          • DeleteObject.GDI32(00000000), ref: 6BDE4400
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: Object$DeleteH_prolog3ImageLoad
                                                                          • String ID: \~k
                                                                          • API String ID: 91933946-1199159271
                                                                          APIs
                                                                          • __EH_prolog3.LIBCMT ref: 6BDE6C7C
                                                                          • RegisterClipboardFormatW.USER32(00000010), ref: 6BDE6CC6
                                                                          • __EH_prolog3_catch.LIBCMT ref: 6BDE6CFB
                                                                            • Part of subcall function 6BDA39EC: __EH_prolog3.LIBCMT ref: 6BDA39F3
                                                                          • __EH_prolog3_catch.LIBCMT ref: 6BDE6E4A
                                                                            • Part of subcall function 6BD7F248: __EH_prolog3_catch.LIBCMT ref: 6BD7F24F
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: H_prolog3_catch$H_prolog3$ClipboardFormatRegister
                                                                          • String ID: ToolbarButton%p
                                                                          • API String ID: 3051953459-899657487
                                                                          APIs
                                                                          • SendMessageW.USER32(?,00000433,00000000,?), ref: 6BD6CEFA
                                                                          • GetWindowLongW.USER32(?,000000FC), ref: 6BD6CF05
                                                                          • GetWindowLongW.USER32(?,000000FC), ref: 6BD6CF19
                                                                          • SetWindowLongW.USER32(?,000000FC,00000000), ref: 6BD6CF42
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: LongWindow$MessageSend
                                                                          • String ID: ,
                                                                          • API String ID: 2178440468-3772416878
                                                                          APIs
                                                                          • __EH_prolog3.LIBCMT ref: 6BD98BA1
                                                                          • IsWindow.USER32(?), ref: 6BD98C49
                                                                          • GetParent.USER32(?), ref: 6BD98C69
                                                                          • GetParent.USER32(?), ref: 6BD98C85
                                                                            • Part of subcall function 6BDDEDBA: __EH_prolog3_catch_GS.LIBCMT ref: 6BDDEDC1
                                                                            • Part of subcall function 6BDDEDBA: CreateCompatibleDC.GDI32(00000000), ref: 6BDDEE01
                                                                            • Part of subcall function 6BDDEDBA: CreateCompatibleBitmap.GDI32(?,?,?), ref: 6BDDEE23
                                                                            • Part of subcall function 6BDDEDBA: FillRect.USER32(?,?,?), ref: 6BDDEE6D
                                                                            • Part of subcall function 6BDDEDBA: OpenClipboard.USER32(?), ref: 6BDDEE9D
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: CompatibleCreateParent$BitmapClipboardFillH_prolog3H_prolog3_catch_OpenRectWindow
                                                                          • String ID: L~k
                                                                          • API String ID: 837828968-1152365948
                                                                          APIs
                                                                          • __EH_prolog3_GS.LIBCMT ref: 6BD74039
                                                                            • Part of subcall function 6BD7B682: GetWindowLongW.USER32(458BF84D,000000F0), ref: 6BD7B68F
                                                                          • swprintf.LIBCMT ref: 6BD7408E
                                                                          • swprintf.LIBCMT ref: 6BD74132
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: swprintf$H_prolog3_LongWindow
                                                                          • String ID: - $:%d
                                                                          • API String ID: 524023746-2359489159
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: String$FreeH_prolog3
                                                                          • String ID: @
                                                                          • API String ID: 315669285-2766056989
                                                                          • Opcode ID: 37e39e9b3c6e7005c34f52cd80731ac2ba1ebd58245435df38b0d75b1478cf6c
                                                                          • Instruction ID: a18d885e89efa41fd415283c33ca03a06da2929fd20f34826bb8eaf6dd7352d7
                                                                          • Opcode Fuzzy Hash: 37e39e9b3c6e7005c34f52cd80731ac2ba1ebd58245435df38b0d75b1478cf6c
                                                                          • Instruction Fuzzy Hash: 91316D7191014AABDF15DFA8CC85EEE7B79EF04324F100129F929AA290DB398A159B60
                                                                          APIs
                                                                          • __EH_prolog3.LIBCMT ref: 6BDE9BDF
                                                                            • Part of subcall function 6BDDDE20: __EH_prolog3.LIBCMT ref: 6BDDDE27
                                                                            • Part of subcall function 6BD7B793: GetDlgCtrlID.USER32(?), ref: 6BD7B79E
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: H_prolog3$Ctrl
                                                                          • String ID: %TsBasePane-%d$%TsBasePane-%d%x$BasePanes$IsVisible
                                                                          • API String ID: 3879667756-2169875744
                                                                          • Opcode ID: 3dbf8bbed2a6f0dc2fee85436758335b3b958a10e30da9f0a01f523e145bc784
                                                                          • Instruction ID: a6e0fde79fe7ffda1d89e0c3b5b17223bf19c3b115a67ed36925a8aa533d9066
                                                                          • Opcode Fuzzy Hash: 3dbf8bbed2a6f0dc2fee85436758335b3b958a10e30da9f0a01f523e145bc784
                                                                          • Instruction Fuzzy Hash: 7B31B476A00209DBCF10EFB4CC95ABEB776BF85324F040568D4126B391CB39AA16CB71
                                                                          APIs
                                                                          • __EH_prolog3.LIBCMT ref: 6BDE9ACB
                                                                            • Part of subcall function 6BDDDE20: __EH_prolog3.LIBCMT ref: 6BDDDE27
                                                                            • Part of subcall function 6BD7B793: GetDlgCtrlID.USER32(?), ref: 6BD7B79E
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: H_prolog3$Ctrl
                                                                          • String ID: %TsBasePane-%d$%TsBasePane-%d%x$BasePanes$IsVisible
                                                                          • API String ID: 3879667756-2169875744
                                                                          • Opcode ID: 2e07f511770b19ebb4cecf5180f99aee6afc2ae91f0a767afa3ba5fffd514f55
                                                                          • Instruction ID: 4f187d1f3d223b953a3122ac3606bf3b66de08cfbc46d0585732964f00eb9461
                                                                          • Opcode Fuzzy Hash: 2e07f511770b19ebb4cecf5180f99aee6afc2ae91f0a767afa3ba5fffd514f55
                                                                          • Instruction Fuzzy Hash: 1931A371A002099BCF00DFA4C891EFEB7B5BF49324F140568E811AB391DB39AE05CB70
                                                                          Strings
                                                                          • C:\Users\Public\Bilite\Axialis\Update.exe, xrefs: 6BEA4809
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: C:\Users\Public\Bilite\Axialis\Update.exe
                                                                          • API String ID: 0-3977776465
                                                                          • Opcode ID: 0bfb4862a12684d2f0be5cf2871abc3af7c0e531287cf9dc414ca2c707cd4ef1
                                                                          • Instruction ID: e35f93d32635631a2cd4ca75f5b9e8ba6256a0aaed0382baaeb4e2e8fe491e16
                                                                          • Opcode Fuzzy Hash: 0bfb4862a12684d2f0be5cf2871abc3af7c0e531287cf9dc414ca2c707cd4ef1
                                                                          • Instruction Fuzzy Hash: CF21CF31A04245AF9B109F75E88181BB7FCFF41768731452AF915DF250EFB8E81187A0
                                                                          APIs
                                                                          • GetModuleHandleW.KERNEL32(Advapi32.dll,92806F5A,?,?,?,Function_0019BAD0,000000FF), ref: 6BD868E1
                                                                          • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 6BD868F1
                                                                            • Part of subcall function 6BD7B29C: GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 6BD7B2AF
                                                                            • Part of subcall function 6BD7B29C: GetProcAddress.KERNEL32(00000000,RegDeleteKeyTransactedW), ref: 6BD7B2BF
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: AddressHandleModuleProc
                                                                          • String ID: Advapi32.dll$RegDeleteKeyExW
                                                                          • API String ID: 1646373207-2191092095
                                                                          • Opcode ID: 2522e2993794e267efc6c00cd48d0ed766e78ce1e2fd1fdb177eedc0bb10d707
                                                                          • Instruction ID: e75f9f2cb9948e7edeb97495b1471ed87157513feef62ea076fffb816c2e406b
                                                                          • Opcode Fuzzy Hash: 2522e2993794e267efc6c00cd48d0ed766e78ce1e2fd1fdb177eedc0bb10d707
                                                                          • Instruction Fuzzy Hash: 4111B23A524108FFDF11AF19C804B49BB66FB0AB31F004565E815EB2A0DB7AE814DBD0
                                                                          APIs
                                                                          • __EH_prolog3.LIBCMT ref: 6BD89CD6
                                                                          • GetClassNameW.USER32(?,00000000,00000400), ref: 6BD89D07
                                                                          • GetWindowLongW.USER32(?,000000F0), ref: 6BD89D40
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: ClassH_prolog3LongNameWindow
                                                                          • String ID: ComboBox$ComboBoxEx32
                                                                          • API String ID: 297531199-1907415764
                                                                          • Opcode ID: 2b73d8d51a1974fc44c40ed51424eae561abebce262ee2abd820d7db0419fd29
                                                                          • Instruction ID: 2e6113274d1fb65c7fecfc6e74794de4771ca31c00571e4864a2d2fcda5459eb
                                                                          • Opcode Fuzzy Hash: 2b73d8d51a1974fc44c40ed51424eae561abebce262ee2abd820d7db0419fd29
                                                                          • Instruction Fuzzy Hash: 5801AD328241229BDB10EBB0CD51BEEB324BF21379F201928D5246A0E1DF3DA615CB78
                                                                          APIs
                                                                          • _callnewh.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 00021D85
                                                                          • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 00021D92
                                                                          • _CxxThrowException.VCRUNTIME140(?,000227B4), ref: 00021E99
                                                                          • _CxxThrowException.VCRUNTIME140(?,00022808), ref: 00021EB6
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3541338150.0000000000021000.00000020.00000001.01000000.00000005.sdmp, Offset: 00020000, based on PE: true
                                                                          • Associated: 00000003.00000002.3541291978.0000000000020000.00000002.00000001.01000000.00000005.sdmp
                                                                          • Associated: 00000003.00000002.3541375098.0000000000022000.00000002.00000001.01000000.00000005.sdmp
                                                                          • Associated: 00000003.00000002.3541410059.0000000000023000.00000004.00000001.01000000.00000005.sdmp
                                                                          • Associated: 00000003.00000002.3541444515.0000000000024000.00000002.00000001.01000000.00000005.sdmp
                                                                          • Associated: 00000003.00000002.3541444515.0000000000066000.00000002.00000001.01000000.00000005.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_20000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: ExceptionThrow$_callnewhmalloc
                                                                          • String ID: Unknown exception
                                                                          • API String ID: 4113974480-410509341
                                                                          • Opcode ID: 7216ff27f89032d51d37947722a498acd5c1f3340bbac43742d36af2aa278916
                                                                          • Instruction ID: 34ea3eba9eef833c5ccff8e1da481786c30d4933ec5c305fe325c2b5421cf819
                                                                          • Opcode Fuzzy Hash: 7216ff27f89032d51d37947722a498acd5c1f3340bbac43742d36af2aa278916
                                                                          • Instruction Fuzzy Hash: 5CF0AF3490422DB6CF54BAE8FD069ED77AC5B30350BA08575F92896093EB71EA5AC5C0
                                                                          APIs
                                                                          • DecodePointer.KERNEL32(00000000), ref: 6BD862FC
                                                                            • Part of subcall function 6BD6A504: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 6BD6A52A
                                                                            • Part of subcall function 6BD6A504: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 6BD6A53A
                                                                            • Part of subcall function 6BD6A504: EncodePointer.KERNEL32(00000000), ref: 6BD6A543
                                                                          • GetProcAddress.KERNEL32(00000000,DwmDefWindowProc), ref: 6BD862E5
                                                                          • EncodePointer.KERNEL32(00000000), ref: 6BD862EE
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Pointer$AddressEncodeProc$DecodeHandleModule
                                                                          • String ID: DwmDefWindowProc$dwmapi.dll
                                                                          • API String ID: 1102202064-234806475
                                                                          • Opcode ID: 26b31881e47f199ad373a12d916ed3c622376c9f50646d6e7297989363b6c592
                                                                          • Instruction ID: 607df0df41ea5a02f5b5888e1bb1bbaf8c5fdcf0143dcc41d9a9045fd376a42f
                                                                          • Opcode Fuzzy Hash: 26b31881e47f199ad373a12d916ed3c622376c9f50646d6e7297989363b6c592
                                                                          • Instruction Fuzzy Hash: B3F09032925616EB8F116FB4DC04A5E3F69EB097B27040820FC04DA220EB79C910DFB0
                                                                          APIs
                                                                          • DecodePointer.KERNEL32(00000000), ref: 6BD863C0
                                                                            • Part of subcall function 6BD6A504: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 6BD6A52A
                                                                            • Part of subcall function 6BD6A504: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 6BD6A53A
                                                                            • Part of subcall function 6BD6A504: EncodePointer.KERNEL32(00000000), ref: 6BD6A543
                                                                          • GetProcAddress.KERNEL32(00000000,DwmSetWindowAttribute), ref: 6BD863A9
                                                                          • EncodePointer.KERNEL32(00000000), ref: 6BD863B2
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Pointer$AddressEncodeProc$DecodeHandleModule
                                                                          • String ID: DwmSetWindowAttribute$dwmapi.dll
                                                                          • API String ID: 1102202064-3105884578
                                                                          • Opcode ID: 4b26bd862343d27d7638b805a9f293178c54780bc617303309d6c90ba4a521c1
                                                                          • Instruction ID: 9092e96f41ffb6c87e25a89ec83ed072aadbda5279e846851dfdc6ee6aaf702c
                                                                          • Opcode Fuzzy Hash: 4b26bd862343d27d7638b805a9f293178c54780bc617303309d6c90ba4a521c1
                                                                          • Instruction Fuzzy Hash: 71F05476561616FB8F116FA4CC4995E3F69EB097727050425FC04DF620D739C914DBB0
                                                                          APIs
                                                                          • DecodePointer.KERNEL32(00000000), ref: 6BD864E3
                                                                            • Part of subcall function 6BD6A504: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 6BD6A52A
                                                                            • Part of subcall function 6BD6A504: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 6BD6A53A
                                                                            • Part of subcall function 6BD6A504: EncodePointer.KERNEL32(00000000), ref: 6BD6A543
                                                                          • GetProcAddress.KERNEL32(00000000,DwmSetIconicLivePreviewBitmap), ref: 6BD864CC
                                                                          • EncodePointer.KERNEL32(00000000), ref: 6BD864D5
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Pointer$AddressEncodeProc$DecodeHandleModule
                                                                          • String ID: DwmSetIconicLivePreviewBitmap$dwmapi.dll
                                                                          • API String ID: 1102202064-1757063745
                                                                          • Opcode ID: a17e66ea7486d4d443398f2119a3b97309a9a42c457b7af18d350f01e8879220
                                                                          • Instruction ID: 0eeb7892d9d512b5499f451ec662390d6c294af61b5b0c927d45717bed01ae84
                                                                          • Opcode Fuzzy Hash: a17e66ea7486d4d443398f2119a3b97309a9a42c457b7af18d350f01e8879220
                                                                          • Instruction Fuzzy Hash: 8EF0B476424216EB8F215F68CC08A5F3F69AB06B717014860FD05DA224EB39C8009BB0
                                                                          APIs
                                                                          • DecodePointer.KERNEL32(00000000), ref: 6BD86425
                                                                            • Part of subcall function 6BD6A504: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 6BD6A52A
                                                                            • Part of subcall function 6BD6A504: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 6BD6A53A
                                                                            • Part of subcall function 6BD6A504: EncodePointer.KERNEL32(00000000), ref: 6BD6A543
                                                                          • GetProcAddress.KERNEL32(00000000,DwmSetIconicThumbnail), ref: 6BD8640E
                                                                          • EncodePointer.KERNEL32(00000000), ref: 6BD86417
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Pointer$AddressEncodeProc$DecodeHandleModule
                                                                          • String ID: DwmSetIconicThumbnail$dwmapi.dll
                                                                          • API String ID: 1102202064-2331651847
                                                                          • Opcode ID: e89d2a832af87ada3c94396eeb497caf3524883cb046b9ab214485e98f013ee9
                                                                          • Instruction ID: 6401a9c77673532cd5d33a489bf3b2d8de4a0563223d11ef819fd556c8b0cffc
                                                                          • Opcode Fuzzy Hash: e89d2a832af87ada3c94396eeb497caf3524883cb046b9ab214485e98f013ee9
                                                                          • Instruction Fuzzy Hash: CFF08975925617A78F211F6C8C49D4D3F69EB067B13014421FC09DF220DB79C8048BB0
                                                                          APIs
                                                                          • DecodePointer.KERNEL32(00000000,?,?,6BD7ECCE,6BF3825C,0000002C), ref: 6BD86361
                                                                            • Part of subcall function 6BD6A504: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 6BD6A52A
                                                                            • Part of subcall function 6BD6A504: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 6BD6A53A
                                                                            • Part of subcall function 6BD6A504: EncodePointer.KERNEL32(00000000), ref: 6BD6A543
                                                                          • GetProcAddress.KERNEL32(00000000,DwmIsCompositionEnabled), ref: 6BD8634A
                                                                          • EncodePointer.KERNEL32(00000000,?,?,6BD7ECCE,6BF3825C,0000002C), ref: 6BD86353
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Pointer$AddressEncodeProc$DecodeHandleModule
                                                                          • String ID: DwmIsCompositionEnabled$dwmapi.dll
                                                                          • API String ID: 1102202064-1198327662
                                                                          • Opcode ID: bbcbe3c5046b1a1a84cc2521fd6b725b2306900bb7c606e2250b8a4936abd022
                                                                          • Instruction ID: 574b7818ebc762eedbce99fd1adb2333b7ff5cc7beb55924393951b56826dc95
                                                                          • Opcode Fuzzy Hash: bbcbe3c5046b1a1a84cc2521fd6b725b2306900bb7c606e2250b8a4936abd022
                                                                          • Instruction Fuzzy Hash: C6F08976535A15ABCB516B74C805B5E3B68EB067727050461FD00DF210EB7DC800CBF0
                                                                          APIs
                                                                          • DecodePointer.KERNEL32(00000000), ref: 6BD86487
                                                                            • Part of subcall function 6BD6A504: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 6BD6A52A
                                                                            • Part of subcall function 6BD6A504: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 6BD6A53A
                                                                            • Part of subcall function 6BD6A504: EncodePointer.KERNEL32(00000000), ref: 6BD6A543
                                                                          • GetProcAddress.KERNEL32(00000000,DwmInvalidateIconicBitmaps), ref: 6BD86470
                                                                          • EncodePointer.KERNEL32(00000000), ref: 6BD86479
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Pointer$AddressEncodeProc$DecodeHandleModule
                                                                          • String ID: DwmInvalidateIconicBitmaps$dwmapi.dll
                                                                          • API String ID: 1102202064-1901905683
                                                                          • Opcode ID: aac77eedc237ede74f1b17bf25fe1a5c0513807d8c92f117823739fc64bfbbe9
                                                                          • Instruction ID: 1daf7abc558402ef654ef3a6e59c1679a60ee56675523d40d783021872415933
                                                                          • Opcode Fuzzy Hash: aac77eedc237ede74f1b17bf25fe1a5c0513807d8c92f117823739fc64bfbbe9
                                                                          • Instruction Fuzzy Hash: 2EF08275925626AB8F212B6D8809A1E3A589B467B23418421FC08DB220EB3CC8009AB0
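The five dwmapi.dll entries above share one shape: a helper at 6BD6A504 resolves SetDefaultDllDirectories from kernel32.dll, then the calling function resolves a Desktop Window Manager export by name with GetProcAddress and immediately wraps the returned pointer with EncodePointer; the call site later unwraps it with DecodePointer. Exports resolved this way never appear in the module's static import table, so when triaging a listing like this it is useful to pull every run-time resolved name out of the "APIs" sections and collapse the subcall lines that Joe Sandbox repeats under each caller. The Python script below is an added example written for this report; it is not Joe Sandbox tooling and not code from the sample. The embedded excerpt is constructed from two of the entries above, and two assumptions about the layout are taken from this page: each function's listing begins with an "APIs" header line, and the export name is the last argument Joe Sandbox shows for GetProcAddress.

```python
import re
from collections import defaultdict

# Constructed excerpt: two "APIs" listings copied from the function entries in this report.
SAMPLE = """\
APIs
• DecodePointer.KERNEL32(00000000), ref: 6BD86425
  • Part of subcall function 6BD6A504: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 6BD6A52A
  • Part of subcall function 6BD6A504: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 6BD6A53A
  • Part of subcall function 6BD6A504: EncodePointer.KERNEL32(00000000), ref: 6BD6A543
• GetProcAddress.KERNEL32(00000000,DwmSetIconicThumbnail), ref: 6BD8640E
• EncodePointer.KERNEL32(00000000), ref: 6BD86417
Strings
APIs
• DecodePointer.KERNEL32(00000000,?,?,6BD7ECCE,6BF3825C,0000002C), ref: 6BD86361
  • Part of subcall function 6BD6A504: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 6BD6A52A
  • Part of subcall function 6BD6A504: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 6BD6A53A
  • Part of subcall function 6BD6A504: EncodePointer.KERNEL32(00000000), ref: 6BD6A543
• GetProcAddress.KERNEL32(00000000,DwmIsCompositionEnabled), ref: 6BD8634A
• EncodePointer.KERNEL32(00000000,?,?,6BD7ECCE,6BF3825C,0000002C), ref: 6BD86353
Strings
"""

# One report line: optional "Part of subcall function X:" prefix, then API.MODULE(args), ref: ADDR
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")


def parse_calls(text):
    """Split the text into per-function blocks (one per 'APIs' header, an assumption
    taken from this report's layout) and return a list of blocks of call dicts."""
    blocks = []
    current = None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = []
            blocks.append(current)
            continue
        m = CALL_RE.match(line)
        if m is None or current is None:
            continue
        args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
        current.append({
            "api": m.group("api"), "module": m.group("mod"), "args": args,
            "ref": m.group("ref").upper(), "subcall": (m.group("sub") or "").upper() or None,
        })
    return blocks


def _symbol_arg(call):
    """Export name from a GetProcAddress call, or None when the sandbox only saw a
    placeholder ('?') or a numeric value (ordinal or unrecovered pointer)."""
    if call["api"] != "GetProcAddress" or not call["args"]:
        return None
    name = call["args"][-1]
    if name == "?" or HEX_RE.match(name):
        return None
    return name


def resolved_imports(text):
    """Map each run-time resolved export name to its sorted call sites. The subcall
    helper repeated under every caller collapses to a single site."""
    sites = defaultdict(set)
    for block in parse_calls(text):
        for call in block:
            name = _symbol_arg(call)
            if name:
                sites[name].add(call["ref"])
    return {name: sorted(refs) for name, refs in sites.items()}


def encoded_resolutions(text):
    """Pair each direct GetProcAddress with the nearest later direct EncodePointer in
    the same function: the resolved pointer is stored obfuscated, not in a plain slot."""
    pairs = []
    for block in parse_calls(text):
        direct = [c for c in block if c["subcall"] is None]
        encoders = [int(c["ref"], 16) for c in direct if c["api"] == "EncodePointer"]
        for call in direct:
            name = _symbol_arg(call)
            if not name:
                continue
            here = int(call["ref"], 16)
            later = [e for e in encoders if e > here]
            if later:
                pairs.append((name, call["ref"], "%08X" % min(later)))
    return pairs


if __name__ == "__main__":
    for name, refs in sorted(resolved_imports(SAMPLE).items()):
        print(f"{name:32} resolved at {', '.join(refs)}")
    for name, gpa, enc in encoded_resolutions(SAMPLE):
        print(f"{name}: GetProcAddress@{gpa} -> EncodePointer@{enc}")
```

Run against the complete function listing of the report, the script yields the full set of names the DLL looks up at run time with their addresses, which is the list a reviewer actually wants beside the static imports. The names in this stretch (DwmSetWindowAttribute, DwmSetIconicThumbnail, DwmSetIconicLivePreviewBitmap, DwmIsCompositionEnabled, DwmInvalidateIconicBitmaps) are Desktop Window Manager functions used for ordinary window rendering; the point of separating them is so that any less ordinary run-time resolution elsewhere in the listing stands out.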
                                                                          APIs
                                                                          • __EH_prolog3_GS.LIBCMT ref: 6BD9A8FE
                                                                          • IsWindow.USER32(00000000), ref: 6BD9A912
                                                                          • GetClientRect.USER32(00000000,00000000), ref: 6BD9A967
                                                                          • GetCursorPos.USER32(?), ref: 6BD9AB30
                                                                          • ScreenToClient.USER32(00000000,?), ref: 6BD9AB3D
                                                                            • Part of subcall function 6BD95491: __EH_prolog3_GS.LIBCMT ref: 6BD9549B
                                                                            • Part of subcall function 6BD95491: GetClientRect.USER32(00000000,00000000), ref: 6BD954F5
                                                                            • Part of subcall function 6BD932CB: __EH_prolog3_GS.LIBCMT ref: 6BD932D5
                                                                            • Part of subcall function 6BD932CB: SendMessageW.USER32(00000000,0000040D,00000000,00000000), ref: 6BD93300
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: ClientH_prolog3_$Rect$CursorMessageScreenSendWindow
                                                                          • String ID:
                                                                          • API String ID: 3214297127-0
                                                                          • Opcode ID: f9e63c268a2f14882da8acdb3e1239d807e8e2242ce5ab217879029722757340
                                                                          • Instruction ID: 27d3874fe9eeb8cbc52c4e118225b26f4a0b27b03fba0286c299b9426a6c7941
                                                                          • Opcode Fuzzy Hash: f9e63c268a2f14882da8acdb3e1239d807e8e2242ce5ab217879029722757340
                                                                          • Instruction Fuzzy Hash: BF916072D00618DFCF14EFA4C985ADDBBB5BF49324F1540AAE805AF255DB38AA05CF60
                                                                          APIs
                                                                          • GetClientRect.USER32(?,?), ref: 6BD9D8EF
                                                                            • Part of subcall function 6BD63B11: ClientToScreen.USER32(?,6BD9D900), ref: 6BD63B20
                                                                            • Part of subcall function 6BD63B11: ClientToScreen.USER32(?,6BD9D908), ref: 6BD63B2D
                                                                          • PtInRect.USER32(?,00000000,?), ref: 6BD9D909
                                                                          • PtInRect.USER32(?,?,?), ref: 6BD9D982
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: ClientRect$Screen
                                                                          • String ID:
                                                                          • API String ID: 3187875807-0
                                                                          • Opcode ID: 44ce622e1489d6857f4c3cf7d2330d650afd801edc0692d8fa04d1c95f00dd9a
                                                                          • Instruction ID: 03cdcd19f4e62c805f32ee3a06ead44de06250872627352ab06f4d184cae5d52
                                                                          • Opcode Fuzzy Hash: 44ce622e1489d6857f4c3cf7d2330d650afd801edc0692d8fa04d1c95f00dd9a
                                                                          • Instruction Fuzzy Hash: 11414A72A4010AEFCF00EFB8DA84A9EB7B5EF0A754F10456AE945FF114D634EA44DB60
                                                                          APIs
                                                                          • __EH_prolog3.LIBCMT ref: 6BD80E66
                                                                            • Part of subcall function 6BD63A38: __EH_prolog3.LIBCMT ref: 6BD63A3F
                                                                            • Part of subcall function 6BD63A38: GetWindowDC.USER32(00000000,00000004,6BD7DFDA,00000000), ref: 6BD63A6B
                                                                            • Part of subcall function 6BD6322D: SetMapMode.GDI32(?,?), ref: 6BD63241
                                                                            • Part of subcall function 6BD6322D: SetMapMode.GDI32(?,?), ref: 6BD63253
                                                                          • LPtoDP.GDI32(?,?,00000001), ref: 6BD80ECA
                                                                          • LPtoDP.GDI32(?,?,00000001), ref: 6BD80EE9
                                                                          • LPtoDP.GDI32(?,?,00000001), ref: 6BD80F08
                                                                          • InvalidateRect.USER32(?,00000000,00000001), ref: 6BD80FCC
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: H_prolog3Mode$InvalidateRectWindow
                                                                          • String ID:
                                                                          • API String ID: 1124340077-0
                                                                          • Opcode ID: 10330a00c8efdc9bbf3c7b6d293e22200240abd0e27ce5f765b1944bc34d1a60
                                                                          • Instruction ID: 15a8edba63647a6eb60e04c4542ab8b6e289be61da9375a60759596aa3d7ebe7
                                                                          • Opcode Fuzzy Hash: 10330a00c8efdc9bbf3c7b6d293e22200240abd0e27ce5f765b1944bc34d1a60
                                                                          • Instruction Fuzzy Hash: 0B41F675A01705DFDB24CF78C481B9AB7F1BF49361F00886DE9AADB290D774A904CB61
                                                                          APIs
                                                                            • Part of subcall function 6BD7B682: GetWindowLongW.USER32(458BF84D,000000F0), ref: 6BD7B68F
                                                                          • GetWindowRect.USER32(?,?), ref: 6BDA5B16
                                                                          • GetSystemMetrics.USER32(00000021), ref: 6BDA5B1E
                                                                          • GetSystemMetrics.USER32(00000020), ref: 6BDA5B28
                                                                          • GetKeyState.USER32(00000002), ref: 6BDA5B4C
                                                                          • InflateRect.USER32(?,?,00000000), ref: 6BDA5B85
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: MetricsRectSystemWindow$InflateLongState
                                                                          • String ID:
                                                                          • API String ID: 2406722796-0
                                                                          • Opcode ID: c3a71d8fd53331fdb6eba3ff06e40429b8875df064e553d1e3e034b08b32acc4
                                                                          • Instruction ID: 9fc108cfe131972f797304f4e82a4ec6f4194528de441d0f0ee9bb310ca7cbd3
                                                                          • Opcode Fuzzy Hash: c3a71d8fd53331fdb6eba3ff06e40429b8875df064e553d1e3e034b08b32acc4
                                                                          • Instruction Fuzzy Hash: 5931C132A00209DBDF109B78C89ABBEB764FB45725F518565EA51DF1D0D778CA808B90
                                                                          APIs
                                                                          • GetCursorPos.USER32(00000000), ref: 6BD6691C
                                                                          • GetKeyState.USER32(00000011), ref: 6BD66924
                                                                          • ScreenToClient.USER32(?,00000000), ref: 6BD669BC
                                                                          • ClientToScreen.USER32(?,00000000), ref: 6BD66A09
                                                                          • SetCursorPos.USER32(00000000,00000000), ref: 6BD66A15
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: ClientCursorScreen$State
                                                                          • String ID:
                                                                          • API String ID: 3982492586-0
                                                                          • Opcode ID: 8dd8f3fdd54352d6bc367fb66132c04c138378518c906c7c3898bc084a1947ec
                                                                          • Instruction ID: 0a0c14def4c17d6ee8e576e5a471a1236cf775aac17d143b5d0034d43901e5aa
                                                                          • Opcode Fuzzy Hash: 8dd8f3fdd54352d6bc367fb66132c04c138378518c906c7c3898bc084a1947ec
                                                                          • Instruction Fuzzy Hash: 5B31E572A40505EBCB08CFB8C955BEDFBB5FB467A0F10426BE852EA190E7349A40DB50
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: ClientCursorScreen$Rect
                                                                          • String ID:
                                                                          • API String ID: 1082406499-0
                                                                          • Opcode ID: ee6019b76cc984dafd6afb4519cc3ff1edaefabb1ed1c50c4bffe727c9ba95b9
                                                                          • Instruction ID: 65af55731c5d89f482251eb74bd7a179cc983f121bc380d43dd04a264f774612
                                                                          • Opcode Fuzzy Hash: ee6019b76cc984dafd6afb4519cc3ff1edaefabb1ed1c50c4bffe727c9ba95b9
                                                                          • Instruction Fuzzy Hash: 4F31B131E1020ADFCF09EFB0D984AAEB7B5FF49754F10017AD411AB250DB39A945DBA0
                                                                          APIs
                                                                            • Part of subcall function 6BD61CA1: GetParent.USER32(?), ref: 6BD61CA4
                                                                            • Part of subcall function 6BD61CA1: GetParent.USER32(00000000), ref: 6BD61CAB
                                                                          • GetWindowLongW.USER32(?,000000EC), ref: 6BD6228F
                                                                          • RedrawWindow.USER32(?,00000000,00000000,00000081), ref: 6BD622E3
                                                                          • SetWindowLongW.USER32(?,000000EC,00000000), ref: 6BD622F2
                                                                          • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000137), ref: 6BD62308
                                                                          • GetClientRect.USER32(?,?), ref: 6BD6231C
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Window$LongParent$ClientRectRedraw
                                                                          • String ID:
                                                                          • API String ID: 556606033-0
                                                                          • Opcode ID: f369461db783360c393924da8e404713bb0a69465b2e270c53d92dadaf2bda6d
                                                                          • Instruction ID: 1711510aad0abb7cbeef1a3c03cb52e6eb9b063584108528db48902158d1f055
                                                                          • Opcode Fuzzy Hash: f369461db783360c393924da8e404713bb0a69465b2e270c53d92dadaf2bda6d
                                                                          • Instruction Fuzzy Hash: 0A21F432710615EBEF029BB48C91BAEB678FF093F8F000574E911EE1A0EB68DD109790
                                                                          APIs
                                                                            • Part of subcall function 6BD7B682: GetWindowLongW.USER32(458BF84D,000000F0), ref: 6BD7B68F
                                                                            • Part of subcall function 6BD61CA1: GetParent.USER32(?), ref: 6BD61CA4
                                                                            • Part of subcall function 6BD61CA1: GetParent.USER32(00000000), ref: 6BD61CAB
                                                                          • SendMessageW.USER32(?,00000234,00000000,00000000), ref: 6BD61FA1
                                                                          • SendMessageW.USER32(?,00000229,00000000,00000000), ref: 6BD61FCA
                                                                          • SendMessageW.USER32(?,00000229,00000000,00000000), ref: 6BD61FE9
                                                                          • SendMessageW.USER32(?,00000222,?,00000000), ref: 6BD62003
                                                                          • SendMessageW.USER32(?,00000222,00000000,?), ref: 6BD6202C
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend$Parent$LongWindow
                                                                          • String ID:
                                                                          • API String ID: 4191550487-0
                                                                          • Opcode ID: 81b795a69b78947a1705317c0d3829f3f91ac0e7e00708dc2cf612e338601020
                                                                          • Instruction ID: b2851b69d690394f1e3f3e7de5402e330166631cc0e1854abe93d45bdb7fead0
                                                                          • Opcode Fuzzy Hash: 81b795a69b78947a1705317c0d3829f3f91ac0e7e00708dc2cf612e338601020
                                                                          • Instruction Fuzzy Hash: 8321E531650614FFEB119B70CC8AFAE7779FB093E8F400525F1819E1A0EB79DE109660
                                                                          APIs
                                                                          • GetCursorPos.USER32(?), ref: 6BD9C962
                                                                          • GetClientRect.USER32(?,?), ref: 6BD9C98E
                                                                          • PtInRect.USER32(?,?,?), ref: 6BD9C9A6
                                                                          • MapWindowPoints.USER32(?,?,?,00000001), ref: 6BD9C9CF
                                                                          • SendMessageW.USER32(?,00000200,?,?), ref: 6BD9C9EE
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Rect$ClientCursorMessagePointsSendWindow
                                                                          • String ID:
                                                                          • API String ID: 1257894355-0
                                                                          • Opcode ID: d15f3187d70bb82e9c3e11aed53424e2726fe0efacb8953c2f9b47a746833fee
                                                                          • Instruction ID: 85ffd52ba2fae47708b0928c2fb2f8304ea1c3049d4c5e7a781a08fc0667b0f8
                                                                          • Opcode Fuzzy Hash: d15f3187d70bb82e9c3e11aed53424e2726fe0efacb8953c2f9b47a746833fee
                                                                          • Instruction Fuzzy Hash: 6B31D67190034AEFCF14DF64C8419BEBBB5FF05364F10462AF8259A160E734E950DBA4
                                                                          APIs
                                                                          • GetWindowRect.USER32(?,?), ref: 6BD9E27C
                                                                            • Part of subcall function 6BD7B6AC: GetWindowLongW.USER32(?,000000EC), ref: 6BD7B6B9
                                                                          • OffsetRect.USER32(?,?,00000000), ref: 6BD9E2D8
                                                                          • UnionRect.USER32(?,?,?), ref: 6BD9E2F1
                                                                          • EqualRect.USER32(?,?), ref: 6BD9E2FF
                                                                          • UpdateWindow.USER32(?), ref: 6BD9E336
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Rect$Window$EqualLongOffsetUnionUpdate
                                                                          • String ID:
                                                                          • API String ID: 4261707372-0
                                                                          • Opcode ID: dbef93c3ce9cb6ac8748d56ed57315b207ae74a9ef687fc8b54cd4933c6b2953
                                                                          • Instruction ID: 7a96bfe4333a914ddbae84aa586d30b1d61646d76e98603f5351779d27bb9291
                                                                          • Opcode Fuzzy Hash: dbef93c3ce9cb6ac8748d56ed57315b207ae74a9ef687fc8b54cd4933c6b2953
                                                                          • Instruction Fuzzy Hash: C3318071A1060AEBCB04DF74C945BDEF7B9FF09314F504226E415EA2A1DB34AA94CFA0
                                                                          APIs
                                                                          • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 6BE11B99
                                                                            • Part of subcall function 6BD7BA97: EnableWindow.USER32(?,?), ref: 6BD7BAA8
                                                                          • SendMessageW.USER32(?,00000146,00000000,00000000), ref: 6BE11BD6
                                                                          • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 6BE11BED
                                                                          • SendMessageW.USER32(?,00000146,00000000,00000000), ref: 6BE11C06
                                                                            • Part of subcall function 6BE12B5C: GetWindowRect.USER32(?,?), ref: 6BE12B89
                                                                          • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 6BE11C47
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend$Window$EnableRect
                                                                          • String ID:
                                                                          • API String ID: 3648841934-0
                                                                          • Opcode ID: 98ad1efec85b459c119d2fa45f90e51121e6ceae67f30de977af5a00ad1edb62
                                                                          • Instruction ID: 1bbc65d4e031c0a8f8e2f7fbeff4e33757bc4003304e658127bb1ca28b2676c7
                                                                          • Opcode Fuzzy Hash: 98ad1efec85b459c119d2fa45f90e51121e6ceae67f30de977af5a00ad1edb62
                                                                          • Instruction Fuzzy Hash: E421B270214B44AFD7209F76CC85EA777A9FB82799F20083EF55AC6150DA35AC51CB21
                                                                          APIs
                                                                            • Part of subcall function 6BD9630C: __EH_prolog3_GS.LIBCMT ref: 6BD96313
                                                                            • Part of subcall function 6BD9630C: GetWindowRect.USER32(00000000,00000000), ref: 6BD9635C
                                                                            • Part of subcall function 6BD9630C: CreateRoundRectRgn.GDI32(00000000,00000000,00000001,?,00000004,00000004), ref: 6BD96386
                                                                            • Part of subcall function 6BD9630C: SetWindowRgn.USER32(00000000,?,00000000), ref: 6BD9639C
                                                                          • GetSystemMenu.USER32(?,00000000), ref: 6BD98956
                                                                          • DeleteMenu.USER32(?,0000F120,00000000,00000000), ref: 6BD98973
                                                                          • DeleteMenu.USER32(?,0000F020,00000000), ref: 6BD98982
                                                                          • DeleteMenu.USER32(?,0000F030,00000000), ref: 6BD98991
                                                                          • EnableMenuItem.USER32(?,0000F060,00000001), ref: 6BD989B9
                                                                            • Part of subcall function 6BD970F0: SetRectEmpty.USER32(?), ref: 6BD9711B
                                                                            • Part of subcall function 6BD970F0: ReleaseCapture.USER32 ref: 6BD97121
                                                                            • Part of subcall function 6BD970F0: SetCapture.USER32(?,?,?,?,6BD8F092,?), ref: 6BD97134
                                                                            • Part of subcall function 6BD970F0: RedrawWindow.USER32(?,00000000,00000000,00000505), ref: 6BD97234
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Menu$DeleteRectWindow$Capture$CreateEmptyEnableH_prolog3_ItemRedrawReleaseRoundSystem
                                                                          • String ID:
                                                                          • API String ID: 4022425685-0
                                                                          • Opcode ID: 174b5d51ec2f2f9c3da0385ef0cd77e65888203ad9b0f753aeb1765ebb15d043
                                                                          • Instruction ID: 91bc9aea28f3613058fdf6c61f73768bbe3190f61e60ae1975fef2b317763c28
                                                                          • Opcode Fuzzy Hash: 174b5d51ec2f2f9c3da0385ef0cd77e65888203ad9b0f753aeb1765ebb15d043
                                                                          • Instruction Fuzzy Hash: 6E21D131610215EBDF226F60889AA6D7F26FF496A0B040075F9058F261CB39C910DAA1
                                                                          APIs
                                                                          • RtlEnterCriticalSection.NTDLL(?), ref: 03AE404B
                                                                            • Part of subcall function 03AE13F7: HeapFree.KERNEL32(?,00000000,?,?,?,03AE4088,?,00000000,03AE4010,?,10015054,03AE361F), ref: 03AE1414
                                                                          • HeapDestroy.KERNEL32(?,?,00000000,03AE4010,?,10015054,03AE361F), ref: 03AE4090
                                                                          • HeapCreate.KERNEL32(?,?,?,?,00000000,03AE4010,?,10015054,03AE361F), ref: 03AE40AB
                                                                          • SetEvent.KERNEL32(?,?,00000000,03AE4010,?,10015054,03AE361F), ref: 03AE4127
                                                                          • RtlLeaveCriticalSection.NTDLL(?), ref: 03AE412E
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3542251241.0000000003AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AE0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_3ae0000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$CriticalSection$CreateDestroyEnterEventFreeLeave
                                                                          • String ID:
                                                                          • API String ID: 563679510-0
                                                                          • Opcode ID: a47338e344b9415d0666abf4aacaa3da54f4cea86e3874ea6b078b9e747c069c
                                                                          • Instruction ID: ae1990065d4a9a2c805c8b7deca0d5189b8c16ae61319239025d506f1cd4d2d8
                                                                          • Opcode Fuzzy Hash: a47338e344b9415d0666abf4aacaa3da54f4cea86e3874ea6b078b9e747c069c
                                                                          • Instruction Fuzzy Hash: 4F311274600A12EFD749DB79C888B96F7A8FF4C311F14825AE5298B660CB35A815CBD0
                                                                          APIs
                                                                          • IsWindow.USER32(00000000), ref: 6BD68AA5
                                                                          • SendMessageW.USER32(?,00000455,00000000,00000000), ref: 6BD68AB9
                                                                          • SendMessageW.USER32(?,00000454,00000000,00000000), ref: 6BD68ACC
                                                                          • SetWindowLongW.USER32(?,000000F0,?), ref: 6BD68B03
                                                                          • SendMessageW.USER32(?,00000454,00000000,00000000), ref: 6BD68B18
                                                                            • Part of subcall function 6BD7B682: GetWindowLongW.USER32(458BF84D,000000F0), ref: 6BD7B68F
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                           • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSendWindow$Long
                                                                          • String ID:
                                                                          • API String ID: 3430364388-0
                                                                          • Opcode ID: 1bed713a273d1f07a11938cbce47bfa290c147d09171236f7f463041fa943fef
                                                                          • Instruction ID: 005be910ad4fbad87cdb38bccaf3da75c9330683596d6279e43b7e7b648dcf80
                                                                          • Opcode Fuzzy Hash: 1bed713a273d1f07a11938cbce47bfa290c147d09171236f7f463041fa943fef
                                                                          • Instruction Fuzzy Hash: E021B371210B04EBEB108F68CC95B2B77A9FB46764F01823EE545DA2A0EB75DD04CB14
                                                                          APIs
                                                                            • Part of subcall function 6BD7B682: GetWindowLongW.USER32(458BF84D,000000F0), ref: 6BD7B68F
                                                                          • SendMessageW.USER32(?,00000086,00000001,00000000), ref: 6BD73A5B
                                                                          • SendMessageW.USER32(?,00000086,00000000,00000000), ref: 6BD73A74
                                                                          • GetDesktopWindow.USER32 ref: 6BD73A7C
                                                                          • SendMessageW.USER32(00000000,0000036D,0000000C,00000000), ref: 6BD73A9C
                                                                          • GetWindow.USER32(00000000), ref: 6BD73AA5
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                           • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSendWindow$DesktopLong
                                                                          • String ID:
                                                                          • API String ID: 2272707703-0
                                                                          • Opcode ID: c4dcb2a950b2ef645eeb7648f13b3b00f1a6d2829b9c9550b702c81437d4a644
                                                                          • Instruction ID: 2b6746bbc106861f328448722d272a72741637ff924b199a23b5389660e7ab2c
                                                                          • Opcode Fuzzy Hash: c4dcb2a950b2ef645eeb7648f13b3b00f1a6d2829b9c9550b702c81437d4a644
                                                                          • Instruction Fuzzy Hash: 1A11D332210B15BBEB326735C857BEA7A69BB417B4F010134FA515D1A0DB69CD1287A8
                                                                          APIs
                                                                            • Part of subcall function 6BD82F60: EnterCriticalSection.KERNEL32(6BF38410,?,?,0000007C,?,6BD6F318,00000001), ref: 6BD82F91
                                                                            • Part of subcall function 6BD82F60: InitializeCriticalSection.KERNEL32(00000000,?,6BD6F318,00000001), ref: 6BD82FA7
                                                                            • Part of subcall function 6BD82F60: LeaveCriticalSection.KERNEL32(6BF38410,?,6BD6F318,00000001), ref: 6BD82FB5
                                                                            • Part of subcall function 6BD82F60: EnterCriticalSection.KERNEL32(00000000,?,0000007C,?,6BD6F318,00000001), ref: 6BD82FC2
                                                                          • SetCursor.USER32(00000009), ref: 6BD65EB8
                                                                          • LoadCursorW.USER32(?,00007905), ref: 6BD65EFD
                                                                          • LoadCursorW.USER32(00000000,00007F85), ref: 6BD65F13
                                                                          • SetCursor.USER32(?,?,00000009), ref: 6BD65F2C
                                                                          • DestroyCursor.USER32(00000000), ref: 6BD65F37
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                           • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Cursor$CriticalSection$EnterLoad$DestroyInitializeLeave
                                                                          • String ID:
                                                                          • API String ID: 900973665-0
                                                                          • Opcode ID: b9e4eae271cb1cd43cc5048ae685f48fb43f4288981b7d8a5778009670e4bc8f
                                                                          • Instruction ID: 052a43248eca34fe662cb7545cb5bdc94ccbd5d33a4da61ff7c275063e3d71e4
                                                                          • Opcode Fuzzy Hash: b9e4eae271cb1cd43cc5048ae685f48fb43f4288981b7d8a5778009670e4bc8f
                                                                          • Instruction Fuzzy Hash: 6911667191920A9BDF209B64C485B0A7755B7027B8F120475F628CF563E73CD8C497A1
                                                                          APIs
                                                                          • IsWindow.USER32(00000000), ref: 6BD688E0
                                                                          • SendMessageW.USER32(?,00000455,00000000,00000000), ref: 6BD688F4
                                                                          • SendMessageW.USER32(?,00000454,00000000,00000000), ref: 6BD68907
                                                                          • SetWindowLongW.USER32(?,000000F0,?), ref: 6BD68926
                                                                          • SendMessageW.USER32(?,00000454,00000000,00000000), ref: 6BD6893C
                                                                            • Part of subcall function 6BD7B682: GetWindowLongW.USER32(458BF84D,000000F0), ref: 6BD7B68F
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                           • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSendWindow$Long
                                                                          • String ID:
                                                                          • API String ID: 3430364388-0
                                                                          • Opcode ID: fc4f99b58b64e97cbed6aa5704f46ec81f476d2e79943c5c42f6c07f43320b28
                                                                          • Instruction ID: d3dbd09c425af7abd51d71fb5e876447ae1b9e868ce5e681b05625b4b7f28863
                                                                          • Opcode Fuzzy Hash: fc4f99b58b64e97cbed6aa5704f46ec81f476d2e79943c5c42f6c07f43320b28
                                                                          • Instruction Fuzzy Hash: 9411D671620744FBDB105B75CC05F1BBABAFB86764F00422EE2419A2E0EBB5DD04CB24
                                                                          APIs
                                                                          • RegDeleteKeyW.ADVAPI32(00000000,?), ref: 6BD7A547
                                                                          • RegDeleteValueW.ADVAPI32(00000000,?,?,00000000), ref: 6BD7A567
                                                                          • RegCloseKey.ADVAPI32(00000000), ref: 6BD7A598
                                                                            • Part of subcall function 6BD7A8ED: RegCloseKey.ADVAPI32(00000000,?,00000000), ref: 6BD7A992
                                                                            • Part of subcall function 6BD7A8ED: RegCloseKey.ADVAPI32(00000000,?,00000000), ref: 6BD7A9A1
                                                                          • RegSetValueExW.ADVAPI32(00000000,?,00000000,00000001,?,00000000,?,00000000), ref: 6BD7A58F
                                                                          • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 6BD7A5B3
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                           • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Close$DeleteValue$PrivateProfileStringWrite
                                                                          • String ID:
                                                                          • API String ID: 222425065-0
                                                                          • Opcode ID: 5a04e12a4542cca3e2c4df14ae24430b783aecff3d4dd996cdda94914c08b9e7
                                                                          • Instruction ID: f5d6e1f144b3d5dc3fd62848acbfdaf735b7492e5485d633df6f32591fb1e27d
                                                                          • Opcode Fuzzy Hash: 5a04e12a4542cca3e2c4df14ae24430b783aecff3d4dd996cdda94914c08b9e7
                                                                          • Instruction Fuzzy Hash: 0A119E33815616FBCB222B648C05EDF3F2AAF8AB70B024474F914AE110DB39C9119BA0
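The listing above (the registry/INI writer at 6BD7A547) and the earlier window routine at 6BD73A5B are machine-generated text, and an analyst triaging a report of this size usually wants them in a structured form so that questions such as "which functions call both RegSetValueExW and WritePrivateProfileStringW" can be answered across the whole dump. The following Python is an added example, not code from Joe Sandbox or from this report: a parser for the "APIs" listing format as it appears on this page, plus a query helper. The line patterns are inferred from the report text and are an assumption (no grammar for the listing is published); the sample input is copied from the two blocks named above, trimmed, with one "Associated" line keeping the "Download File" link label that the HTML export fuses onto dump names so the cleanup is exercised.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# One entry of a Joe Sandbox "APIs" list. Three shapes occur in this report:
#   • RegSetValueExW.ADVAPI32(00000000,?,00000000,00000001,?,00000000,?,00000000), ref: 6BD7A58F
#   • Part of subcall function 6BD7A8ED: RegCloseKey.ADVAPI32(00000000,?,00000000), ref: 6BD7A992
#   • GetDesktopWindow.USER32 ref: 6BD73A7C   (no argument list)
# No grammar is published for this listing; the pattern is inferred from the report text (an assumption).
API_LINE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>[\w@]+)\.(?P<mod>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)$")
FIELD_LINE = re.compile(r"^•\s*(?P<key>[^:]+):\s*(?P<val>.*)$")
SOURCE_RE = re.compile(r"(?P<file>\S+),\s*Offset:\s*(?P<off>[0-9A-F]+),\s*based on PE:\s*(?P<pe>true|false)")
SECTIONS = ("Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity")

@dataclass
class ApiCall:
    api: str
    module: str
    args: list                  # raw operands; "?" marks a value the sandbox could not resolve
    ref: str                    # call-site address
    subcall_of: Optional[str]   # callee address when the call was seen inside a subroutine

@dataclass
class FunctionBlock:
    calls: list = field(default_factory=list)
    source_file: str = ""
    offset: str = ""
    based_on_pe: Optional[bool] = None
    associated: list = field(default_factory=list)   # further dumps of the same module
    fields: dict = field(default_factory=dict)       # "API ID", "API String ID", "Opcode ID", ...

    def direct_calls(self):
        return [c for c in self.calls if c.subcall_of is None]

def parse_blocks(text):
    """Split report text into one FunctionBlock per "APIs" heading."""
    blocks, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = FunctionBlock()
            blocks.append(cur)
            section = "APIs"
        elif cur is None or not line:
            continue
        elif line in SECTIONS:
            section = line
        elif section == "APIs":
            m = API_LINE.match(line)
            if m:
                args = [] if m.group("args") is None else [a.strip() for a in m.group("args").split(",")]
                cur.calls.append(ApiCall(m.group("api"), m.group("mod"), args, m.group("ref"), m.group("sub")))
        elif m := FIELD_LINE.match(line):
            key, val = m.group("key").strip(), m.group("val").strip()
            if val.endswith("Download File"):   # link label the HTML export fuses onto dump names
                val = val[:-len("Download File")]
            if key == "Source File" and (sm := SOURCE_RE.match(val)):
                cur.source_file, cur.offset = sm.group("file"), sm.group("off")
                cur.based_on_pe = sm.group("pe") == "true"
            elif key == "Associated":
                cur.associated.append(val)
            else:
                cur.fields[key] = val
    return blocks

def functions_calling(blocks, wanted, direct_only=True):
    """Blocks whose call list contains every API name in `wanted` (a bulk-triage query)."""
    wanted = set(wanted)
    return [b for b in blocks
            if wanted <= {c.api for c in (b.direct_calls() if direct_only else b.calls)}]

# Two listings copied from this report, trimmed: the registry/INI writer at 6BD7A547 and the
# window routine at 6BD73A5B. One "Associated" line keeps the fused "Download File" label.
SAMPLE = """\
APIs
• RegDeleteKeyW.ADVAPI32(00000000,?), ref: 6BD7A547
• RegDeleteValueW.ADVAPI32(00000000,?,?,00000000), ref: 6BD7A567
• RegCloseKey.ADVAPI32(00000000), ref: 6BD7A598
  • Part of subcall function 6BD7A8ED: RegCloseKey.ADVAPI32(00000000,?,00000000), ref: 6BD7A992
• RegSetValueExW.ADVAPI32(00000000,?,00000000,00000001,?,00000000,?,00000000), ref: 6BD7A58F
• WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 6BD7A5B3
Memory Dump Source
• Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
• Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmpDownload File
Similarity
• API ID: Close$DeleteValue$PrivateProfileStringWrite
• API String ID: 222425065-0
APIs
  • Part of subcall function 6BD7B682: GetWindowLongW.USER32(458BF84D,000000F0), ref: 6BD7B68F
• SendMessageW.USER32(?,00000086,00000001,00000000), ref: 6BD73A5B
• GetDesktopWindow.USER32 ref: 6BD73A7C
• GetWindow.USER32(00000000), ref: 6BD73AA5
Memory Dump Source
• Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
"""
```

Feed `parse_blocks` the whole report saved as text to get one FunctionBlock per function; `functions_calling(blocks, {"RegSetValueExW", "WritePrivateProfileStringW"})` then returns only the functions that touch both the registry and an INI file, and `direct_only=False` widens the match to calls the report attributes to subroutines. The "?" operands are kept as strings because the sandbox prints them wherever it could not resolve a value, so a consumer must not treat the argument list as numeric.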
                                                                          APIs
                                                                          • EnableMenuItem.USER32(?,00004212,00000001), ref: 6BD9BB6A
                                                                          • EnableMenuItem.USER32(?,00004213,00000000), ref: 6BD9BB7B
                                                                          • EnableMenuItem.USER32(?,00004214,00000000), ref: 6BD9BBAA
                                                                          • CheckMenuItem.USER32(?,00004213,00000008), ref: 6BD9BBD0
                                                                          • CheckMenuItem.USER32(?,00004214,00000000), ref: 6BD9BBDC
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                           • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: ItemMenu$Enable$Check
                                                                          • String ID:
                                                                          • API String ID: 1852492618-0
                                                                          • Opcode ID: 76b7c39a0e809e7fc7babdeac7d4317fba79dc44ce3e9052d250af0b11b88d6d
                                                                          • Instruction ID: 04bd9636660c12c4689fe564b16593e74d6558a63da8b2657e6fc3235107b057
                                                                          • Opcode Fuzzy Hash: 76b7c39a0e809e7fc7babdeac7d4317fba79dc44ce3e9052d250af0b11b88d6d
                                                                          • Instruction Fuzzy Hash: 2A118E70250605EFEB11AF21DE86F12BBA9FB06768F814825F20AD94E0D734EC108BA0
                                                                          APIs
                                                                          • GlobalGetAtomNameW.KERNEL32(?,?,00000103), ref: 6BD75BC7
                                                                          • GlobalAddAtomW.KERNEL32(?), ref: 6BD75BD4
                                                                          • GlobalGetAtomNameW.KERNEL32(?,?,00000103), ref: 6BD75BEE
                                                                          • GlobalAddAtomW.KERNEL32(?), ref: 6BD75BFB
                                                                          • SendMessageW.USER32(00000000,000003E4,00000000,?), ref: 6BD75C20
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                           • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: AtomGlobal$Name$MessageSend
                                                                          • String ID:
                                                                          • API String ID: 1515195355-0
                                                                          • Opcode ID: e525d5a6bbe5c5f54214b10b95b6bc32e8d1d51f1eb4f45ca4d4be872cf723bf
                                                                          • Instruction ID: f9e50108498456bc9575ec8b6ba9bc5d940722be1bc22b556d30ef6171e42edd
                                                                          • Opcode Fuzzy Hash: e525d5a6bbe5c5f54214b10b95b6bc32e8d1d51f1eb4f45ca4d4be872cf723bf
                                                                          • Instruction Fuzzy Hash: 5121E775600318EBDB20AF74C849BFA73F8FB05724F00896AF9598B041D778D984CB61
                                                                          APIs
                                                                          • __EH_prolog3_GS.LIBCMT ref: 6BD96313
                                                                          • GetWindowRect.USER32(00000000,00000000), ref: 6BD9635C
                                                                          • CreateRoundRectRgn.GDI32(00000000,00000000,00000001,?,00000004,00000004), ref: 6BD96386
                                                                          • SetWindowRgn.USER32(00000000,?,00000000), ref: 6BD9639C
                                                                          • SetWindowRgn.USER32(00000000,00000000,00000000), ref: 6BD963B4
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                           • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Window$Rect$CreateH_prolog3_Round
                                                                          • String ID:
                                                                          • API String ID: 2502471913-0
                                                                          • Opcode ID: a5f3efffb1971a759cb3660628d03d0b2248ddb6d850f5a7d00eceaf0b081252
                                                                          • Instruction ID: d4bdc349d76b367428b10f57f787382a6481826ad7347a469a9797960aa62ddf
                                                                          • Opcode Fuzzy Hash: a5f3efffb1971a759cb3660628d03d0b2248ddb6d850f5a7d00eceaf0b081252
                                                                          • Instruction Fuzzy Hash: 06116A71A10609EFDF05EFB4C985AEDBB79FF08368F140129E501AA260DB389D41DBA0
                                                                          APIs
                                                                          • __CreateFrameInfo.LIBCMT ref: 03AF36A2
                                                                            • Part of subcall function 03AF3232: __getptd.LIBCMT ref: 03AF3240
                                                                            • Part of subcall function 03AF3232: __getptd.LIBCMT ref: 03AF324E
                                                                          • __getptd.LIBCMT ref: 03AF36AC
                                                                            • Part of subcall function 03AE98E6: __getptd_noexit.LIBCMT ref: 03AE98E9
                                                                            • Part of subcall function 03AE98E6: __amsg_exit.LIBCMT ref: 03AE98F6
                                                                          • __getptd.LIBCMT ref: 03AF36BA
                                                                          • __getptd.LIBCMT ref: 03AF36C8
                                                                          • __getptd.LIBCMT ref: 03AF36D3
                                                                            • Part of subcall function 03AF32D7: __CallSettingFrame@12.LIBCMT ref: 03AF3323
                                                                            • Part of subcall function 03AF37A0: __getptd.LIBCMT ref: 03AF37AF
                                                                            • Part of subcall function 03AF37A0: __getptd.LIBCMT ref: 03AF37BD
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3542251241.0000000003AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AE0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_3ae0000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: __getptd$CallCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
                                                                          • String ID:
                                                                          • API String ID: 3282538202-0
                                                                          APIs
                                                                          • GetCursorPos.USER32(?), ref: 6BDA2ADF
                                                                          • ScreenToClient.USER32(?,?), ref: 6BDA2AEC
                                                                          • PtInRect.USER32(?,?,?), ref: 6BDA2AFF
                                                                          • LoadCursorW.USER32(00000000,00007F86), ref: 6BDA2B21
                                                                          • SetCursor.USER32(?), ref: 6BDA2B3F
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Cursor$ClientLoadRectScreen
                                                                          • String ID:
                                                                          • API String ID: 2747913190-0
                                                                          APIs
                                                                          • PeekMessageW.USER32(?,?,00000367,00000367,00000003), ref: 6BD73FD6
                                                                          • PostMessageW.USER32(?,00000367,00000000,00000000), ref: 6BD73FE6
                                                                          • GetCapture.USER32 ref: 6BD73FEC
                                                                          • ReleaseCapture.USER32 ref: 6BD73FF8
                                                                          • PostMessageW.USER32(?,0000036A,00000000,00000000), ref: 6BD7401F
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Message$CapturePost$PeekRelease
                                                                          • String ID:
                                                                          • API String ID: 1125932295-0
                                                                          APIs
                                                                          • __EH_prolog3.LIBCMT ref: 6BD7C191
                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 6BD7C19C
                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 6BD7C20A
                                                                            • Part of subcall function 6BD7C093: std::locale::_Locimp::_Locimp.LIBCPMT ref: 6BD7C0AB
                                                                          • std::locale::_Setgloballocale.LIBCPMT ref: 6BD7C1B7
                                                                          • _Yarn.LIBCPMT ref: 6BD7C1CD
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
                                                                          • String ID:
                                                                          • API String ID: 1088826258-0
                                                                          APIs
                                                                          • GetDC.USER32(?), ref: 6BD6467A
                                                                            • Part of subcall function 6BD80491: CreateBitmap.GDI32(00000008,00000008,00000001,00000001,?), ref: 6BD804D8
                                                                            • Part of subcall function 6BD80491: CreatePatternBrush.GDI32(00000000), ref: 6BD804E5
                                                                            • Part of subcall function 6BD80491: DeleteObject.GDI32(00000000), ref: 6BD804F1
                                                                          • SelectObject.GDI32(?,?), ref: 6BD64699
                                                                          • PatBlt.GDI32(?,?,?,?,?,005A0049), ref: 6BD646BE
                                                                          • SelectObject.GDI32(?,00000000), ref: 6BD646CC
                                                                          • ReleaseDC.USER32(?,?), ref: 6BD646D8
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Object$CreateSelect$BitmapBrushDeletePatternRelease
                                                                          • String ID:
                                                                          • API String ID: 2474928807-0
                                                                          APIs
                                                                          • GetModuleHandleW.KERNEL32(10015EB4,10017C00,00000008,03AE98C1,00000000,00000000,?,0000FFFF,03AE70E9,03AEBB26), ref: 03AE97CA
                                                                          • __lock.LIBCMT ref: 03AE97FE
                                                                            • Part of subcall function 03AEC11B: __amsg_exit.LIBCMT ref: 03AEC13D
                                                                            • Part of subcall function 03AEC11B: RtlEnterCriticalSection.NTDLL(00000001), ref: 03AEC145
                                                                          • InterlockedIncrement.KERNEL32(?), ref: 03AE980B
                                                                          • __lock.LIBCMT ref: 03AE981F
                                                                          • ___addlocaleref.LIBCMT ref: 03AE983D
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3542251241.0000000003AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AE0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_3ae0000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit
                                                                          • String ID:
                                                                          • API String ID: 3732598078-0
                                                                          APIs
                                                                          • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 03AE2D13
                                                                          • CancelIo.KERNEL32(?), ref: 03AE2D1D
                                                                          • InterlockedExchange.KERNEL32(00000000,00000000), ref: 03AE2D26
                                                                          • closesocket.WS2_32(?), ref: 03AE2D30
                                                                          • SetEvent.KERNEL32(00000001), ref: 03AE2D3A
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3542251241.0000000003AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AE0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_3ae0000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: CancelEventExchangeInterlockedclosesocketsetsockopt
                                                                          • String ID:
                                                                          • API String ID: 1486965892-0
                                                                          APIs
                                                                          • __getptd.LIBCMT ref: 03AEE122
                                                                            • Part of subcall function 03AE98E6: __getptd_noexit.LIBCMT ref: 03AE98E9
                                                                            • Part of subcall function 03AE98E6: __amsg_exit.LIBCMT ref: 03AE98F6
                                                                          • __getptd.LIBCMT ref: 03AEE139
                                                                          • __amsg_exit.LIBCMT ref: 03AEE147
                                                                          • __lock.LIBCMT ref: 03AEE157
                                                                          • __updatetlocinfoEx_nolock.LIBCMT ref: 03AEE16B
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3542251241.0000000003AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AE0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_3ae0000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
                                                                          • String ID:
                                                                          • API String ID: 938513278-0
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: _strcspn
                                                                          • String ID: .$@
                                                                          • API String ID: 3709121408-1252397774
                                                                          APIs
                                                                          • __EH_prolog3.LIBCMT ref: 6BD907A9
                                                                            • Part of subcall function 6BDDDE20: __EH_prolog3.LIBCMT ref: 6BDDDE27
                                                                            • Part of subcall function 6BD7B793: GetDlgCtrlID.USER32(?), ref: 6BD7B79E
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: H_prolog3$Ctrl
                                                                          • String ID: %TsMFCToolBar-%d$%TsMFCToolBar-%d%x$MFCToolBars
                                                                          • API String ID: 3879667756-2016111687
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: CursorH_prolog3
                                                                          • String ID: Control Panel\Desktop$MenuShowDelay
                                                                          • API String ID: 634316419-702829638
                                                                          • Opcode ID: b24f26a769e0b2f14e0219348e14c86da12a4c053b793427017e7ed43ef67875
                                                                          • Instruction ID: 128d3da8a69fd6eb0647bbb421309d86b7eea3fa47b235e650e6fe6ae00285cb
                                                                          • Opcode Fuzzy Hash: b24f26a769e0b2f14e0219348e14c86da12a4c053b793427017e7ed43ef67875
                                                                          • Instruction Fuzzy Hash: 0621A131A20205CBCF08EBB4D895ABD7761BF49324F140469D921DF290DB39EA05CBA0
                                                                          APIs
                                                                          • __EH_prolog3.LIBCMT ref: 6BD90887
                                                                            • Part of subcall function 6BDDDE20: __EH_prolog3.LIBCMT ref: 6BDDDE27
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: H_prolog3
                                                                          • String ID: %TsMFCToolBarParameters$LargeIcons$MFCToolBars
                                                                          • API String ID: 431132790-953485693
                                                                          • Opcode ID: d2142b08fbdaadab409b578960f5bed0ef27a318faa7fb70877fb601efd4c7f7
                                                                          • Instruction ID: 5d1ff10f89fd5960ae4d5b9a0c6ff4ca5cb312cacb7c7f135c8f678fc8678dd2
                                                                          • Opcode Fuzzy Hash: d2142b08fbdaadab409b578960f5bed0ef27a318faa7fb70877fb601efd4c7f7
                                                                          • Instruction Fuzzy Hash: 9D215075A002599BDF04EFA4C8D5AFEB776BF44314F140868D501AB391DB39AA09CBA1
                                                                          APIs
                                                                          • GetDC.USER32(00000000), ref: 6BDDC51E
                                                                          • EnumFontFamiliesExW.GDI32(00000000,?,6BDDC4B5,?,00000000,?,?,?,?,?,00000000,00000000), ref: 6BDDC539
                                                                          • ReleaseDC.USER32(00000000,00000000), ref: 6BDDC541
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: EnumFamiliesFontRelease
                                                                          • String ID: xtk
                                                                          • API String ID: 264590589-2448746598
                                                                          • Opcode ID: f2063f51d2ce0e308424103c187d2387dd53e23416aae5fcc5abc6a8b5dd9353
                                                                          • Instruction ID: 35a78f8f162981ba28c8f8b1e907bc1ec1cb8e6c099ba7eac91abbbe825b4384
                                                                          • Opcode Fuzzy Hash: f2063f51d2ce0e308424103c187d2387dd53e23416aae5fcc5abc6a8b5dd9353
                                                                          • Instruction Fuzzy Hash: 3111C672D01218ABDB21DBB48C49EAF7BBCDF45714F540469E901EF140DB28EA04C7A1
                                                                          APIs
                                                                            • Part of subcall function 6BD6A17B: LoadLibraryW.KERNEL32(00000000,6BF22360,00000010,6BD7FFE4,comctl32.dll,?), ref: 6BD6A1BC
                                                                          • GetProcAddress.KERNEL32(00000000,DllGetVersion), ref: 6BD7FFF8
                                                                          • FreeLibrary.KERNEL32(00000000), ref: 6BD80044
                                                                            • Part of subcall function 6BD7FBF7: GetLastError.KERNEL32(6BD7FFEF,comctl32.dll,?,?,00001000,?,?,?), ref: 6BD7FBF7
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Library$AddressErrorFreeLastLoadProc
                                                                          • String ID: DllGetVersion$comctl32.dll
                                                                          • API String ID: 2540614322-3857068685
                                                                          • Opcode ID: cd27c77f0f167d9d2feb925d9607ca3f7f60db82e3004b90d5239431bd9e0835
                                                                          • Instruction ID: ee7b07a8d3dfa093cf7892dc2fc58812d2238b916a600b9cb4450c51cad33df8
                                                                          • Opcode Fuzzy Hash: cd27c77f0f167d9d2feb925d9607ca3f7f60db82e3004b90d5239431bd9e0835
                                                                          • Instruction Fuzzy Hash: D3112376A106099BCB21AF68C895B9EB7F5EF85321F110039E800AF350DB7CC9048BB0
                                                                          APIs
                                                                          • __EH_prolog3.LIBCMT ref: 6BD7EC01
                                                                          • LoadCursorW.USER32(00000000,00007F00), ref: 6BD7EC25
                                                                          • GetClassInfoW.USER32(?,?,?), ref: 6BD7EC60
                                                                            • Part of subcall function 6BD6F2D4: __EH_prolog3_catch.LIBCMT ref: 6BD6F2DB
                                                                            • Part of subcall function 6BD6F2D4: GetClassInfoW.USER32(?,?,?), ref: 6BD6F2ED
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: ClassInfo$CursorH_prolog3H_prolog3_catchLoad
                                                                          • String ID: %Ts:%x:%x:%x:%x
                                                                          • API String ID: 937286869-4057404147
                                                                          • Opcode ID: 99427ad0e38251a90e1c0b9c254c797385c1ffebe3c01cd2923c828916e3d791
                                                                          • Instruction ID: 354ec5cfdb5bbb81237f09df231f11fbd68e841f4efb6ef85a49ac15b22cce88
                                                                          • Opcode Fuzzy Hash: 99427ad0e38251a90e1c0b9c254c797385c1ffebe3c01cd2923c828916e3d791
                                                                          • Instruction Fuzzy Hash: 29212C75D10208AFDB50EFB9C885BDDBBF4BF08328F104479E504EB240D7785A449B65
                                                                          APIs
                                                                          • GetModuleHandleW.KERNEL32(Advapi32.dll,?,?,?,80070057), ref: 6BD7A15B
                                                                          • GetProcAddress.KERNEL32(00000000,RegCreateKeyTransactedW), ref: 6BD7A16B
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: AddressHandleModuleProc
                                                                          • String ID: Advapi32.dll$RegCreateKeyTransactedW
                                                                          • API String ID: 1646373207-2994018265
                                                                          • Opcode ID: 0c45b2b52e63bf9bdb8eb4850f44afe8264ffa523859def8851f5d31d636c742
                                                                          • Instruction ID: 6d8602b9509afc72b1807f9b217b3dc8ccdc2c702d0950b57fe8ac28ca6b1b9d
                                                                          • Opcode Fuzzy Hash: 0c45b2b52e63bf9bdb8eb4850f44afe8264ffa523859def8851f5d31d636c742
                                                                          • Instruction Fuzzy Hash: 67016D3322010DFBDF222F98CC04BDA7BA6EB89361F424476FE5495020D77AC461EB60
                                                                          APIs
                                                                          • ___BuildCatchObject.LIBCMT ref: 03AF3A3A
                                                                            • Part of subcall function 03AF3995: ___BuildCatchObjectHelper.LIBCMT ref: 03AF39CB
                                                                          • _UnwindNestedFrames.LIBCMT ref: 03AF3A51
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3542251241.0000000003AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AE0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_3ae0000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: BuildCatchObject$FramesHelperNestedUnwind
                                                                          • String ID: csm$csm
                                                                          • API String ID: 3487967840-3733052814
                                                                          • Opcode ID: 5a0efde82555800522ebcbcdf0ebfc514e59fc27468206ba67c06b53666bf625
                                                                          • Instruction ID: 7ccce86a718b08e1ec71d0673f0a951be244590977c4eb594e6ed50c4e24b896
                                                                          • Opcode Fuzzy Hash: 5a0efde82555800522ebcbcdf0ebfc514e59fc27468206ba67c06b53666bf625
                                                                          • Instruction Fuzzy Hash: 0A01E87900160ABFDF12EF91CD44EAB7F6AEF04354F044116BE18192A0D736D971DBA1
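The dump names in the "Memory Dump Source" lines encode where each analysed function lives: the block above comes from 03AE0000, a region the report marks "based on PE: false", while every other block in this part of the listing sits in a PE-backed image. The Python below is an added example for triaging those names, not Joe Sandbox's own code. Its field layout is an assumption inferred from the values on this page lining up with Win32 constants (the fifth field with PAGE_* protections, the seventh with MEM_IMAGE / MEM_PRIVATE / MEM_MAPPED); the sixth and eighth fields are left undecoded, and the sample list is copied from the dump names on this page.

```python
"""Decode Joe Sandbox memory-dump identifiers and flag regions that look like
in-memory unpacked or injected code (executable, writable, not image-backed).

Added example; not Joe Sandbox code.  Field layout is an ASSUMPTION inferred
from the names on the report page:
    <proc>.<stage>.<dump-id>.<base>.<protect>.<field6>.<type>.<field8>.sdmp
<protect> matches winnt.h PAGE_* values and <type> matches MEM_* values;
<field6> and <field8> are left undecoded because their meaning is not known.
"""
from dataclasses import dataclass
from typing import List

# winnt.h page-protection constants (low byte of the protect field).
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
PAGE_GUARD = 0x100  # modifier bit that may be OR'ed onto the values above
# MEMORY_BASIC_INFORMATION.Type values.
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
MEM_IMAGE = 0x1000000


@dataclass(frozen=True)
class DumpRegion:
    proc: int       # process number as numbered by the report (assumed decimal)
    stage: int      # analysis stage (assumed decimal; meaning not decoded here)
    dump_id: int
    base: int       # region base address
    protect: int    # PAGE_* value (assumption, see module docstring)
    field6: int     # undecoded
    mem_type: int   # MEM_* value (assumption, see module docstring)
    field8: int     # undecoded

    @property
    def protect_name(self) -> str:
        name = PAGE_PROTECT.get(self.protect & 0xFF, f"0x{self.protect:x}")
        return name + "|PAGE_GUARD" if self.protect & PAGE_GUARD else name

    @property
    def mem_type_name(self) -> str:
        return MEM_TYPE.get(self.mem_type, f"0x{self.mem_type:x}")

    @property
    def executable(self) -> bool:
        # PAGE_EXECUTE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY
        return (self.protect & 0xF0) != 0

    @property
    def writable(self) -> bool:
        return (self.protect & 0xFF) in (0x04, 0x08, 0x40, 0x80)

    @property
    def image_backed(self) -> bool:
        return self.mem_type == MEM_IMAGE


def parse_dump_name(name: str) -> DumpRegion:
    """Split one '<...>.sdmp' name into its fields; raises ValueError on anything else."""
    parts = name.split(".")
    if len(parts) != 9 or parts[-1] != "sdmp":
        raise ValueError(f"not a Joe Sandbox dump name: {name}")
    proc, stage, dump_id, base, protect, f6, mtype, f8 = parts[:8]
    return DumpRegion(int(proc), int(stage), int(dump_id), int(base, 16),
                      int(protect, 16), int(f6, 16), int(mtype, 16), int(f8, 16))


def find_unpacked_candidates(names: List[str]) -> List[DumpRegion]:
    """Regions that are executable AND writable AND not mapped from a PE image:
    the usual footprint of code that was unpacked or injected at run time."""
    regions = [parse_dump_name(n) for n in names]
    return [r for r in regions if r.executable and r.writable and not r.image_backed]


# Sample input: dump names copied from this report page.
SAMPLE_DUMPS = [
    "00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp",
    "00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp",
    "00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp",
    "00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp",
    "00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp",
    "00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp",
    "00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp",
    "00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp",
    "00000003.00000002.3542251241.0000000003AE0000.00000040.00001000.00020000.00000000.sdmp",
    "00000003.00000002.3541338150.0000000000021000.00000020.00000001.01000000.00000005.sdmp",
]

if __name__ == "__main__":
    for r in map(parse_dump_name, SAMPLE_DUMPS):
        flag = "  <-- unpacked/injected code candidate" if r in find_unpacked_candidates(SAMPLE_DUMPS) else ""
        print(f"{r.base:08X} {r.protect_name:<24} {r.mem_type_name}{flag}")
```

Run over the names on this page, the only hit is 03AE0000: PAGE_EXECUTE_READWRITE in a MEM_PRIVATE region, consistent with the "based on PE: false" note on that block, whereas the 6BD3xxxx and 0002xxxx code lives in PAGE_EXECUTE_READ pages of MEM_IMAGE mappings. That is the dump to pull first when looking for the real payload behind the MFC wrapper.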
                                                                          APIs
                                                                          • GetWindowLongW.USER32(?,000000F0), ref: 6BD7FD62
                                                                          • GetClassNameW.USER32(?,?,0000000A), ref: 6BD7FD77
                                                                          • CompareStringW.KERNEL32(0000007F,00000001,?,000000FF,combobox,000000FF,?,?,?,?,?,?,?,?,?,6BD675A6), ref: 6BD7FD8E
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: ClassCompareLongNameStringWindow
                                                                          • String ID: combobox
                                                                          • API String ID: 1414938635-2240613097
                                                                          • Opcode ID: 6e8ce92cd53a2cef269964b836ea45752623482a89bf7f504ff3f1ba848cb2f7
                                                                          • Instruction ID: ce08e153bb39ec82195017c9229a0a0dde9cd3c3131a9c6d1cd40e753b9c0411
                                                                          • Opcode Fuzzy Hash: 6e8ce92cd53a2cef269964b836ea45752623482a89bf7f504ff3f1ba848cb2f7
                                                                          • Instruction Fuzzy Hash: CCF0A432A64158ABCB10EF78CC06FEE77A8DB06730F900725F525EA0C0C674E50487A5
                                                                          APIs
                                                                          • GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 6BD7A1CB
                                                                          • GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedW), ref: 6BD7A1DB
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: AddressHandleModuleProc
                                                                          • String ID: Advapi32.dll$RegOpenKeyTransactedW
                                                                          • API String ID: 1646373207-3913318428
                                                                          • Opcode ID: 3803b981986eb11d6733d3b726a44927c3982ddf2ea2530b0f6f1478ad0af8d6
                                                                          • Instruction ID: 5f6c4025c172525f0506890d46b3e710608f8bc913866f1125375b398e08dd87
                                                                          • Opcode Fuzzy Hash: 3803b981986eb11d6733d3b726a44927c3982ddf2ea2530b0f6f1478ad0af8d6
                                                                          • Instruction Fuzzy Hash: 98F09633254109FBDF222F58DC09BE67BA5EB85762F014475F51199060DB77C461EBB0
                                                                          APIs
                                                                          • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?,?,6BDD9C22,?,00000000,?,00000024), ref: 6BDD986D
                                                                          • GetProcAddress.KERNEL32(00000000,GetFileAttributesTransactedW), ref: 6BDD987D
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: AddressHandleModuleProc
                                                                          • String ID: GetFileAttributesTransactedW$kernel32.dll
                                                                          • API String ID: 1646373207-1378992308
                                                                          APIs
                                                                          • __current_exception.VCRUNTIME140 ref: 000217AF
                                                                          • __current_exception_context.VCRUNTIME140 ref: 000217B9
                                                                          • terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000217C0
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3541338150.0000000000021000.00000020.00000001.01000000.00000005.sdmp, Offset: 00020000, based on PE: true
                                                                          • Associated: 00000003.00000002.3541291978.0000000000020000.00000002.00000001.01000000.00000005.sdmp
                                                                          • Associated: 00000003.00000002.3541375098.0000000000022000.00000002.00000001.01000000.00000005.sdmp
                                                                          • Associated: 00000003.00000002.3541410059.0000000000023000.00000004.00000001.01000000.00000005.sdmp
                                                                          • Associated: 00000003.00000002.3541444515.0000000000024000.00000002.00000001.01000000.00000005.sdmp
                                                                          • Associated: 00000003.00000002.3541444515.0000000000066000.00000002.00000001.01000000.00000005.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_20000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: __current_exception__current_exception_contextterminate
                                                                          • String ID: csm
                                                                          • API String ID: 2542180945-1018135373
                                                                          APIs
                                                                          • swprintf.LIBCMT ref: 6BDD84F8
                                                                          • GetFileAttributesW.KERNEL32(00000104,AFX,00000000,00000104,00000104,000000FF), ref: 6BDD8503
                                                                          • GetTempFileNameW.KERNEL32(000000FF,00000104,00000000,00000104,?,?,6BDB1169,?,AFX,00000000,00000104,00000104,000000FF), ref: 6BDD851B
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: File$AttributesNameTempswprintf
                                                                          • String ID: %s%s%X.tmp
                                                                          • API String ID: 2659213859-596088238
                                                                          APIs
                                                                          • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,6BEC3C7F,00000000,?,6BF3A3BC,?,?,?,6BEC3BB6,00000004,InitializeCriticalSectionEx,6BF03994,6BF0399C), ref: 6BEC3BF0
                                                                          • GetLastError.KERNEL32(?,6BEC3C7F,00000000,?,6BF3A3BC,?,?,?,6BEC3BB6,00000004,InitializeCriticalSectionEx,6BF03994,6BF0399C,00000000,?,6BEB8C3C), ref: 6BEC3BFA
                                                                          • LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 6BEC3C22
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: LibraryLoad$ErrorLast
                                                                          • String ID: api-ms-
                                                                          • API String ID: 3177248105-2084034818
                                                                          APIs
                                                                            • Part of subcall function 6BD7B6AC: GetWindowLongW.USER32(?,000000EC), ref: 6BD7B6B9
                                                                          • GetAsyncKeyState.USER32(00000011), ref: 6BDA22CA
                                                                          • GetClientRect.USER32(?,?), ref: 6BDA246C
                                                                          • SetScrollPos.USER32(00000000,00000002,?,00000001), ref: 6BDA255A
                                                                            • Part of subcall function 6BD9ED35: GetClientRect.USER32(?,?), ref: 6BD9ED6F
                                                                            • Part of subcall function 6BD9ED35: InflateRect.USER32(?,00000000,00000000), ref: 6BD9EDA9
                                                                            • Part of subcall function 6BD9ED35: SetRectEmpty.USER32(?), ref: 6BD9EE4D
                                                                            • Part of subcall function 6BD9ED35: SetRectEmpty.USER32(?), ref: 6BD9EE5A
                                                                            • Part of subcall function 6BD9ED35: GetSystemMetrics.USER32(00000002), ref: 6BD9EE7F
                                                                            • Part of subcall function 6BD9ED35: EqualRect.USER32(?,?), ref: 6BD9EF4C
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Rect$ClientEmpty$AsyncEqualInflateLongMetricsScrollStateSystemWindow
                                                                          • String ID:
                                                                          • API String ID: 3234605627-0
                                                                          APIs
                                                                          • GetConsoleOutputCP.KERNEL32(92806F5A,00000000,00000000,?), ref: 6BEC1997
                                                                            • Part of subcall function 6BEB90A1: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6BEBC889,?,00000000,-00000008), ref: 6BEB9102
                                                                          • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 6BEC1BE9
                                                                          • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6BEC1C2F
                                                                          • GetLastError.KERNEL32 ref: 6BEC1CD2
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
                                                                          • String ID:
                                                                          • API String ID: 2112829910-0
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Rect$Empty$StateWindow
                                                                          • String ID:
                                                                          • API String ID: 2684165152-0
                                                                          APIs
                                                                          • __EH_prolog3_GS.LIBCMT ref: 6BD9FD06
                                                                          • GetMenuItemCount.USER32(?), ref: 6BD9FDC6
                                                                          • GetMenuItemID.USER32(?,00000000), ref: 6BD9FDE6
                                                                          • GetSubMenu.USER32(?,00000000), ref: 6BD9FF05
                                                                            • Part of subcall function 6BD8D83B: __EH_prolog3.LIBCMT ref: 6BD8D842
                                                                            • Part of subcall function 6BD8D83B: SetRectEmpty.USER32(?), ref: 6BD8D9FB
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Menu$Item$CountEmptyH_prolog3H_prolog3_Rect
                                                                          • String ID:
                                                                          • API String ID: 2186202558-0
                                                                          APIs
                                                                          • IsThemeBackgroundPartiallyTransparent.UXTHEME(?,00000006,00000000,6BEDDE20), ref: 6BD83919
                                                                          • DrawThemeParentBackground.UXTHEME(?,?,00000000), ref: 6BD83933
                                                                          • DrawThemeBackground.UXTHEME(?,?,00000006,00000000,00000000,00000000), ref: 6BD8394F
                                                                          • GetBkColor.GDI32(?), ref: 6BD83961
                                                                            • Part of subcall function 6BD80831: SetBkColor.GDI32(?,?), ref: 6BD8084A
                                                                            • Part of subcall function 6BD80831: ExtTextOutW.GDI32(?,00000000,00000000,00000002,00000000,00000000,00000000,00000000), ref: 6BD8087C
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: BackgroundTheme$ColorDraw$ParentPartiallyTextTransparent
                                                                          • String ID:
                                                                          • API String ID: 501873518-0
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: AdjustPointer
                                                                          • String ID:
                                                                          • API String ID: 1740715915-0
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: H_prolog3InvalidateParentRectUpdateWindow
                                                                          • String ID:
                                                                          • API String ID: 1954703720-0
                                                                          • Opcode ID: 7821c6678536cc03033c90f06028a641b4ded90b4f3ac557775f88af6510917c
                                                                          • Instruction ID: 1d50a2ba78a9499ac7d0bb41c45d0f797b2099d43fbf63927233ce85f211218a
                                                                          • Opcode Fuzzy Hash: 7821c6678536cc03033c90f06028a641b4ded90b4f3ac557775f88af6510917c
                                                                          • Instruction Fuzzy Hash: CD518374600A16DFDB149F79C884BA9B7E5BF4A721F000579E829CF2D0DB78A844DFA0
                                                                          APIs
                                                                          • __EH_prolog3_GS.LIBCMT ref: 6BD86DC4
                                                                            • Part of subcall function 6BD7A8ED: RegCloseKey.ADVAPI32(00000000,?,00000000), ref: 6BD7A992
                                                                            • Part of subcall function 6BD7A8ED: RegCloseKey.ADVAPI32(00000000,?,00000000), ref: 6BD7A9A1
                                                                          • RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 6BD86F49
                                                                          • RegCloseKey.ADVAPI32(?), ref: 6BD86F5C
                                                                          • RegCloseKey.ADVAPI32(?), ref: 6BD86FB6
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Close$EnumH_prolog3_Value
                                                                          • String ID:
                                                                          • API String ID: 431837299-0
                                                                          • Opcode ID: 529f126eabe32713fa69a8cfe26e28468d19bf0c8c3ab16557f013381ed72690
                                                                          • Instruction ID: 509b8179d33d476973ffba3383a78773b45f4d39b371de39f044b42dec91d9d6
                                                                          • Opcode Fuzzy Hash: 529f126eabe32713fa69a8cfe26e28468d19bf0c8c3ab16557f013381ed72690
                                                                          • Instruction Fuzzy Hash: 4A5142B19111289BCB21DF64CC84BDEBBBCEF49624F4001D9E609AB251DB749F85CFA4
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 7ebf7d52085eeb7ff4d8d358789879587063d5512f5d8e576b44bfb1bceff567
                                                                          • Instruction ID: bfbd383c47eaa9ca7d44b19065601c8205a127496c74df3e7a42c933954364ea
                                                                          • Opcode Fuzzy Hash: 7ebf7d52085eeb7ff4d8d358789879587063d5512f5d8e576b44bfb1bceff567
                                                                          • Instruction Fuzzy Hash: 524127B2A00308AFE7258F78CD41B5BBBB9EF89714F30452EE121DB392D77999018781
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: EmptyRect
                                                                          • String ID:
                                                                          • API String ID: 2270935405-0
                                                                          • Opcode ID: 6aab1b68151036bc6fd92e0e10f792b98b4be0d4ac1b49dffe1a8e906c4dbb15
                                                                          • Instruction ID: 7be52405f994afc00c27c59e6e61bfb8f03ea0e5d795493997e9e70abaea8abf
                                                                          • Opcode Fuzzy Hash: 6aab1b68151036bc6fd92e0e10f792b98b4be0d4ac1b49dffe1a8e906c4dbb15
                                                                          • Instruction Fuzzy Hash: AD51E6B0821265CFCB24DF2985C46E53BA8FB09B60F0841BBED4CCE65ACBB44145DFA1
                                                                          APIs
                                                                          • GetPrivateProfileStringW.KERNEL32(?,?,6BF17FB4,?,00001000,?), ref: 6BD7A4F1
                                                                            • Part of subcall function 6BD7A899: RegCloseKey.ADVAPI32(00000000,?,?,?,?,6BD7A2C8,?,00000000), ref: 6BD7A8DE
                                                                          • RegQueryValueExW.ADVAPI32(00000000,?,00000000,?,00000000,?,?,00000000,92806F5A,?,?,?,?,6BECBB61,000000FF), ref: 6BD7A43F
                                                                          • RegQueryValueExW.ADVAPI32(00000000,?,00000000,?,00000000,?,?,?,?,?,?,6BECBB61,000000FF), ref: 6BD7A47B
                                                                          • RegCloseKey.ADVAPI32(00000000,?,?,?,?,6BECBB61,000000FF), ref: 6BD7A495
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: CloseQueryValue$PrivateProfileString
                                                                          • String ID:
                                                                          • API String ID: 2114517702-0
                                                                          • Opcode ID: 3029b822a66f2c35abc02897d6e036af3e25ec359fffb96fff1166de97e657d5
                                                                          • Instruction ID: d84b275a602399a41684ddc2f32c7f9ab42595036510e32948db9b1105a2a8a5
                                                                          • Opcode Fuzzy Hash: 3029b822a66f2c35abc02897d6e036af3e25ec359fffb96fff1166de97e657d5
                                                                          • Instruction Fuzzy Hash: 3B419071900229DFDB25DF24CC49AEEB7B8EF04364F0044AAE419AB281DB389E55DF60
                                                                          APIs
                                                                          • GetCursorPos.USER32(?), ref: 6BD9A851
                                                                          • ScreenToClient.USER32(000000FF,?), ref: 6BD9A861
                                                                          • PtInRect.USER32(000000D8,?,?), ref: 6BD9A874
                                                                          • PostMessageW.USER32(000000FF,00000010,00000000,00000000), ref: 6BD9A88F
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: ClientCursorMessagePostRectScreen
                                                                          • String ID:
                                                                          • API String ID: 1913696736-0
                                                                          • Opcode ID: 1ac5fc79be26e8e6bcdfbaefcfb762beddedeab2e51416b73cb0b85e2adbcf9e
                                                                          • Instruction ID: 4c918800b2b4fcb40127292f736f4810ebb0c57defece6aa40ea007505d4c3b3
                                                                          • Opcode Fuzzy Hash: 1ac5fc79be26e8e6bcdfbaefcfb762beddedeab2e51416b73cb0b85e2adbcf9e
                                                                          • Instruction Fuzzy Hash: 2031E476E00219EFCB19BB64D844B9D7B75FF49360B2001A5E8159B250DB38DD06EBA0
                                                                          APIs
                                                                          • __EH_prolog3.LIBCMT ref: 6BDFDDD1
                                                                          • SendMessageW.USER32(?,00000421,00000001,?), ref: 6BDFDE68
                                                                          • SendMessageW.USER32(?,00000421,00000001,?), ref: 6BDFDE7D
                                                                          • lstrcpyW.KERNEL32(00000000,00000010,00000000,00000010,6BD94DF1,00000000,?,00000002,?,?), ref: 6BDFDEAC
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend$H_prolog3lstrcpy
                                                                          • String ID:
                                                                          • API String ID: 3361160815-0
                                                                          • Opcode ID: 7e5ada532caeb30184d9e16cee6804027aa1d309abefa3cbaa2b2413ba339b67
                                                                          • Instruction ID: fd6d7d36105ddaa6f1c44087be464907b3a515990b13fcc5f54f09eb650527c4
                                                                          • Opcode Fuzzy Hash: 7e5ada532caeb30184d9e16cee6804027aa1d309abefa3cbaa2b2413ba339b67
                                                                          • Instruction Fuzzy Hash: 1E41E372A54246DBEF04DF64C886BAE77B9FF14328F114868E4619F2D0DB38D906CB60
                                                                          APIs
                                                                          • __EH_prolog3.LIBCMT ref: 6BD7D8B7
                                                                          • GetClientRect.USER32(6BEDD79C,?), ref: 6BD7D906
                                                                            • Part of subcall function 6BD6B073: GetScrollPos.USER32(?,?), ref: 6BD6B09F
                                                                            • Part of subcall function 6BD86155: GetModuleHandleW.KERNEL32(uxtheme.dll,?,6BD7D938,?,?,?,?,?,?,?,?,00000008), ref: 6BD86164
                                                                            • Part of subcall function 6BD86155: GetProcAddress.KERNEL32(00000000,BufferedPaintInit), ref: 6BD86174
                                                                            • Part of subcall function 6BD86155: EncodePointer.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000008), ref: 6BD8617D
                                                                          • CreateCompatibleDC.GDI32(?), ref: 6BD7D9A2
                                                                          • CreateCompatibleBitmap.GDI32(?,?,?), ref: 6BD7D9C8
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: CompatibleCreate$AddressBitmapClientEncodeH_prolog3HandleModulePointerProcRectScroll
                                                                          • String ID:
                                                                          • API String ID: 1015973060-0
                                                                          • Opcode ID: e360c34db876c87a64dd78ae2febb1d3137411eaf646211c406046dae7bc5ce0
                                                                          • Instruction ID: cd4943d116b12305ad4d394b552a222de64920d11a94abd6835d68e8c0c35de1
                                                                          • Opcode Fuzzy Hash: e360c34db876c87a64dd78ae2febb1d3137411eaf646211c406046dae7bc5ce0
                                                                          • Instruction Fuzzy Hash: 9B411DB0900606EFDB10DF69C985B99FBB4BF08368F00857DE4598BA51E778E954CFA0
                                                                          APIs
                                                                            • Part of subcall function 6BD7B682: GetWindowLongW.USER32(458BF84D,000000F0), ref: 6BD7B68F
                                                                          • GetClientRect.USER32(?,?), ref: 6BD6E497
                                                                          • IsMenu.USER32(00000000), ref: 6BD6E4D3
                                                                          • AdjustWindowRectEx.USER32(?,00000000,00000000,?), ref: 6BD6E4EB
                                                                          • GetClientRect.USER32(?,?), ref: 6BD6E533
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Rect$ClientWindow$AdjustLongMenu
                                                                          • String ID:
                                                                          • API String ID: 3435883281-0
                                                                          • Opcode ID: e7a472f2b86dc00df0e30cd55a1770e95c7289b8ee571fe1a1cc136823e9d2e2
                                                                          • Instruction ID: 5e8eea8d7698378a73dd4049ec8c2373333ce8b9a6aa052e88fb48055f18c89c
                                                                          • Opcode Fuzzy Hash: e7a472f2b86dc00df0e30cd55a1770e95c7289b8ee571fe1a1cc136823e9d2e2
                                                                          • Instruction Fuzzy Hash: 0E318571E10209AFDB10DBB5CD59BBEBBB9EF45264F114569E901EB240EB34EA40C7A0
                                                                          APIs
                                                                          • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 03AEE430
                                                                          • __isleadbyte_l.LIBCMT ref: 03AEE463
                                                                          • MultiByteToWideChar.KERNEL32(00000080,00000009,03AE701E,?,00000000,00000000,?,?,?,?,03AE701E,00000000), ref: 03AEE494
                                                                          • MultiByteToWideChar.KERNEL32(00000080,00000009,03AE701E,00000001,00000000,00000000,?,?,?,?,03AE701E,00000000), ref: 03AEE502
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3542251241.0000000003AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AE0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_3ae0000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                          • String ID:
                                                                          • API String ID: 3058430110-0
                                                                          • Opcode ID: 7b64836bf0203443f1c00f9e4ad279cabdfb7da6de54c7dc67062b5fa7cbaf21
                                                                          • Instruction ID: b3b640079d802748cfc658fd44f904afe9139a8170a32847a192000884e9a9b2
                                                                          • Opcode Fuzzy Hash: 7b64836bf0203443f1c00f9e4ad279cabdfb7da6de54c7dc67062b5fa7cbaf21
                                                                          • Instruction Fuzzy Hash: 28319236A00256EFDB21DFA8C880DB97BF5FF05221B1D85AEE4658B191E332D940DB51
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Rect$ClientEmptyWindow
                                                                          • String ID:
                                                                          • API String ID: 742297903-0
                                                                          • Opcode ID: 81ec21182ca8299dcab61d8cb3829c99b22802934ad75c43ff0413b40bcc18eb
                                                                          • Instruction ID: 30face491d7f21c8d05a0798f0844bfd2e232daae1eb6b88ff912ddf780f8256
                                                                          • Opcode Fuzzy Hash: 81ec21182ca8299dcab61d8cb3829c99b22802934ad75c43ff0413b40bcc18eb
                                                                          • Instruction Fuzzy Hash: CF317C74A00209DFCB00DF28C985AADB7B5FF49324B148569E819EB391DB38ED41CFA0
                                                                          APIs
                                                                          • SetRectEmpty.USER32(6BD89ED9), ref: 6BD898FB
                                                                          • GetClientRect.USER32(00000000,6BD89ED9), ref: 6BD8991B
                                                                          • GetParent.USER32(00000000), ref: 6BD8993A
                                                                          • OffsetRect.USER32(6BD89ED9,00000000,00000000), ref: 6BD899BC
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Rect$ClientEmptyOffsetParent
                                                                          • String ID:
                                                                          • API String ID: 3819956977-0
                                                                          • Opcode ID: 1d4d9bb8eae36517a10c71c7246c3709be5e022cc0bb538c1d93bd47ed0dc97f
                                                                          • Instruction ID: c4e4cbe837204a871a8b52c3486e6eb2b5eb0cec62c2735eaf92e3a3bc2395a9
                                                                          • Opcode Fuzzy Hash: 1d4d9bb8eae36517a10c71c7246c3709be5e022cc0bb538c1d93bd47ed0dc97f
                                                                          • Instruction Fuzzy Hash: 0431AF71200602EFD718DF65C896F29B7A4FF45361B10826DE85A8F681EB28EC11CBB0
                                                                          APIs
                                                                          • timeGetTime.WINMM ref: 03AE4425
                                                                          • InterlockedExchange.KERNEL32(?,00000000), ref: 03AE4434
                                                                          • WaitForSingleObject.KERNEL32(?,00001770), ref: 03AE4482
                                                                            • Part of subcall function 03AE3F37: GetCurrentThreadId.KERNEL32 ref: 03AE3F3C
                                                                            • Part of subcall function 03AE3F37: send.WS2_32(?,10017440,00000010,00000000), ref: 03AE3F9D
                                                                            • Part of subcall function 03AE3F37: SetEvent.KERNEL32(?), ref: 03AE3FC0
                                                                            • Part of subcall function 03AE3F37: InterlockedExchange.KERNEL32(?,00000000), ref: 03AE3FCC
                                                                            • Part of subcall function 03AE3F37: WSACloseEvent.WS2_32(?), ref: 03AE3FDA
                                                                            • Part of subcall function 03AE3F37: shutdown.WS2_32(?,00000001), ref: 03AE3FF2
                                                                            • Part of subcall function 03AE3F37: closesocket.WS2_32(?), ref: 03AE3FFC
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3542251241.0000000003AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AE0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_3ae0000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: EventExchangeInterlocked$CloseCurrentObjectSingleThreadTimeWaitclosesocketsendshutdowntime
                                                                          • String ID:
                                                                          • API String ID: 4080316033-0
                                                                          • Opcode ID: cd026b78566f857b09982a36d15b79aaae0893a0b763f0313fae0352c7133491
                                                                          • Instruction ID: a11616aa96d823064be767ace44299e4630279b8ddafa7db4cc96026fa0eccac
                                                                          • Opcode Fuzzy Hash: cd026b78566f857b09982a36d15b79aaae0893a0b763f0313fae0352c7133491
                                                                          • Instruction Fuzzy Hash: AD216176600704ABD620EFB9DD84B97B3E8EF9D711F044A1EF58ACB650D672E404CBA1
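The record above is the one worth a second look in this excerpt: it is the only function whose memory dump source is not backed by a PE image (Offset 03AE0000, "based on PE: false"), it waits on a handle with a 0x1770 = 6000 ms timeout, and its subcall at 03AE3F37 sends a 0x10-byte buffer, signals an event, then calls shutdown with how = 1 (SD_SEND) and closesocket, which is an orderly connection teardown rather than UI code. Pulling such records out of a listing this long by eye is error-prone, so the script below, an added example that is not Joe Sandbox's code and contains nothing from the sample itself, parses the plain-text per-function layout used on this page (the "APIs", "Memory Dump Source" and "Similarity" sections) into records and then selects non-PE-backed regions, Winsock-touching functions and decoded WaitForSingleObject timeouts. The record layout, the regular expressions and the names FunctionRecord and ApiCall are my own assumptions about the page format; the embedded sample listing is a trimmed copy of two records from this page. One caveat a practitioner should keep in mind: the argument values are whatever Joe Sandbox recovered from the stack at the call site, so a timeout decoded from them is a strong hint, not a certainty.

```python
"""Parser for the per-function API listing in a Joe Sandbox disassembly report.

Added example (not Joe Sandbox code, no Joe Sandbox API is used).  It reads the
plain-text layout shown on this page and separates functions that live in a
memory region not backed by a PE image from those in the PE-backed DLL mapped
at 6BD30000.  Record/field names are my own assumptions about the format.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# "• send.WS2_32(?,10017440,00000010,00000000), ref: 03AE3F9D"
# "• Part of subcall function 03AE3F37: closesocket.WS2_32(?), ref: 03AE3FFC"
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
    r"(?P<name>[\w:]+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)$"
)
# "• Source File: 00000003....sdmp, Offset: 03AE0000, based on PE: false"
SRC_RE = re.compile(
    r"^•\s*Source File:\s*(?P<file>\S+),\s*Offset:\s*(?P<offset>[0-9A-F]+),"
    r"\s*based on PE:\s*(?P<pe>true|false)$"
)
# Remaining "• Key: value" lines (API ID, String ID, hashes ...).
KV_RE = re.compile(r"^•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: str                        # address of the call site
    subcall_of: Optional[str] = None  # set when listed as "Part of subcall function"


@dataclass
class FunctionRecord:
    calls: List[ApiCall] = field(default_factory=list)
    source_file: str = ""
    offset: str = ""
    pe_backed: Optional[bool] = None
    meta: dict = field(default_factory=dict)


def parse_listing(text: str) -> List[FunctionRecord]:
    """Split the listing into one FunctionRecord per APIs ... Similarity block."""
    records: List[FunctionRecord] = []
    cur: Optional[FunctionRecord] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # A record normally starts at "APIs"; a few records on the page omit that
        # header, so "Memory Dump Source" after a completed record also starts one.
        if line == "APIs" or (line == "Memory Dump Source" and cur and cur.offset):
            cur = FunctionRecord()
            records.append(cur)
            continue
        if cur is None:                 # listing excerpt that starts mid-record
            cur = FunctionRecord()
            records.append(cur)
        m = API_RE.match(line)
        if m:
            args = [a for a in (m["args"] or "").split(",") if a != ""]
            cur.calls.append(ApiCall(m["name"], m["module"], args, m["ref"], m["sub"]))
            continue
        m = SRC_RE.match(line)
        if m:
            cur.source_file, cur.offset = m["file"], m["offset"]
            cur.pe_backed = m["pe"] == "true"
            continue
        m = KV_RE.match(line)
        if m and m["key"] not in ("Associated", "Snapshot File"):
            cur.meta[m["key"]] = m["val"]
    return records


def non_pe_regions(records: List[FunctionRecord]) -> Set[str]:
    """Regions Joe Sandbox could not map to a PE image: the usual home of unpacked code."""
    return {r.offset for r in records if r.pe_backed is False}


def network_functions(records: List[FunctionRecord]) -> List[FunctionRecord]:
    """Records that touch Winsock (WS2_32) directly or through a listed subcall."""
    return [r for r in records if any(c.module == "WS2_32" for c in r.calls)]


def wait_timeouts_ms(record: FunctionRecord) -> List[int]:
    """Decode dwMilliseconds from WaitForSingleObject(hHandle, dwMilliseconds)."""
    out = []
    for c in record.calls:
        if c.name == "WaitForSingleObject" and len(c.args) >= 2 and c.args[1] != "?":
            out.append(int(c.args[1], 16))   # stack values are shown in hex
    return out


# Trimmed copy of two records from this report page, embedded so the script runs offline.
SAMPLE = """\
APIs
• timeGetTime.WINMM ref: 03AE4425
• InterlockedExchange.KERNEL32(?,00000000), ref: 03AE4434
• WaitForSingleObject.KERNEL32(?,00001770), ref: 03AE4482
• Part of subcall function 03AE3F37: GetCurrentThreadId.KERNEL32 ref: 03AE3F3C
• Part of subcall function 03AE3F37: send.WS2_32(?,10017440,00000010,00000000), ref: 03AE3F9D
• Part of subcall function 03AE3F37: SetEvent.KERNEL32(?), ref: 03AE3FC0
• Part of subcall function 03AE3F37: shutdown.WS2_32(?,00000001), ref: 03AE3FF2
• Part of subcall function 03AE3F37: closesocket.WS2_32(?), ref: 03AE3FFC
Memory Dump Source
• Source File: 00000003.00000002.3542251241.0000000003AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_3ae0000_Update.jbxd
Similarity
• API ID: EventExchangeInterlocked$CloseCurrentObjectSingleThreadTimeWaitclosesocketsendshutdowntime
• String ID:
• API String ID: 4080316033-0
APIs
• SetRectEmpty.USER32(6BD89ED9), ref: 6BD898FB
• GetClientRect.USER32(00000000,6BD89ED9), ref: 6BD8991B
Memory Dump Source
• Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
• Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
Similarity
• API ID: Rect$ClientEmptyOffsetParent
• API String ID: 3819956977-0
"""

if __name__ == "__main__":
    recs = parse_listing(SAMPLE)
    print("non-PE-backed regions:", sorted(non_pe_regions(recs)))
    for r in network_functions(recs):
        print(r.offset, [c.name for c in r.calls], "wait ms:", wait_timeouts_ms(r))
```

Run against the full report text instead of SAMPLE and the same three selectors give a short list of candidate command-and-control functions in the non-PE-backed region, which is a far better starting point for manual disassembly than the thousands of MFC window and rectangle helpers at 6BD30000.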
                                                                          APIs
                                                                          • __EH_prolog3_GS.LIBCMT ref: 6BE6A6B3
                                                                          • CoTaskMemFree.OLE32(?,?,?,?,?,00000000,?,00000040,6BDE6D3C,?,00000000,00000000,0000005C), ref: 6BE6A757
                                                                          • CoTaskMemFree.OLE32(?,?,?,00000000,?,00000040,6BDE6D3C,?,00000000,00000000,0000005C), ref: 6BE6A797
                                                                          • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,00000003,000000FF,00000000,?,00000000,?,00000040,6BDE6D3C,?,00000000,00000000), ref: 6BE6A7B5
                                                                            • Part of subcall function 6BD60447: __EH_prolog3.LIBCMT ref: 6BD6044E
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: FreeTask$CreateGlobalH_prolog3H_prolog3_Stream
                                                                          • String ID:
                                                                          • API String ID: 655328227-0
                                                                          • Opcode ID: cccdc7f328026b61095171be48ad64ecd50dac5a0e507421a97a5559ed7d81c8
                                                                          • Instruction ID: dd7a18a25aad13122702d9511f7af5776729e0cfd733db4872a56e9e45606af3
                                                                          • Opcode Fuzzy Hash: cccdc7f328026b61095171be48ad64ecd50dac5a0e507421a97a5559ed7d81c8
                                                                          • Instruction Fuzzy Hash: 4331C871A4421D9BDF14AF74CC89B9D7778EF00368F1001A9E4059B290DB399E91DFA0
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Rect$EqualInflateParentWindow
                                                                          • String ID:
                                                                          • API String ID: 719057501-0
                                                                          • Opcode ID: 1985085e37767ea55cfaa738406af9dfecab63dc20a2f60d4bb709f7e8f4a85c
                                                                          • Instruction ID: b12d6ef601aba018e72253cfb2c99c470ab11fe142bd67ffd830a5b446a6353d
                                                                          • Opcode Fuzzy Hash: 1985085e37767ea55cfaa738406af9dfecab63dc20a2f60d4bb709f7e8f4a85c
                                                                          • Instruction Fuzzy Hash: EE318C71A10209DBCF00DFB4C955AEEB7B9FF0D354F10056AE905EB250EB39EA448B60
                                                                          APIs
                                                                          • GetWindowRect.USER32(?,?), ref: 6BDFC12C
                                                                          • EqualRect.USER32(?,?), ref: 6BDFC152
                                                                          • BeginDeferWindowPos.USER32(?), ref: 6BDFC15F
                                                                          • EndDeferWindowPos.USER32(00000000), ref: 6BDFC185
                                                                            • Part of subcall function 6BDEB8C5: GetWindowRect.USER32(?,?), ref: 6BDEB8D9
                                                                            • Part of subcall function 6BDEB8C5: GetParent.USER32(?), ref: 6BDEB92F
                                                                            • Part of subcall function 6BDEB8C5: GetParent.USER32(?), ref: 6BDEB942
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Window$Rect$DeferParent$BeginEqual
                                                                          • String ID:
                                                                          • API String ID: 2054780619-0
                                                                          • Opcode ID: 5a6cd52ceb09f2ea5fb6ea5698bc92a67de4e867cfb4926db5b914271f460dec
                                                                          • Instruction ID: cd6c01b9d64ba995864bacdaf1d494d00674caf328b16bb37fb511dacfa964d3
                                                                          • Opcode Fuzzy Hash: 5a6cd52ceb09f2ea5fb6ea5698bc92a67de4e867cfb4926db5b914271f460dec
                                                                          • Instruction Fuzzy Hash: CC31C430E04609EBCF00DF74C980ADEB7B9BF09314F55416AE805AB150DB34EA65CBA0
                                                                          APIs
                                                                            • Part of subcall function 6BEB90A1: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6BEBC889,?,00000000,-00000008), ref: 6BEB9102
                                                                          • GetLastError.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,00000000,00000000), ref: 6BEBEBCD
                                                                          • __dosmaperr.LIBCMT ref: 6BEBEBD4
                                                                          • GetLastError.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,?,00000000,00000000,00000000,00000000,00000000), ref: 6BEBEC0E
                                                                          • __dosmaperr.LIBCMT ref: 6BEBEC15
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorLast__dosmaperr$ByteCharMultiWide
                                                                          • String ID:
                                                                          • API String ID: 1913693674-0
                                                                          • Opcode ID: 6ad869c71ea2885d0d2f8755bab8394996d3ddeda5498473da3788fbd108e71c
                                                                          • Instruction ID: 9967627c7af151162721ca5faac28d5fdabe12ed05283bfb7b3b9d8ea35e53de
                                                                          • Opcode Fuzzy Hash: 6ad869c71ea2885d0d2f8755bab8394996d3ddeda5498473da3788fbd108e71c
                                                                          • Instruction Fuzzy Hash: E121F831614A05AFDB109F75C9C182BB7ACFF413687208D9CE91A9B250EB3CEC108B90
                                                                          APIs
                                                                          • GetClientRect.USER32(?,?), ref: 6BD9C779
                                                                          • PtInRect.USER32(?,?,?), ref: 6BD9C7A3
                                                                            • Part of subcall function 6BD9A412: ScreenToClient.USER32(?,?), ref: 6BD9A42E
                                                                            • Part of subcall function 6BD9A412: GetParent.USER32(?), ref: 6BD9A43E
                                                                            • Part of subcall function 6BD9A412: GetClientRect.USER32(?,?), ref: 6BD9A4D1
                                                                            • Part of subcall function 6BD9A412: MapWindowPoints.USER32(?,?,?,00000002), ref: 6BD9A4E3
                                                                            • Part of subcall function 6BD9A412: PtInRect.USER32(?,?,?), ref: 6BD9A4F3
                                                                          • MapWindowPoints.USER32(?,?,?,00000001), ref: 6BD9C7CC
                                                                          • SendMessageW.USER32(?,00000202,?,?), ref: 6BD9C7EB
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Rect$Client$PointsWindow$MessageParentScreenSend
                                                                          • String ID:
                                                                          • API String ID: 2689702638-0
                                                                          • Opcode ID: 143247e00fb50081fd1a25967c73eec35e0f07935f65cdcbb4e98adaeb4c27be
                                                                          • Instruction ID: 25a574900de6cbe75c7ea6e4d6192eecc617df4626a8055e9ab693887ebba7c5
                                                                          • Opcode Fuzzy Hash: 143247e00fb50081fd1a25967c73eec35e0f07935f65cdcbb4e98adaeb4c27be
                                                                          • Instruction Fuzzy Hash: F731D531A10609EBCF16EF74DC04AAE7BB6FF49760F10412AF8599A120EB35DA10DB90
                                                                          APIs
                                                                          • RedrawWindow.USER32(00000041,?,?,00000041), ref: 6BD645A2
                                                                          • InflateRect.USER32(?,000000FF,000000FF), ref: 6BD645E5
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: InflateRectRedrawWindow
                                                                          • String ID:
                                                                          • API String ID: 3190756164-0
                                                                          • Opcode ID: dfb437637f10cabe4ce3c7b8acbce184fd8e36cdec5bd65fbc496c19d0ca2f77
                                                                          • Instruction ID: 8b05cfcccb3a8f7c16cc8bcded0844d71509c02800818b71a0ae253eed1dd73b
                                                                          • Opcode Fuzzy Hash: dfb437637f10cabe4ce3c7b8acbce184fd8e36cdec5bd65fbc496c19d0ca2f77
                                                                          • Instruction Fuzzy Hash: 33218D7151410AEFCF10EFA4CC44EAE777AFB06378B204229F520AB1A0D739DA488B60
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: ea86aa43369a337c2ae869c20ef8008e6e39270bddfd71f34b490c665ae46eec
                                                                          • Instruction ID: 2e436d4de3c05d156a6a2a9b8f84d81c196b39e16bc4c1ba55a00901bd918570
                                                                          • Opcode Fuzzy Hash: ea86aa43369a337c2ae869c20ef8008e6e39270bddfd71f34b490c665ae46eec
                                                                          • Instruction Fuzzy Hash: 6511E772615208ABDF211BB58F46F4A7BA9FF42764F3101A8E511DB292E779E900C6A0
                                                                          APIs
                                                                          • DestroyMenu.USER32(?,92806F5A,?,?,?,Function_0019BAD0,000000FF), ref: 6BD9CF54
                                                                          • IsWindow.USER32(?), ref: 6BD9CF65
                                                                          • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 6BD9CF79
                                                                          • Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 6BD9CFD6
                                                                            • Part of subcall function 6BE0FED1: GetParent.USER32(00000000), ref: 6BE0FF58
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: ContextExternal$BaseBase::~Concurrency::details::DestroyMenuMessageParentSendWindow
                                                                          • String ID:
                                                                          • API String ID: 3377428259-0
                                                                          • Opcode ID: 1b3033627e74a5c1b9a176647eb6eb3382e3f0777bb47348b5672037518ee0b3
                                                                          • Instruction ID: 19dc2e96b4a675ba091a5034f83f5783ddad4f427298ee3cb53ae3c7a8143e4d
                                                                          • Opcode Fuzzy Hash: 1b3033627e74a5c1b9a176647eb6eb3382e3f0777bb47348b5672037518ee0b3
                                                                          • Instruction Fuzzy Hash: 5C217E312157418BCB25DF35C891BFAB7A8FF45764F10085DE4AB8B290DB79A646CB20
                                                                          APIs
                                                                          • SetLastError.KERNEL32(0000139F), ref: 03AE43C3
                                                                            • Part of subcall function 03AE1377: RtlAllocateHeap.NTDLL(00000000,00000000,?), ref: 03AE13A2
                                                                            • Part of subcall function 03AE4C27: HeapFree.KERNEL32(?,00000000,?,00000000,03AE4E0C,?,03AE429F,03AE4E0C,00000000,?,00000001,03AE4E0C,?), ref: 03AE4C4E
                                                                          • SetLastError.KERNEL32(00000000,?), ref: 03AE43AE
                                                                          • SetLastError.KERNEL32(00000057), ref: 03AE43D8
                                                                          • WSAGetLastError.WS2_32(?), ref: 03AE43E7
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3542251241.0000000003AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AE0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_3ae0000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorLast$Heap$AllocateFree
                                                                          • String ID:
                                                                          • API String ID: 2037364846-0
                                                                          • Opcode ID: 127eb3da1a419b9376193c7e08546e54e028199608b7fbb35670fae08a1c63d3
                                                                          • Instruction ID: 07093cdd2e5ec430bf42aae92b5583b3c4f8995d32c5c22868d11f6c831d27c7
                                                                          • Opcode Fuzzy Hash: 127eb3da1a419b9376193c7e08546e54e028199608b7fbb35670fae08a1c63d3
                                                                          • Instruction Fuzzy Hash: DD11A736A0562897D710EFAAE8845EEB7A8EB89322B0941ABED0CDB300D635C91146D0
                                                                          APIs
                                                                          • KillTimer.USER32(?,0000EC17), ref: 6BD9C475
                                                                          • KillTimer.USER32(?,0000EC18), ref: 6BD9C483
                                                                          • IsWindow.USER32(?), ref: 6BD9C4F3
                                                                          • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 6BD9C51A
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: KillTimer$MessagePostWindow
                                                                          • String ID:
                                                                          • API String ID: 3970157719-0
                                                                          • Opcode ID: 344174fbf1514f5622371dad92b23cd1341630c7fad15944f592d66e929e6b2b
                                                                          • Instruction ID: e7aa08e86d231808efd93a15a18ab74d379d65a6b0b5827caf4bd0c5a77d4a1a
                                                                          • Opcode Fuzzy Hash: 344174fbf1514f5622371dad92b23cd1341630c7fad15944f592d66e929e6b2b
                                                                          • Instruction Fuzzy Hash: 1D219F32710605EFEF04AF64D895BAD7BB5BF89320F1000B9D9019F2A1EB78E905DB90
                                                                          APIs
                                                                          • _malloc.LIBCMT ref: 03AEE5BC
                                                                            • Part of subcall function 03AE6E5A: __FF_MSGBANNER.LIBCMT ref: 03AE6E73
                                                                            • Part of subcall function 03AE6E5A: __NMSG_WRITE.LIBCMT ref: 03AE6E7A
                                                                            • Part of subcall function 03AE6E5A: RtlAllocateHeap.NTDLL(00000000,00000001,00000001), ref: 03AE6E9F
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3542251241.0000000003AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AE0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_3ae0000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: AllocateHeap_malloc
                                                                          • String ID:
                                                                          • API String ID: 501242067-0
                                                                          • Opcode ID: 19c8f705b293d0e43781c04c81f056510b7f67a69813665bbbd607d0321c1977
                                                                          • Instruction ID: 42f1eea5f1ac3554cbc2d4db561b86a9a139cddd6ddee95d4df6cb13ea85cb3a
                                                                          • Opcode Fuzzy Hash: 19c8f705b293d0e43781c04c81f056510b7f67a69813665bbbd607d0321c1977
                                                                          • Instruction Fuzzy Hash: D711A736400711EADF31EB789904A5E3BA9EB44271F15846BF9599E290EF3AC84086A5
                                                                          APIs
                                                                          • GetClientRect.USER32 ref: 6BD9C885
                                                                          • PtInRect.USER32(?,?,?), ref: 6BD9C89E
                                                                            • Part of subcall function 6BD9A412: ScreenToClient.USER32(?,?), ref: 6BD9A42E
                                                                            • Part of subcall function 6BD9A412: GetParent.USER32(?), ref: 6BD9A43E
                                                                            • Part of subcall function 6BD9A412: GetClientRect.USER32(?,?), ref: 6BD9A4D1
                                                                            • Part of subcall function 6BD9A412: MapWindowPoints.USER32(?,?,?,00000002), ref: 6BD9A4E3
                                                                            • Part of subcall function 6BD9A412: PtInRect.USER32(?,?,?), ref: 6BD9A4F3
                                                                          • MapWindowPoints.USER32(?,?,?,00000001), ref: 6BD9C8D4
                                                                          • SendMessageW.USER32(?,00000201,?,?), ref: 6BD9C8F3
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Rect$Client$PointsWindow$MessageParentScreenSend
                                                                          • String ID:
                                                                          • API String ID: 2689702638-0
                                                                          • Opcode ID: 3a54c69745240b23e9998485fa1e360d44ecaa47c0a97d1b9879fbdc846e66b2
                                                                          • Instruction ID: 8da7077bd76df350440ea37abe244e159bb88ffe1433dc54a2a71d7c872b2874
                                                                          • Opcode Fuzzy Hash: 3a54c69745240b23e9998485fa1e360d44ecaa47c0a97d1b9879fbdc846e66b2
                                                                          • Instruction Fuzzy Hash: F6218E35A1030EEBCF159F65C805AEE7BB6FF48314F00452AF816AA150EB75DA64DFA0
                                                                          APIs
                                                                          • BeginDeferWindowPos.USER32(?), ref: 6BD89AC8
                                                                          • IsWindow.USER32(?), ref: 6BD89AE3
                                                                          • DeferWindowPos.USER32(00000000,00000000,00000000,?,?,?,?,00000000), ref: 6BD89B2C
                                                                          • EndDeferWindowPos.USER32(00000000), ref: 6BD89B37
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Window$Defer$Begin
                                                                          • String ID:
                                                                          • API String ID: 2880567340-0
                                                                          • Opcode ID: c6bc9261fc12b2e0ac8dc9cb6e8b842a8c3d16ceb6e528a2dde6eaf5891c03d2
                                                                          • Instruction ID: 394aa6f31ed23333d75cb2257266b854bf4f84109829ccdaf9cc79ca4b58338c
                                                                          • Opcode Fuzzy Hash: c6bc9261fc12b2e0ac8dc9cb6e8b842a8c3d16ceb6e528a2dde6eaf5891c03d2
                                                                          • Instruction Fuzzy Hash: 80116D71E10209AFDB01CFA9C885BBEBBF9FF08315F500569E541E7261D738A940DBA0
                                                                          APIs
                                                                          • SendMessageW.USER32(?,0000001F,00000000,00000000), ref: 6BD6EABC
                                                                          • SendMessageW.USER32(?,0000001F,00000000,00000000), ref: 6BD6EAE6
                                                                          • GetCapture.USER32 ref: 6BD6EAFC
                                                                          • SendMessageW.USER32(00000000,0000001F,00000000,00000000), ref: 6BD6EB0B
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend$Capture
                                                                          • String ID:
                                                                          • API String ID: 1665607226-0
                                                                          • Opcode ID: b40858a3f821e55b00d843a06e084dad18c322ab95713918873a2de4496032bd
                                                                          • Instruction ID: d946fd97ba83c2da00a4e3c01d2c81f2be61e0654b34a6c78596b39875528961
                                                                          • Opcode Fuzzy Hash: b40858a3f821e55b00d843a06e084dad18c322ab95713918873a2de4496032bd
                                                                          • Instruction Fuzzy Hash: 2C118271320619BFEA211B308C89FBA766EFF49794F050465F601AF2E5EB558C0196A0
                                                                          APIs
                                                                          • GetCursorPos.USER32(00000000), ref: 6BD71E03
                                                                          • GetWindowRect.USER32(?,?), ref: 6BD71E1F
                                                                          • PtInRect.USER32(?,00000000,00000000), ref: 6BD71E2F
                                                                          • CallNextHookEx.USER32(?,?,?), ref: 6BD71E57
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Rect$CallCursorHookNextWindow
                                                                          • String ID:
                                                                          • API String ID: 3719484595-0
                                                                          • Opcode ID: b6fb2023b0f2a99fe39b56dff606b5b202450e2eeeedc99d09c86b53b2b257b7
                                                                          • Instruction ID: 4e3964d1e37ea4fdccd910cfd1a057d34e44ef41ebb979ab335aa6bf48ae3db6
                                                                          • Opcode Fuzzy Hash: b6fb2023b0f2a99fe39b56dff606b5b202450e2eeeedc99d09c86b53b2b257b7
                                                                          • Instruction Fuzzy Hash: 4E215C31A1121ADBCF11EFA4C919FEE7BB9EF06325F404269F915EA060D738D644AB90
                                                                          APIs
                                                                          • WSAEventSelect.WS2_32(03AE3A92,00000001,00000023), ref: 03AE3BD9
                                                                          • WSAGetLastError.WS2_32 ref: 03AE3BE4
                                                                          • send.WS2_32(00000001,00000000,00000000,00000000), ref: 03AE3C2F
                                                                          • WSAGetLastError.WS2_32 ref: 03AE3C3A
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3542251241.0000000003AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AE0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_3ae0000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorLast$EventSelectsend
                                                                          • String ID:
                                                                          • API String ID: 259408233-0
                                                                          • Opcode ID: 2fb520420096818f033348b16f08926af932f2b6a4c880f47cd01b5ee34dc08f
                                                                          • Instruction ID: dd37518d2d7c35c32f31b6025f664f494c998a9174dc291625a08009a3336cfd
                                                                          • Opcode Fuzzy Hash: 2fb520420096818f033348b16f08926af932f2b6a4c880f47cd01b5ee34dc08f
                                                                          • Instruction Fuzzy Hash: 17118CBA200710ABD720DB79C8C8A57B6E9FBC8724B444A2EE556C7A90C732E404CB10
                                                                          APIs
                                                                          • RegSetValueExW.ADVAPI32(00000000,?,00000000,00000004,?,00000004,?,00000000), ref: 6BD7A356
                                                                          • RegCloseKey.ADVAPI32(00000000), ref: 6BD7A35F
                                                                          • swprintf.LIBCMT ref: 6BD7A37C
                                                                          • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 6BD7A38D
                                                                            • Part of subcall function 6BD7A899: RegCloseKey.ADVAPI32(00000000,?,?,?,?,6BD7A2C8,?,00000000), ref: 6BD7A8DE
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Close$PrivateProfileStringValueWriteswprintf
                                                                          • String ID:
                                                                          • API String ID: 581541481-0
                                                                          • Opcode ID: eb714c5ab7dd9d9936dd4ca7535ce0cbc189f35559548ac49abed77cab2a542c
                                                                          • Instruction ID: 953a6f731f0df8acc351ddbb82631ad164c5d8203ad51a360a08f053c60a4d25
                                                                          • Opcode Fuzzy Hash: eb714c5ab7dd9d9936dd4ca7535ce0cbc189f35559548ac49abed77cab2a542c
                                                                          • Instruction Fuzzy Hash: 23016172510708BBDB21EF64CC46FAE77ADEB49614F51086AF601AB150D7B9ED048760
                                                                          APIs
                                                                          • GetObjectW.GDI32(?,0000000C,?), ref: 6BD6E729
                                                                          • SetBkColor.GDI32(?,?), ref: 6BD6E733
                                                                          • GetSysColor.USER32(00000008), ref: 6BD6E743
                                                                          • SetTextColor.GDI32(?,?), ref: 6BD6E74B
                                                                            • Part of subcall function 6BD7FD47: GetWindowLongW.USER32(?,000000F0), ref: 6BD7FD62
                                                                            • Part of subcall function 6BD7FD47: GetClassNameW.USER32(?,?,0000000A), ref: 6BD7FD77
                                                                            • Part of subcall function 6BD7FD47: CompareStringW.KERNEL32(0000007F,00000001,?,000000FF,combobox,000000FF,?,?,?,?,?,?,?,?,?,6BD675A6), ref: 6BD7FD8E
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Color$ClassCompareLongNameObjectStringTextWindow
                                                                          • String ID:
                                                                          • API String ID: 3274569906-0
                                                                          • Opcode ID: 0119e469d823890ce2beec509f7a4b1ef1369fc96204519664e62b1a34413d96
                                                                          • Instruction ID: eb015855d03673a9606f099a99b7512bdf51fd80313aef1c7d436a377596b544
                                                                          • Opcode Fuzzy Hash: 0119e469d823890ce2beec509f7a4b1ef1369fc96204519664e62b1a34413d96
                                                                          • Instruction Fuzzy Hash: A001AD31630104EBDB24DFB8CC41AAE73A9EB0A660F404965E821DA180EB38DA0597E4
                                                                          APIs
                                                                          • SetActiveWindow.USER32(?), ref: 6BD74FE4
                                                                          • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 6BD74FF7
                                                                          • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 6BD75025
                                                                          • DragFinish.SHELL32(?), ref: 6BD7505A
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Drag$FileQuery$ActiveFinishWindow
                                                                          • String ID:
                                                                          • API String ID: 892977027-0
                                                                          • Opcode ID: 77a2cbd3fd1c146ebe52d20b7eb0d8cab69e7248b311cd8d5978913175d1a081
                                                                          • Instruction ID: eb36b9eacbf1e1d75fa52acbd892baa10114ade5046f4afdc5c08b7f2f68d07a
                                                                          • Opcode Fuzzy Hash: 77a2cbd3fd1c146ebe52d20b7eb0d8cab69e7248b311cd8d5978913175d1a081
                                                                          • Instruction Fuzzy Hash: 2B1151755102189BCB20EB35CC8DEDE7BB8FB89314F0105A9E91A9B251CB34DE44CFA0
                                                                          APIs
                                                                          • GetDlgCtrlID.USER32(?), ref: 6BD66B18
                                                                          • GetScrollPos.USER32(?,00000002), ref: 6BD66B2B
                                                                          • SendMessageW.USER32(?,00000115,?,?), ref: 6BD66B65
                                                                          • SetScrollPos.USER32(?,00000002,?,00000000), ref: 6BD66B83
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Scroll$CtrlMessageSend
                                                                          • String ID:
                                                                          • API String ID: 1219558039-0
                                                                          • Opcode ID: deb5facbab0282816d782bdb713a13b9271c1e5b5b5b8492b5c4dbb416d0eb05
                                                                          • Instruction ID: a19504d21f0d84554e831117acad09904d8c693677d5dc111218148bf5f3f77a
                                                                          • Opcode Fuzzy Hash: deb5facbab0282816d782bdb713a13b9271c1e5b5b5b8492b5c4dbb416d0eb05
                                                                          • Instruction Fuzzy Hash: 8C117C32610214EFDB118FA9CC4AFAE7B75FB49390F014969F9459F161E7709C50DB60
                                                                          APIs
                                                                          • GetDlgCtrlID.USER32(?), ref: 6BD66A87
                                                                          • GetScrollPos.USER32(?,00000002), ref: 6BD66A9A
                                                                          • SendMessageW.USER32(?,00000114,?,?), ref: 6BD66AD4
                                                                          • SetScrollPos.USER32(?,00000002,?,00000000), ref: 6BD66AF2
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Scroll$CtrlMessageSend
                                                                          • String ID:
                                                                          • API String ID: 1219558039-0
                                                                          • Opcode ID: 74a25b0b729324eb89774bcb64f5f0267d6a67cac7d1f2b0bb3659089d0b94c2
                                                                          • Instruction ID: cd5f46480953fd7b59d3dc67e44348d883f51e4d97ca0b833ce73443a5664327
                                                                          • Opcode Fuzzy Hash: 74a25b0b729324eb89774bcb64f5f0267d6a67cac7d1f2b0bb3659089d0b94c2
                                                                          • Instruction Fuzzy Hash: 48118E72610214EFEB018FA9CC4AEAE7B75FB49394F014879F9459F161E6709C10DB60
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3542251241.0000000003AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AE0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_3ae0000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                          • String ID:
                                                                          • API String ID: 3016257755-0
                                                                          • Opcode ID: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
                                                                          • Instruction ID: e996fe5da7acbaca6c68c436a6ae1e27ee909d9edd50b13c8da524c3ea83a4b0
                                                                          • Opcode Fuzzy Hash: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
                                                                          • Instruction Fuzzy Hash: A7113D3600414ABFCF169F84CC55CEE3F26FF18254B5A8916FE2859130D636C9B1AB81
                                                                          APIs
                                                                          • InflateRect.USER32(?,00000002,00000002), ref: 6BD93F8F
                                                                          • InvalidateRect.USER32(?,?,00000001), ref: 6BD93FA3
                                                                          • UpdateWindow.USER32(?), ref: 6BD93FAC
                                                                          • SetRectEmpty.USER32(?), ref: 6BD93FB3
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Rect$EmptyInflateInvalidateUpdateWindow
                                                                          • String ID:
                                                                          • API String ID: 3040190709-0
                                                                          • Opcode ID: 9d6305fa786e02f398d70b7e2e986c92722f6c9ac686da3a40e86400e17a632f
                                                                          • Instruction ID: 13dd777c253c269f3c9098756b781dae1d04540246f0bbcbd170f0e0b1ba9dc0
                                                                          • Opcode Fuzzy Hash: 9d6305fa786e02f398d70b7e2e986c92722f6c9ac686da3a40e86400e17a632f
                                                                          • Instruction Fuzzy Hash: 8B019631510209DFDB10DF68C84AF9B7BF5FB4A320F510679E556EB1A0D7709948CB90
                                                                          APIs
                                                                          • GetKeyboardState.USER32(?), ref: 6BDB0E05
                                                                          • GetKeyboardLayout.USER32(?), ref: 6BDB0E2B
                                                                          • MapVirtualKeyW.USER32(00000000,00000000), ref: 6BDB0E38
                                                                          • ToUnicodeEx.USER32(00000000,00000000,?,?,00000002,00000000,00000000), ref: 6BDB0E55
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Keyboard$LayoutStateUnicodeVirtual
                                                                          • String ID:
                                                                          • API String ID: 961187839-0
                                                                          • Opcode ID: 943d6066b2cf9a521de9db7d09ff6318dd895327c22ff6e7f0d755f8faf93079
                                                                          • Instruction ID: 1b52a1c8248f1e6fc8ac7e9286991781332e4eb251bb238f13839a8cae27a317
                                                                          • Opcode Fuzzy Hash: 943d6066b2cf9a521de9db7d09ff6318dd895327c22ff6e7f0d755f8faf93079
                                                                          • Instruction Fuzzy Hash: 4001B571A10104ABDB24AF70CC0AFDE7768EF05310F410475F646EE090DBB4DA84CB94
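The function above is the one that earns the "Contains functionality to capture and log keystrokes" signature: GetKeyboardState, GetKeyboardLayout, MapVirtualKeyW and ToUnicodeEx together are the standard Win32 sequence for turning a raw virtual-key code into the character the user actually typed under the active keyboard layout, which is what a keylogger needs before writing a log. The earlier WS2_32 entry (WSAEventSelect followed by send) comes from the 03AE0000 region that the report marks "based on PE: false", i.e. a dump that is not a mapped PE image, consistent with the unpacked payload. Below is an added triage helper, written for this page and not part of Joe Sandbox or of the sample: it parses per-function entries in exactly the listing format shown here (the "APIs" bullets with their "ref:" addresses, the "Part of subcall function" lines, the "Source File ... based on PE" line and the "API ID") and tags functions whose API combination matters to an analyst. The sample input is transcribed from three of this report's own entries; the rule table RULES is this example's assumption, not a Joe Sandbox signature.

```python
"""Parse Joe Sandbox per-function API listings and tag call patterns.

Added triage helper; not Joe Sandbox code. RULES is an assumed rule table.
"""
import re
from collections import namedtuple
from dataclasses import dataclass, field
from typing import List, Optional

ApiCall = namedtuple("ApiCall", "name module ref via_subcall")

# Constructed sample: three entries transcribed from this report (indentation dropped).
SAMPLE = """\
APIs
• WSAEventSelect.WS2_32(03AE3A92,00000001,00000023), ref: 03AE3BD9
• WSAGetLastError.WS2_32 ref: 03AE3BE4
• send.WS2_32(00000001,00000000,00000000,00000000), ref: 03AE3C2F
• WSAGetLastError.WS2_32 ref: 03AE3C3A
Memory Dump Source
• Source File: 00000003.00000002.3542251241.0000000003AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AE0000, based on PE: false
Similarity
• API ID: ErrorLast$EventSelectsend
APIs
• RegSetValueExW.ADVAPI32(00000000,?,00000000,00000004,?,00000004,?,00000000), ref: 6BD7A356
• RegCloseKey.ADVAPI32(00000000), ref: 6BD7A35F
• swprintf.LIBCMT ref: 6BD7A37C
• WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 6BD7A38D
• Part of subcall function 6BD7A899: RegCloseKey.ADVAPI32(00000000,?,?,?,?,6BD7A2C8,?,00000000), ref: 6BD7A8DE
Memory Dump Source
• Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
Similarity
• API ID: Close$PrivateProfileStringValueWriteswprintf
APIs
• GetKeyboardState.USER32(?), ref: 6BDB0E05
• GetKeyboardLayout.USER32(?), ref: 6BDB0E2B
• MapVirtualKeyW.USER32(00000000,00000000), ref: 6BDB0E38
• ToUnicodeEx.USER32(00000000,00000000,?,?,00000002,00000000,00000000), ref: 6BDB0E55
Memory Dump Source
• Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
Similarity
• API ID: Keyboard$LayoutStateUnicodeVirtual
"""

# One "APIs" bullet: optional subcall prefix, Api.Module(args) or Api.Module, then ref: address.
API_RE = re.compile(
    r"^•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>\w+)\.(?P<mod>\w+).*?ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
SRC_RE = re.compile(r"Offset:\s*(?P<off>[0-9A-Fa-f]+),\s*based on PE:\s*(?P<pe>true|false)")


@dataclass
class FunctionEntry:
    apis: List[ApiCall] = field(default_factory=list)
    offset: str = ""
    backed_by_pe: Optional[bool] = None  # False: dump region is not a mapped PE image
    api_id: str = ""

    def api_names(self):
        return {c.name for c in self.apis}


def parse_entries(text: str) -> List[FunctionEntry]:
    """Split the listing at each 'APIs' header and collect that function's fields."""
    entries, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = FunctionEntry()
            entries.append(cur)
            section = "APIs"
            continue
        if line in ("Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"):
            section = line
            continue
        if cur is None:
            continue
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                cur.apis.append(ApiCall(m["name"], m["mod"], m["ref"], m["sub"] is not None))
        elif section == "Memory Dump Source":
            m = SRC_RE.search(line)
            if m:
                cur.offset, cur.backed_by_pe = m["off"], m["pe"] == "true"
        elif section == "Similarity" and line.startswith("• API ID:"):
            cur.api_id = line.split(":", 1)[1].strip()
    return entries


# Assumed rules: a tag fires when every listed API appears in the same function.
RULES = {
    "vk-to-unicode (keystroke capture idiom)":
        {"GetKeyboardState", "GetKeyboardLayout", "MapVirtualKeyW", "ToUnicodeEx"},
    "async socket send": {"WSAEventSelect", "send"},
    "registry + ini config write": {"RegSetValueExW", "WritePrivateProfileStringW"},
}


def tags_for(entry: FunctionEntry) -> List[str]:
    names = entry.api_names()
    tags = [tag for tag, need in RULES.items() if need <= names]
    if entry.backed_by_pe is False:  # code running from memory with no PE image behind it
        tags.append("not PE-backed (unpacked/injected region)")
    return tags


def triage(text: str):
    """(offset, API ID, tags) for every function that triggers at least one tag."""
    return [(e.offset, e.api_id, tags_for(e)) for e in parse_entries(text) if tags_for(e)]


if __name__ == "__main__":
    for off, api_id, tags in triage(SAMPLE):
        print(off, api_id, "; ".join(tags))
```

Run it against a whole report pasted into SAMPLE (or read from a file) and the three tags surface the functions worth opening first: the keystroke translation routine, the socket sender in the non-PE-backed region, and the registry/INI writer. Subcall lines are kept, marked via_subcall, so that an API reached only through a callee still counts toward a rule.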
                                                                          APIs
                                                                          • GetWindowLongW.USER32(00000000,000000F0), ref: 6BD61E60
                                                                          • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 6BD61E6F
                                                                          • IsWindow.USER32(00000000), ref: 6BD61E80
                                                                          • SetWindowLongW.USER32(00000000,000000F0,?), ref: 6BD61E90
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Window$Long
                                                                          • String ID:
                                                                          • API String ID: 847901565-0
                                                                          • Opcode ID: 3a5a34dfa035f00a113cff35a5b206d4d69dec999075ce7c1f0556ead910f9ae
                                                                          • Instruction ID: aad0b6eed167f5876ee1d5db3735ec786cb1436a41f38afe1df0d15f3d86f331
                                                                          • Opcode Fuzzy Hash: 3a5a34dfa035f00a113cff35a5b206d4d69dec999075ce7c1f0556ead910f9ae
                                                                          • Instruction Fuzzy Hash: A301D632614124AFDF005B788C49B7F3678EB86774F110768F822DA2D1EF78D8019754
                                                                          APIs
                                                                          • GetTopWindow.USER32(?), ref: 6BD6E975
                                                                          • GetTopWindow.USER32(00000000), ref: 6BD6E9B8
                                                                          • GetWindow.USER32(00000000,00000002), ref: 6BD6E9DA
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Window
                                                                          • String ID:
                                                                          • API String ID: 2353593579-0
                                                                          APIs
                                                                          • GetDlgItem.USER32(?,00000001), ref: 6BD6E901
                                                                          • GetTopWindow.USER32(00000000), ref: 6BD6E90E
                                                                            • Part of subcall function 6BD6E8F7: GetWindow.USER32(00000000,00000002), ref: 6BD6E95D
                                                                          • GetTopWindow.USER32(?), ref: 6BD6E942
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Window$Item
                                                                          • String ID:
                                                                          • API String ID: 369458955-0
                                                                          APIs
                                                                          • _malloc.LIBCMT ref: 03AE6F08
                                                                            • Part of subcall function 03AE6E5A: __FF_MSGBANNER.LIBCMT ref: 03AE6E73
                                                                            • Part of subcall function 03AE6E5A: __NMSG_WRITE.LIBCMT ref: 03AE6E7A
                                                                            • Part of subcall function 03AE6E5A: RtlAllocateHeap.NTDLL(00000000,00000001,00000001), ref: 03AE6E9F
                                                                          • std::exception::exception.LIBCMT ref: 03AE6F3D
                                                                          • std::exception::exception.LIBCMT ref: 03AE6F57
                                                                          • __CxxThrowException@8.LIBCMT ref: 03AE6F68
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3542251241.0000000003AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AE0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_3ae0000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
                                                                          • String ID:
                                                                          • API String ID: 615853336-0
                                                                          APIs
                                                                          • GetParent.USER32(?), ref: 6BD7BADC
                                                                          • GetParent.USER32(?), ref: 6BD7BAEF
                                                                          • GetParent.USER32(?), ref: 6BD7BB09
                                                                          • SetFocus.USER32(?,00000000,?,?,6BD74C3F,?,6BD31906), ref: 6BD7BB22
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Parent$Focus
                                                                          • String ID:
                                                                          • API String ID: 384096180-0
                                                                          APIs
                                                                          • WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,00000000,?,6BEC91F0,00000000,00000001,00000000,?,?,6BEC1D26,?,00000000,00000000), ref: 6BECA220
                                                                          • GetLastError.KERNEL32(?,6BEC91F0,00000000,00000001,00000000,?,?,6BEC1D26,?,00000000,00000000,?,?,?,6BEC166C,00000000), ref: 6BECA22C
                                                                            • Part of subcall function 6BECA27D: CloseHandle.KERNEL32(FFFFFFFE,6BECA23C,?,6BEC91F0,00000000,00000001,00000000,?,?,6BEC1D26,?,00000000,00000000,?,?), ref: 6BECA28D
                                                                          • ___initconout.LIBCMT ref: 6BECA23C
                                                                            • Part of subcall function 6BECA25E: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6BECA1FA,6BEC91DD,?,?,6BEC1D26,?,00000000,00000000,?), ref: 6BECA271
                                                                          • WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,?,6BEC91F0,00000000,00000001,00000000,?,?,6BEC1D26,?,00000000,00000000,?), ref: 6BECA251
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                                                          • String ID:
                                                                          • API String ID: 2744216297-0
                                                                          APIs
                                                                          • PeekConsoleInputA.KERNEL32(?,?,6BF2F740,00000000,?,6BEB144A,00000000,0000000C,6BF2F740,?,?,?,6BEB10F8,6BF2F740,0000000C,6BD34C7E), ref: 6BEBFAD2
                                                                          • GetLastError.KERNEL32(?,6BEB144A,00000000,0000000C,6BF2F740,?,?,?,6BEB10F8,6BF2F740,0000000C,6BD34C7E), ref: 6BEBFADE
                                                                            • Part of subcall function 6BEBFBBA: CloseHandle.KERNEL32(FFFFFFFF,6BEBFAA2,?,?,6BEB13E0,0000000C,?,?,?,6BEB10F8,6BF2F740,0000000C,6BD34C7E), ref: 6BEBFBCA
                                                                          • ___initconin.LIBCMT ref: 6BEBFAEE
                                                                            • Part of subcall function 6BEBFB9B: CreateFileW.KERNEL32(CONIN$,C0000000,00000003,00000000,00000003,00000000,00000000,6BEBFA16,6BEB13CF,?,?,?,6BEB10F8,6BF2F740,0000000C,6BD34C7E), ref: 6BEBFBAE
                                                                          • PeekConsoleInputA.KERNEL32(?,?,6BF2F740,?,6BEB144A,00000000,0000000C,6BF2F740,?,?,?,6BEB10F8,6BF2F740,0000000C,6BD34C7E), ref: 6BEBFB02
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: ConsoleInputPeek$CloseCreateErrorFileHandleLast___initconin
                                                                          • String ID:
                                                                          • API String ID: 1545762386-0
                                                                          APIs
                                                                          • ReadConsoleInputW.KERNEL32(0000000C,6BF2F760,6BEB1148,00000000,?,6BEB11CC,?,00000001,?,6BF2F780,00000038,6BEB1148,6BF2F760,0000000C,6BD34C92), ref: 6BEBFA3A
                                                                          • GetLastError.KERNEL32(?,6BEB11CC,?,00000001,?,6BF2F780,00000038,6BEB1148,6BF2F760,0000000C,6BD34C92), ref: 6BEBFA46
                                                                            • Part of subcall function 6BEBFBBA: CloseHandle.KERNEL32(FFFFFFFF,6BEBFAA2,?,?,6BEB13E0,0000000C,?,?,?,6BEB10F8,6BF2F740,0000000C,6BD34C7E), ref: 6BEBFBCA
                                                                          • ___initconin.LIBCMT ref: 6BEBFA56
                                                                            • Part of subcall function 6BEBFB9B: CreateFileW.KERNEL32(CONIN$,C0000000,00000003,00000000,00000003,00000000,00000000,6BEBFA16,6BEB13CF,?,?,?,6BEB10F8,6BF2F740,0000000C,6BD34C7E), ref: 6BEBFBAE
                                                                          • ReadConsoleInputW.KERNEL32(0000000C,6BF2F760,6BEB1148,?,6BEB11CC,?,00000001,?,6BF2F780,00000038,6BEB1148,6BF2F760,0000000C,6BD34C92), ref: 6BEBFA6A
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: ConsoleInputRead$CloseCreateErrorFileHandleLast___initconin
                                                                          • String ID:
                                                                          • API String ID: 838051604-0
                                                                          APIs
                                                                            • Part of subcall function 6BD7BA35: ShowWindow.USER32(?,00000000,?,?,6BD7921A,00000000), ref: 6BD7BA46
                                                                          • UpdateWindow.USER32(?), ref: 6BE99A18
                                                                          • UpdateWindow.USER32(?), ref: 6BE99A2B
                                                                          • SetRectEmpty.USER32(?), ref: 6BE99A38
                                                                          • SetRectEmpty.USER32(?), ref: 6BE99A45
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: Window$EmptyRectUpdate$Show
                                                                          • String ID:
                                                                          • API String ID: 1262231214-0
                                                                          APIs
                                                                          • SetConsoleMode.KERNEL32(0000000C,00000000,?,6BEB11B3,00000000,6BD34C92,6BF2F780,00000038,6BEB1148,6BF2F760,0000000C,6BD34C92), ref: 6BEBFB64
                                                                          • GetLastError.KERNEL32(?,6BEB11B3,00000000,6BD34C92,6BF2F780,00000038,6BEB1148,6BF2F760,0000000C,6BD34C92), ref: 6BEBFB70
                                                                            • Part of subcall function 6BEBFBBA: CloseHandle.KERNEL32(FFFFFFFF,6BEBFAA2,?,?,6BEB13E0,0000000C,?,?,?,6BEB10F8,6BF2F740,0000000C,6BD34C7E), ref: 6BEBFBCA
                                                                          • ___initconin.LIBCMT ref: 6BEBFB80
                                                                            • Part of subcall function 6BEBFB9B: CreateFileW.KERNEL32(CONIN$,C0000000,00000003,00000000,00000003,00000000,00000000,6BEBFA16,6BEB13CF,?,?,?,6BEB10F8,6BF2F740,0000000C,6BD34C7E), ref: 6BEBFBAE
                                                                          • SetConsoleMode.KERNEL32(0000000C,?,6BEB11B3,00000000,6BD34C92,6BF2F780,00000038,6BEB1148,6BF2F760,0000000C,6BD34C92), ref: 6BEBFB8E
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: ConsoleMode$CloseCreateErrorFileHandleLast___initconin
                                                                          • String ID:
                                                                          • API String ID: 3067319862-0
                                                                          APIs
                                                                          • GetConsoleMode.KERNEL32(0000000C,?,?,6BEB11AB,6BD34C92,6BF2F780,00000038,6BEB1148,6BF2F760,0000000C,6BD34C92), ref: 6BEBFB1E
                                                                          • GetLastError.KERNEL32(?,?,6BEB11AB,6BD34C92,6BF2F780,00000038,6BEB1148,6BF2F760,0000000C,6BD34C92), ref: 6BEBFB2A
                                                                            • Part of subcall function 6BEBFBBA: CloseHandle.KERNEL32(FFFFFFFF,6BEBFAA2,?,?,6BEB13E0,0000000C,?,?,?,6BEB10F8,6BF2F740,0000000C,6BD34C7E), ref: 6BEBFBCA
                                                                          • ___initconin.LIBCMT ref: 6BEBFB3A
                                                                            • Part of subcall function 6BEBFB9B: CreateFileW.KERNEL32(CONIN$,C0000000,00000003,00000000,00000003,00000000,00000000,6BEBFA16,6BEB13CF,?,?,?,6BEB10F8,6BF2F740,0000000C,6BD34C7E), ref: 6BEBFBAE
                                                                          • GetConsoleMode.KERNEL32(0000000C,?,?,6BEB11AB,6BD34C92,6BF2F780,00000038,6BEB1148,6BF2F760,0000000C,6BD34C92), ref: 6BEBFB48
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: ConsoleMode$CloseCreateErrorFileHandleLast___initconin
                                                                          • String ID:
                                                                          • API String ID: 3067319862-0
                                                                          APIs
                                                                          • GetNumberOfConsoleInputEvents.KERNEL32(?,?,?,6BEB13E0,0000000C,?,?,?,6BEB10F8,6BF2F740,0000000C,6BD34C7E), ref: 6BEBFA86
                                                                          • GetLastError.KERNEL32(?,?,6BEB13E0,0000000C,?,?,?,6BEB10F8,6BF2F740,0000000C,6BD34C7E), ref: 6BEBFA92
                                                                            • Part of subcall function 6BEBFBBA: CloseHandle.KERNEL32(FFFFFFFF,6BEBFAA2,?,?,6BEB13E0,0000000C,?,?,?,6BEB10F8,6BF2F740,0000000C,6BD34C7E), ref: 6BEBFBCA
                                                                          • ___initconin.LIBCMT ref: 6BEBFAA2
                                                                            • Part of subcall function 6BEBFB9B: CreateFileW.KERNEL32(CONIN$,C0000000,00000003,00000000,00000003,00000000,00000000,6BEBFA16,6BEB13CF,?,?,?,6BEB10F8,6BF2F740,0000000C,6BD34C7E), ref: 6BEBFBAE
                                                                          • GetNumberOfConsoleInputEvents.KERNEL32(?,?,?,6BEB13E0,0000000C,?,?,?,6BEB10F8,6BF2F740,0000000C,6BD34C7E), ref: 6BEBFAB0
                                                                          Similarity
                                                                          • API ID: ConsoleEventsInputNumber$CloseCreateErrorFileHandleLast___initconin
                                                                          • String ID:
                                                                          • API String ID: 1600138625-0
                                                                          APIs
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: __aulldiv
                                                                          • String ID: -$0123456789abcdefghijklmnopqrstuvwxyz
                                                                          • API String ID: 3732870572-1956417402
                                                                          APIs
                                                                          • GetACP.KERNEL32(-00000002,00000000,?,00000000,00000000,?,6BEB9B18,?,?,?,00000055,?,-00000050,?,?,?), ref: 6BEC4D98
                                                                          • IsValidCodePage.KERNEL32(00000000,-00000002,00000000,?,00000000,00000000,?,6BEB9B18,?,?,?,00000055,?,-00000050,?,?), ref: 6BEC4DCF
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: CodePageValid
                                                                          • String ID: utf8
                                                                          • API String ID: 1911128615-905460609
                                                                          APIs
                                                                          • __EH_prolog3_GS.LIBCMT ref: 6BD88127
                                                                          • CoCreateGuid.OLE32(?,?,?,?,?,?,?,?,?,?,?,?,00000028), ref: 6BD88182
                                                                          Strings
                                                                          • %08lX%04X%04x%02X%02X%02X%02X%02X%02X%02X%02X, xrefs: 6BD881CC
                                                                          Similarity
                                                                          • API ID: CreateGuidH_prolog3_
                                                                          • String ID: %08lX%04X%04x%02X%02X%02X%02X%02X%02X%02X%02X
                                                                          • API String ID: 2971167768-1017209998
                                                                          APIs
                                                                          • __EH_prolog3.LIBCMT ref: 6BDDDE27
                                                                          • RegQueryValueExW.ADVAPI32(?,?,00000000,?,?,?,?,?,00000008,6BD90217,?,MFCToolBars,?,000000A8), ref: 6BDDDF72
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: H_prolog3QueryValue
                                                                          • String ID: SOFTWARE\
                                                                          • API String ID: 2373586757-3302998844
                                                                          APIs
                                                                          • EncodePointer.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,6BEB8914,?,?,00000000,00000000,00000000,?), ref: 6BEB8A38
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: EncodePointer
                                                                          • String ID: MOC$RCC
                                                                          • API String ID: 2118026453-2084237596
                                                                          APIs
                                                                          • GetModuleFileNameW.KERNEL32(?,?,00000104), ref: 6BD69B38
                                                                          • PathFindExtensionW.SHLWAPI(?,?), ref: 6BD69B4E
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: ExtensionFileFindModuleNamePath
                                                                          • String ID: %Ts%Ts.dll
                                                                          • API String ID: 2295281026-1896370695
                                                                          APIs
                                                                          • ___except_validate_context_record.LIBVCRUNTIME ref: 6BEB84F6
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: ___except_validate_context_record
                                                                          • String ID: csm$csm
                                                                          • API String ID: 3493665558-3733052814
                                                                          APIs
                                                                            • Part of subcall function 6BD7A899: RegCloseKey.ADVAPI32(00000000,?,?,?,?,6BD7A2C8,?,00000000), ref: 6BD7A8DE
                                                                          • RegSetValueExW.ADVAPI32(00000000,?,00000000,00000003,?,?,?,00000000), ref: 6BD7A728
                                                                          • RegCloseKey.ADVAPI32(00000000), ref: 6BD7A731
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: Close$Value
                                                                          • String ID: A
                                                                          • API String ID: 299128501-3554254475
                                                                          • Opcode ID: 1a66d41a80b09a30bfde56e5a22ed0feabe096d9f406b08d286c72ba052a31ab
                                                                          • Instruction ID: 22eeaa56f63d6074e22959ae9e65177e8e4f5db9be809ba15c3391014ed7b933
                                                                          • Opcode Fuzzy Hash: 1a66d41a80b09a30bfde56e5a22ed0feabe096d9f406b08d286c72ba052a31ab
                                                                          • Instruction Fuzzy Hash: 66210376500225BBCB259F68D845AEE7BB9EF49770F10406AF814DF250EB39CD42D760
                                                                          APIs
                                                                          • GetSysColor.USER32(00000014), ref: 6BD7EFB0
                                                                          • CreateDIBitmap.GDI32(?,00000028,00000004,?,00000028,00000000), ref: 6BD7F029
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: BitmapColorCreate
                                                                          • String ID: (
                                                                          • API String ID: 2048008349-3887548279
                                                                          • Opcode ID: b7b8a0e6fb0de8e0dfc1eedc8ffae6341b2abc9f67e5173ba4f2ef181629c288
                                                                          • Instruction ID: 648c934836508ff392107db310edac89e7ae3ab1516c2f6955783de9306a43a8
                                                                          • Opcode Fuzzy Hash: b7b8a0e6fb0de8e0dfc1eedc8ffae6341b2abc9f67e5173ba4f2ef181629c288
                                                                          • Instruction Fuzzy Hash: D721953091128CDBEB11CFB889427DCB7B4BF19205F508569E945FB142EF349A49DB64
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: EmptyH_prolog3_Rect
                                                                          • String ID: Afx:ToolBar
                                                                          • API String ID: 2941628838-177727192
                                                                          • Opcode ID: 41393e131bec694e8d2cb181eb341ddc7fa6878a0aa8e8a785eff83c50ce7b47
                                                                          • Instruction ID: 51fedb8e9ffdfba3035ed3eb6a7a2908035fdf84dae18fd95b6a0abe371a186f
                                                                          • Opcode Fuzzy Hash: 41393e131bec694e8d2cb181eb341ddc7fa6878a0aa8e8a785eff83c50ce7b47
                                                                          • Instruction Fuzzy Hash: FF219571A105189BCF08DF78C996AED7BA1EF08364F05062DF815EB290DB789D508B74
                                                                          APIs
                                                                          • __output_l.LIBCMT ref: 03AE6FFC
                                                                            • Part of subcall function 03AE70E4: __getptd_noexit.LIBCMT ref: 03AE70E4
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3542251241.0000000003AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AE0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_3ae0000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: __getptd_noexit__output_l
                                                                          • String ID: B
                                                                          • API String ID: 2141734944-1255198513
                                                                          • Opcode ID: 9d13b0dc1e7cc3b4a828052403ade02a95932ad8b58c16c5deaaa246e36644c3
                                                                          • Instruction ID: 978dcb6c72b3b4155bbb1d5fda2d00f01646e0f96d426fccf94115755732c798
                                                                          • Opcode Fuzzy Hash: 9d13b0dc1e7cc3b4a828052403ade02a95932ad8b58c16c5deaaa246e36644c3
                                                                          • Instruction Fuzzy Hash: B101697290424D9FDF10DFA4DC01BEEBBF9FB04364F04416AE924AA280E779D901CBA5
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3542251241.0000000003AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AE0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_3ae0000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: CallFrame@12Setting__getptd
                                                                          • String ID: j
                                                                          • API String ID: 3454690891-2137352139
                                                                          • Opcode ID: 2a3c231524d2f5714940ff7c9f67256147f183406962bf184a7791e03a03933a
                                                                          • Instruction ID: c422ca9a3ae2c8b417f45026d73277955667e7feff7644374c40371e98aefa28
                                                                          • Opcode Fuzzy Hash: 2a3c231524d2f5714940ff7c9f67256147f183406962bf184a7791e03a03933a
                                                                          • Instruction Fuzzy Hash: 8711A179800654DFCF12DF98C5443ACFB70BF00326F18808AE9552B6C2C374A991CB91
                                                                          APIs
                                                                          • __getptd.LIBCMT ref: 03AF37AF
                                                                            • Part of subcall function 03AE98E6: __getptd_noexit.LIBCMT ref: 03AE98E9
                                                                            • Part of subcall function 03AE98E6: __amsg_exit.LIBCMT ref: 03AE98F6
                                                                          • __getptd.LIBCMT ref: 03AF37BD
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3542251241.0000000003AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AE0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_3ae0000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: __getptd$__amsg_exit__getptd_noexit
                                                                          • String ID: csm
                                                                          • API String ID: 803148776-1018135373
                                                                          • Opcode ID: f0e1e4535676af74e2e30162e3fe80640730f6540ac6db6f2fff18db7859968d
                                                                          • Instruction ID: ccface652558360287afafe01769975fb688ea939589507aa6fe3d6d0ab3a626
                                                                          • Opcode Fuzzy Hash: f0e1e4535676af74e2e30162e3fe80640730f6540ac6db6f2fff18db7859968d
                                                                          • Instruction Fuzzy Hash: 3B014B3C800305CECF38EFA1C5446ADB3B9AF04211F6888AFF6405A2E0DB398580DBD1
                                                                          APIs
                                                                          • CloseThemeData.UXTHEME(?,6BEDDE20), ref: 6BD84DC6
                                                                          • OpenThemeData.UXTHEME(?,REBAR,6BEDDE20), ref: 6BD84DD4
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: DataTheme$CloseOpen
                                                                          • String ID: REBAR
                                                                          • API String ID: 1809247333-925029515
                                                                          • Opcode ID: 640be2bc81f3f0f905cca449f6ecfc9b37b687d129dfa1e8b0d74d57df37ffff
                                                                          • Instruction ID: 048d1379c0bd72b0790a03374bd2ff0a0c101e3bb552981c3635a70abfa97856
                                                                          • Opcode Fuzzy Hash: 640be2bc81f3f0f905cca449f6ecfc9b37b687d129dfa1e8b0d74d57df37ffff
                                                                          • Instruction Fuzzy Hash: D6E08035650350ABEB206B349D04B473BBF5F115657010869EC5DDA114DF3CC401DBA0
                                                                          APIs
                                                                          • EnterCriticalSection.KERNEL32(6BF38410,?,?,0000007C,?,6BD6F318,00000001), ref: 6BD82F91
                                                                          • InitializeCriticalSection.KERNEL32(00000000,?,6BD6F318,00000001), ref: 6BD82FA7
                                                                          • LeaveCriticalSection.KERNEL32(6BF38410,?,6BD6F318,00000001), ref: 6BD82FB5
                                                                          • EnterCriticalSection.KERNEL32(00000000,?,0000007C,?,6BD6F318,00000001), ref: 6BD82FC2
                                                                            • Part of subcall function 6BD82FF8: InitializeCriticalSection.KERNEL32(6BF38410,?,0000007C,?,6BD6F318,00000001), ref: 6BD83010
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3543194188.000000006BD31000.00000020.00000001.01000000.00000006.sdmp, Offset: 6BD30000, based on PE: true
                                                                          • Associated: 00000003.00000002.3543177730.000000006BD30000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543297299.000000006BEDA000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543333378.000000006BF30000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543351144.000000006BF33000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF35000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543367970.000000006BF37000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                          • Associated: 00000003.00000002.3543402028.000000006BF3D000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_6bd30000_Update.jbxd
                                                                          Similarity
                                                                          • API ID: CriticalSection$EnterInitialize$Leave
                                                                          • String ID:
                                                                          • API String ID: 713024617-0
                                                                          • Opcode ID: bf5251fc769bf938537ffe31f00197a6bee860018c6d91253cc378c12e81675d
                                                                          • Instruction ID: f919f989bf5135b25712c82355188e5272151cf048f94b7e083214a2fe77d34a
                                                                          • Opcode Fuzzy Hash: bf5251fc769bf938537ffe31f00197a6bee860018c6d91253cc378c12e81675d
                                                                          • Instruction Fuzzy Hash: 0DF0C2B2815214ABCE502B59CC89B9D7B6DEB4337AF811425F501DA421C73DC805CAF1