
Windows Analysis Report
CdbVaYf8jC.exe

Overview

General Information

Sample name: CdbVaYf8jC.exe (renamed because the original name is a hash value)
Original sample name: 0c8117599f256ad39f13b4ed9b5271174c073e94047ed3acf8ef809d2812ae9a.exe
Analysis ID: 1587597
MD5: be84cfd73eda412a79eb13ffa896a702
SHA1: 992ccd119d7b8d6dc9771d708aa809414496e2ff
SHA256: 0c8117599f256ad39f13b4ed9b5271174c073e94047ed3acf8ef809d2812ae9a
Tags: exe, user-adrian__luca

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Yara detected AgentTesla
Yara detected AntiVM3
AI detected suspicious sample
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to detect sleep reduction / modifications
Drops VBS files to the startup folder
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: WScript or CScript Dropper
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Yara detected Generic Downloader
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
OS version to string mapping found (often used in BOTs)
PE file contains an invalid checksum
Potential key logger detected (key state polling based)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • CdbVaYf8jC.exe (PID: 2312 cmdline: "C:\Users\user\Desktop\CdbVaYf8jC.exe" MD5: BE84CFD73EDA412A79EB13FFA896A702)
    • deblaterate.exe (PID: 6176 cmdline: "C:\Users\user\Desktop\CdbVaYf8jC.exe" MD5: BE84CFD73EDA412A79EB13FFA896A702)
      • RegSvcs.exe (PID: 1780 cmdline: "C:\Users\user\Desktop\CdbVaYf8jC.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • wscript.exe (PID: 4408 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\deblaterate.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • deblaterate.exe (PID: 5684 cmdline: "C:\Users\user\AppData\Local\Sancerre\deblaterate.exe" MD5: BE84CFD73EDA412A79EB13FFA896A702)
      • RegSvcs.exe (PID: 2208 cmdline: "C:\Users\user\AppData\Local\Sancerre\deblaterate.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
Extracted malware configuration: {"Exfil Mode": "SMTP", "Port": "587", "Host": "smtp.zoho.eu", "Username": "logs@astonherald.com", "Password": "office12#"}
Source | Rule | Description | Author | Strings
00000002.00000002.1921920979.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000002.00000002.1921920979.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000002.00000002.1919325909.0000000000402000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000002.00000002.1919325909.0000000000402000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000008.00000002.2943524952.000000000289E000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(table truncated; the full report lists 22 entries)

Source | Rule | Description | Author | Strings
2.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
2.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
2.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
2.2.RegSvcs.exe.400000.0.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen
  • 0x35b0f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x35b81:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x35c0b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x35c9d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x35d07:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x35d79:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x35e0f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x35e9f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
5.2.deblaterate.exe.4350000.1.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
(table truncated; the full report lists 13 entries)

                    System Summary

Source: Process started; Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community; Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\deblaterate.vbs", CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\deblaterate.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\deblaterate.vbs", ProcessId: 4408, ProcessName: wscript.exe
Source: Network Connection; Author: frack113; Data: DestinationIp: 185.230.214.164, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Initiated: true, ProcessId: 1780, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49731
Source: Process started; Author: Michael Haag; Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\deblaterate.vbs", CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\deblaterate.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\deblaterate.vbs", ProcessId: 4408, ProcessName: wscript.exe

                    Data Obfuscation

Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\AppData\Local\Sancerre\deblaterate.exe, ProcessId: 6176, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\deblaterate.vbs
                    No Suricata rule has matched


                    AV Detection

Source: CdbVaYf8jC.exe; Avira: detected
Source: C:\Users\user\AppData\Local\Sancerre\deblaterate.exe; Avira: detection malicious, Label: TR/AD.GenSteal.nhplk
Source: 2.2.RegSvcs.exe.400000.0.unpack; Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "smtp.zoho.eu", "Username": "logs@astonherald.com", "Password": "office12#"}
Source: C:\Users\user\AppData\Local\Sancerre\deblaterate.exe; ReversingLabs: Detection: 83%
Source: CdbVaYf8jC.exe; Virustotal: Detection: 73%
Source: CdbVaYf8jC.exe; ReversingLabs: Detection: 83%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Sancerre\deblaterate.exe; Joe Sandbox ML: detected
Source: CdbVaYf8jC.exe; Joe Sandbox ML: detected
Source: CdbVaYf8jC.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: wntdll.pdbUGP; source: deblaterate.exe, 00000001.00000003.1759681137.00000000046F0000.00000004.00001000.00020000.00000000.sdmp, deblaterate.exe, 00000001.00000003.1761394537.00000000043F0000.00000004.00001000.00020000.00000000.sdmp, deblaterate.exe, 00000005.00000003.1919008759.00000000047E0000.00000004.00001000.00020000.00000000.sdmp, deblaterate.exe, 00000005.00000003.1915731459.0000000004640000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb; source: deblaterate.exe, 00000001.00000003.1759681137.00000000046F0000.00000004.00001000.00020000.00000000.sdmp, deblaterate.exe, 00000001.00000003.1761394537.00000000043F0000.00000004.00001000.00020000.00000000.sdmp, deblaterate.exe, 00000005.00000003.1919008759.00000000047E0000.00000004.00001000.00020000.00000000.sdmp, deblaterate.exe, 00000005.00000003.1915731459.0000000004640000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\CdbVaYf8jC.exe (analysis process index 0) and C:\Users\user\AppData\Local\Sancerre\deblaterate.exe (analysis process indices 1 and 5; same MD5 as the submitted sample). The following code functions occur at identical offsets in all three processes; they are listed once with the 0_2_ prefix, the 1_2_ and 5_2_ entries being the same sequences.
Code function: 0_2_00452126 FindFirstFileW,Sleep,FindNextFileW,FindClose
Code function: 0_2_0045C999 FindFirstFileW,FindNextFileW,FindClose
Code function: 0_2_00436ADE GetFileAttributesW,FindFirstFileW,FindClose
Code function: 0_2_00434BEE FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Code function: 0_2_00436D2D FindFirstFileW,CreateFileW,SetFileTime,CloseHandle,SetFileTime,CloseHandle
Code function: 0_2_00442E1F SetCurrentDirectoryW,FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Code function: 0_2_0045DD7C FindFirstFileW,FindClose
Code function: 0_2_0044BD29 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose
Code function: 0_2_00475FE5 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Code function: 0_2_0044BF8D _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose

                    Networking

Source: Yara match; File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.deblaterate.exe.30f0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.deblaterate.exe.4350000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000005.00000002.1921660369.0000000004350000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.1764009097.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: global traffic; TCP traffic: 192.168.2.4:49731 -> 185.230.214.164:587
Source: global traffic; HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
Source: Joe Sandbox View; IP Address: 208.95.112.1
Source: Joe Sandbox View; IP Address: 185.230.214.164
Source: Joe Sandbox View; ASN Name: COMPUTERLINE (Computerline, Schlierbach, Switzerland, CH)
Source: unknown; DNS query: name: ip-api.com
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\CdbVaYf8jC.exe; Code function: 0_2_0044289D InternetQueryDataAvailable,InternetReadFile
Source: global traffic; DNS traffic detected: DNS query: ip-api.com
Source: global traffic; DNS traffic detected: DNS query: smtp.zoho.eu
Source: RegSvcs.exe memory dumps (analysis process indices 2 and 8); String found in binary or memory: http://cacerts.thawte.com/ThawteTLSRSACAG1.crt0
Source: RegSvcs.exe memory dumps (analysis process indices 2 and 8); String found in binary or memory: http://cdp.thawte.com/ThawteTLSRSACAG1.crl0p
Source: RegSvcs.exe memory dumps (analysis process indices 2 and 8); String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0=
Source: RegSvcs.exe memory dumps (analysis process indices 2 and 8); String found in binary or memory: http://ip-api.com
Source: deblaterate.exe memory dumps (analysis process indices 1 and 5) and RegSvcs.exe memory dumps (analysis process indices 2 and 8); String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: RegSvcs.exe memory dumps (analysis process indices 2 and 8); String found in binary or memory: http://ocsp.digicert.com0B
Source: RegSvcs.exe memory dumps (analysis process indices 2 and 8); String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe memory dumps (analysis process indices 2 and 8); String found in binary or memory: http://smtp.zoho.eu
Source: RegSvcs.exe memory dumps (analysis process indices 2 and 8); String found in binary or memory: http://status.thawte.com0:
Source: RegSvcs.exe memory dumps (analysis process indices 2 and 8); String found in binary or memory: http://www.digicert.com/CPS0
Source: deblaterate.exe memory dumps (analysis process indices 1 and 5) and RegSvcs.exe memory dump (analysis process index 2); String found in binary or memory: https://account.dyn.com/
Source: RegSvcs.exe memory dumps (analysis process indices 2 and 8); String found in binary or memory: https://www.digicert.com/CPS0
                    Source: C:\Users\user\Desktop\CdbVaYf8jC.exe | Code function: 0_2_00459FFF OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
                    Source: C:\Users\user\AppData\Local\Sancerre\deblaterate.exe | Code function: 1_2_00459FFF OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
                    Source: C:\Users\user\AppData\Local\Sancerre\deblaterate.exe | Code function: 5_2_00459FFF OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
                    Source: C:\Users\user\Desktop\CdbVaYf8jC.exe | Code function: 0_2_00456354 GetCursorPos,ScreenToClient,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetWindowLongW
                    Source: C:\Users\user\Desktop\CdbVaYf8jC.exe | Code function: 0_2_0047C08E SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW
                    Source: C:\Users\user\AppData\Local\Sancerre\deblaterate.exe | Code function: 1_2_0047C08E SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW
                    Source: C:\Users\user\AppData\Local\Sancerre\deblaterate.exe | Code function: 5_2_0047C08E SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW

                    System Summary

                    Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers. Author: ditekSHen
                    Source: 5.2.deblaterate.exe.4350000.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers. Author: ditekSHen
                    Source: 1.2.deblaterate.exe.30f0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers. Author: ditekSHen
                    Source: 5.2.deblaterate.exe.4350000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers. Author: ditekSHen
                    Source: 1.2.deblaterate.exe.30f0000.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers. Author: ditekSHen
                    Source: 00000005.00000002.1921660369.0000000004350000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers. Author: ditekSHen
                    Source: 00000001.00000002.1764009097.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers. Author: ditekSHen
                    Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
                    Source: C:\Users\user\Desktop\CdbVaYf8jC.exe | Code function: 0_2_00434D50: GetFullPathNameW,__swprintf,_wcslen,_wcslen,_wcslen,CreateDirectoryW,CreateFileW,_memset,_wcslen,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle
                    Source: C:\Users\user\Desktop\CdbVaYf8jC.exe | Code function: 0_2_004461ED _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,_wcsncpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
                    Source: C:\Users\user\Desktop\CdbVaYf8jC.exe | Code function: 0_2_004364AA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState
                    Source: C:\Users\user\AppData\Local\Sancerre\deblaterate.exe | Code function: 1_2_004364AA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState
                    Source: C:\Users\user\AppData\Local\Sancerre\deblaterate.exe | Code function: 5_2_004364AA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState
                    Source: C:\Users\user\Desktop\CdbVaYf8jC.exe | Code function: String function: 00445975 appears 65 times
                    Source: C:\Users\user\Desktop\CdbVaYf8jC.exe | Code function: String function: 0041171A appears 37 times
                    Source: C:\Users\user\Desktop\CdbVaYf8jC.exe | Code function: String function: 0041718C appears 44 times
                    Source: C:\Users\user\Desktop\CdbVaYf8jC.exe | Code function: String function: 0040E6D0 appears 35 times
                    Source: C:\Users\user\AppData\Local\Sancerre\deblaterate.exe | Code function: String function: 00425210 appears 56 times
                    Source: C:\Users\user\AppData\Local\Sancerre\deblaterate.exe | Code function: String function: 00445975 appears 130 times
                    Source: C:\Users\user\AppData\Local\Sancerre\deblaterate.exe | Code function: String function: 0041171A appears 74 times
                    Source: C:\Users\user\AppData\Local\Sancerre\deblaterate.exe | Code function: String function: 0041832D appears 52 times
                    Source: C:\Users\user\AppData\Local\Sancerre\deblaterate.exe | Code function: String function: 004136BC appears 36 times
                    Source: C:\Users\user\AppData\Local\Sancerre\deblaterate.exe | Code function: String function: 004092C0 appears 50 times
                    Source: C:\Users\user\AppData\Local\Sancerre\deblaterate.exe | Code function: String function: 0041718C appears 88 times
                    Source: C:\Users\user\AppData\Local\Sancerre\deblaterate.exe | Code function: String function: 00401B70 appears 46 times
                    Source: C:\Users\user\AppData\Local\Sancerre\deblaterate.exe | Code function: String function: 0040E6D0 appears 70 times
                    Source: C:\Users\user\AppData\Local\Sancerre\deblaterate.exe | Code function: String function: 0043362D appears 38 times
                    Source: CdbVaYf8jC.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                    Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 5.2.deblaterate.exe.4350000.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 1.2.deblaterate.exe.30f0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 5.2.deblaterate.exe.4350000.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 1.2.deblaterate.exe.30f0000.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 00000005.00000002.1921660369.0000000004350000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 00000001.00000002.1764009097.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winEXE@10/3@2/2
                    Source: C:\Users\user\Desktop\CdbVaYf8jC.exe | Code function: 0_2_0044AF5C GetLastError,FormatMessageW
                    Source: C:\Users\user\Desktop\CdbVaYf8jC.exe | Code function: 0_2_00464422 OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle
                    Source: C:\Users\user\Desktop\CdbVaYf8jC.exe | Code function: 0_2_004364AA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState
                    Source: C:\Users\user\AppData\Local\Sancerre\deblaterate.exe | Code function: 1_2_00464422 OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle
                    Source: C:\Users\user\AppData\Local\Sancerre\deblaterate.exe | Code function: 1_2_004364AA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState
                    Source: C:\Users\user\AppData\Local\Sancerre\deblaterate.exe | Code function: 5_2_00464422 OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle
                    Source: C:\Users\user\AppData\Local\Sancerre\deblaterate.exe | Code function: 5_2_004364AA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState
                    Source: C:\Users\user\Desktop\CdbVaYf8jC.exe | Code function: 0_2_0045D517 SetErrorMode,GetDiskFreeSpaceW,GetLastError,SetErrorMode
                    Source: C:\Users\user\Desktop\CdbVaYf8jC.exe | Code function: 0_2_0043701F CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,__wcsicoll,CloseHandle
                    Source: C:\Users\user\Desktop\CdbVaYf8jC.exe | Code function: 0_2_0047A999 OleInitialize,CLSIDFromProgID,CoCreateInstance,CoInitializeSecurity,_memset,_wcslen,_memset,CoCreateInstanceEx,CoSetProxyBlanket
                    Source: C:\Users\user\Desktop\CdbVaYf8jC.exe | Code function: 0_2_0043614F __swprintf,__swprintf,__wcsicoll,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx
                    Source: C:\Users\user\Desktop\CdbVaYf8jC.exe | File created: C:\Users\user\AppData\Local\Sancerre
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Mutant created: NULL
                    Source: C:\Users\user\Desktop\CdbVaYf8jC.exe | File created: C:\Users\user\AppData\Local\Temp\lecheries
                    Source: CdbVaYf8jC.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\CdbVaYf8jC.exe | File read: C:\Users\desktop.ini
                    Source: C:\Users\user\Desktop\CdbVaYf8jC.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: CdbVaYf8jC.exe | Virustotal: Detection: 73%
                    Source: CdbVaYf8jC.exe | ReversingLabs: Detection: 83%
                    Source: C:\Users\user\Desktop\CdbVaYf8jC.exe | File read: C:\Users\user\Desktop\CdbVaYf8jC.exe
                    Source: unknown | Process created: C:\Users\user\Desktop\CdbVaYf8jC.exe "C:\Users\user\Desktop\CdbVaYf8jC.exe"
                    Source: C:\Users\user\Desktop\CdbVaYf8jC.exe | Process created: C:\Users\user\AppData\Local\Sancerre\deblaterate.exe "C:\Users\user\Desktop\CdbVaYf8jC.exe"
                    Source: C:\Users\user\AppData\Local\Sancerre\deblaterate.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\CdbVaYf8jC.exe"
                    Source: unknown | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\deblaterate.vbs"
                    Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\Sancerre\deblaterate.exe "C:\Users\user\AppData\Local\Sancerre\deblaterate.exe"
                    Source: C:\Users\user\AppData\Local\Sancerre\deblaterate.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\Sancerre\deblaterate.exe"
                    Source: C:\Users\user\Desktop\CdbVaYf8jC.exe | Section loaded: apphelp.dll
                    Source: C:\Users\user\Desktop\CdbVaYf8jC.exe | Section loaded: wsock32.dll
                    Source: C:\Users\user\Desktop\CdbVaYf8jC.exe | Section loaded: version.dll
                    Source: C:\Users\user\Desktop\CdbVaYf8jC.exe | Section loaded: winmm.dll
                    Source: C:\Users\user\Desktop\CdbVaYf8jC.exe | Section loaded: mpr.dll
                    Source: C:\Users\user\Desktop\CdbVaYf8jC.exe | Section loaded: wininet.dll
                    Source: C:\Users\user\Desktop\CdbVaYf8jC.exe | Section loaded: userenv.dll
                    Source: C:\Users\user\Desktop\CdbVaYf8jC.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\Desktop\CdbVaYf8jC.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\Desktop\CdbVaYf8jC.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\Desktop\CdbVaYf8jC.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\Desktop\CdbVaYf8jC.exe | Section loaded: iconcodecservice.dll
                    Source: C:\Users\user\Desktop\CdbVaYf8jC.exe | Section loaded: windowscodecs.dll
                    Source: C:\Users\user\Desktop\CdbVaYf8jC.exe | Section loaded: cryptsp.dll
                    Source: C:\Users\user\Desktop\CdbVaYf8jC.exe | Section loaded: rsaenh.dll
                    Source: C:\Users\user\Desktop\CdbVaYf8jC.exe | Section loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Local\Sancerre\deblaterate.exe | Section loaded: apphelp.dll
                    Source: C:\Users\user\AppData\Local\Sancerre\deblaterate.exe | Section loaded: wsock32.dll
                    Source: C:\Users\user\AppData\Local\Sancerre\deblaterate.exe | Section loaded: version.dll
                    Source: C:\Users\user\AppData\Local\Sancerre\deblaterate.exe | Section loaded: winmm.dll
                    Source: C:\Users\user\AppData\Local\Sancerre\deblaterate.exe | Section loaded: mpr.dll
                    Source: C:\Users\user\AppData\Local\Sancerre\deblaterate.exe | Section loaded: wininet.dll
                    Source: C:\Users\user\AppData\Local\Sancerre\deblaterate.exe | Section loaded: userenv.dll
                    Source: C:\Users\user\AppData\Local\Sancerre\deblaterate.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Local\Sancerre\deblaterate.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Local\Sancerre\deblaterate.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\AppData\Local\Sancerre\deblaterate.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Sancerre\deblaterate.exeSection loaded: iconcodecservice.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Sancerre\deblaterate.exeSection loaded: windowscodecs.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: mlang.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Sancerre\deblaterate.exeSection loaded: wsock32.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Sancerre\deblaterate.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Sancerre\deblaterate.exeSection loaded: winmm.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Sancerre\deblaterate.exeSection loaded: mpr.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Sancerre\deblaterate.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Sancerre\deblaterate.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Sancerre\deblaterate.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Sancerre\deblaterate.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Sancerre\deblaterate.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Sancerre\deblaterate.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Sancerre\deblaterate.exeSection loaded: iconcodecservice.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Sancerre\deblaterate.exeSection loaded: windowscodecs.dllJump to behavior
                    Source: C:\Users\user\Desktop\CdbVaYf8jC.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32Jump to behavior
                    Source: Window Recorder Window detected: More than 3 window changes detected
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
                    Source: CdbVaYf8jC.exe Static file information: File size 1109981 > 1048576
                    Source: Binary string: wntdll.pdbUGP source: deblaterate.exe, 00000001.00000003.1759681137.00000000046F0000.00000004.00001000.00020000.00000000.sdmp, deblaterate.exe, 00000001.00000003.1761394537.00000000043F0000.00000004.00001000.00020000.00000000.sdmp, deblaterate.exe, 00000005.00000003.1919008759.00000000047E0000.00000004.00001000.00020000.00000000.sdmp, deblaterate.exe, 00000005.00000003.1915731459.0000000004640000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: wntdll.pdb source: deblaterate.exe, 00000001.00000003.1759681137.00000000046F0000.00000004.00001000.00020000.00000000.sdmp, deblaterate.exe, 00000001.00000003.1761394537.00000000043F0000.00000004.00001000.00020000.00000000.sdmp, deblaterate.exe, 00000005.00000003.1919008759.00000000047E0000.00000004.00001000.00020000.00000000.sdmp, deblaterate.exe, 00000005.00000003.1915731459.0000000004640000.00000004.00001000.00020000.00000000.sdmp
                    Source: C:\Users\user\Desktop\CdbVaYf8jC.exe Code function: 0_2_0040EB70 LoadLibraryA,GetProcAddress, 0_2_0040EB70
                    Source: deblaterate.exe.0.dr Static PE information: real checksum: 0xa2135 should be: 0x11275d
                    Source: CdbVaYf8jC.exe Static PE information: real checksum: 0xa2135 should be: 0x11275d
                    Source: C:\Users\user\Desktop\CdbVaYf8jC.exe Code function: 0_2_004171D1 push ecx; ret 0_2_004171E4
                    Source: C:\Users\user\AppData\Local\Sancerre\deblaterate.exe Code function: 1_2_004171D1 push ecx; ret 1_2_004171E4
                    Source: C:\Users\user\AppData\Local\Sancerre\deblaterate.exe Code function: 5_2_004171D1 push ecx; ret 5_2_004171E4
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00D70285 push ebp; iretd 8_2_00D70283
                    Source: C:\Users\user\Desktop\CdbVaYf8jC.exe File created: C:\Users\user\AppData\Local\Sancerre\deblaterate.exe

                    Boot Survival

                    Source: C:\Users\user\AppData\Local\Sancerre\deblaterate.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\deblaterate.vbs
                    Source: C:\Users\user\Desktop\CdbVaYf8jC.exe Code function: 0_2_004772DE IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 0_2_004772DE
                    Source: C:\Users\user\Desktop\CdbVaYf8jC.exe Code function: 0_2_004375B0 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_004375B0
                    Source: C:\Users\user\AppData\Local\Sancerre\deblaterate.exe Code function: 1_2_004772DE IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 1_2_004772DE
                    Source: C:\Users\user\AppData\Local\Sancerre\deblaterate.exe Code function: 1_2_004375B0 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput, 1_2_004375B0
                    Source: C:\Users\user\AppData\Local\Sancerre\deblaterate.exe Code function: 5_2_004772DE IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 5_2_004772DE
                    Source: C:\Users\user\AppData\Local\Sancerre\deblaterate.exe Code function: 5_2_004375B0 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput, 5_2_004375B0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    barindex
                    Source: Yara matchFile source: Process Memory Space: deblaterate.exe PID: 6176, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: deblaterate.exe PID: 5684, type: MEMORYSTR
                    Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                    Source: C:\Users\user\Desktop\CdbVaYf8jC.exe -- Code function: 0_2_00444078
                    Source: C:\Users\user\AppData\Local\Sancerre\deblaterate.exe -- Code function: 1_2_00444078
                    Source: C:\Users\user\AppData\Local\Sancerre\deblaterate.exe -- Code function: 5_2_00444078
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe -- WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe -- WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                    Source: C:\Users\user\AppData\Local\Sancerre\deblaterate.exe -- API/Special instruction interceptor: Address: 3FF32BC
                    Source: C:\Users\user\AppData\Local\Sancerre\deblaterate.exe -- API/Special instruction interceptor: Address: 3D94F04
                    Source: deblaterate.exe, 00000001.00000002.1764009097.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1921920979.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1919325909.0000000000402000.00000040.80000000.00040000.00000000.sdmp, deblaterate.exe, 00000005.00000002.1921660369.0000000004350000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2943524952.0000000002871000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: SBIEDLL.DLL
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe -- Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\wscript.exe -- Window found: window name: WSH-Timer
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe -- Window / User API: threadDelayed 1713
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe -- Window / User API: threadDelayed 8143
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe -- Window / User API: threadDelayed 7944
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe -- Window / User API: threadDelayed 1899
                    Source: C:\Users\user\Desktop\CdbVaYf8jC.exe -- API coverage: 3.1 %
                    Source: C:\Users\user\AppData\Local\Sancerre\deblaterate.exe -- API coverage: 3.4 %
                    Source: C:\Users\user\AppData\Local\Sancerre\deblaterate.exe -- API coverage: 3.2 %
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe -- WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe -- WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe -- WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe -- WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe -- WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\CdbVaYf8jC.exe -- Code function: 0_2_00452126 FindFirstFileW,Sleep,FindNextFileW,FindClose
                    Source: C:\Users\user\Desktop\CdbVaYf8jC.exe -- Code function: 0_2_0045C999 FindFirstFileW,FindNextFileW,FindClose
                    Source: C:\Users\user\Desktop\CdbVaYf8jC.exe -- Code function: 0_2_00436ADE GetFileAttributesW,FindFirstFileW,FindClose
                    Source: C:\Users\user\Desktop\CdbVaYf8jC.exe -- Code function: 0_2_00434BEE FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
                    Source: C:\Users\user\Desktop\CdbVaYf8jC.exe -- Code function: 0_2_00436D2D FindFirstFileW,CreateFileW,SetFileTime,CloseHandle,SetFileTime,CloseHandle
                    Source: C:\Users\user\Desktop\CdbVaYf8jC.exe -- Code function: 0_2_00442E1F SetCurrentDirectoryW,FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
                    Source: C:\Users\user\Desktop\CdbVaYf8jC.exe -- Code function: 0_2_0045DD7C FindFirstFileW,FindClose
                    Source: C:\Users\user\Desktop\CdbVaYf8jC.exe -- Code function: 0_2_0044BD29 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose
                    Source: C:\Users\user\Desktop\CdbVaYf8jC.exe -- Code function: 0_2_00475FE5 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
                    Source: C:\Users\user\Desktop\CdbVaYf8jC.exe -- Code function: 0_2_0044BF8D _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose
                    Source: C:\Users\user\AppData\Local\Sancerre\deblaterate.exe -- Code function: 1_2_00452126 FindFirstFileW,Sleep,FindNextFileW,FindClose
                    Source: C:\Users\user\AppData\Local\Sancerre\deblaterate.exe -- Code function: 1_2_0045C999 FindFirstFileW,FindNextFileW,FindClose
                    Source: C:\Users\user\AppData\Local\Sancerre\deblaterate.exe -- Code function: 1_2_00436ADE GetFileAttributesW,FindFirstFileW,FindClose
                    Source: C:\Users\user\AppData\Local\Sancerre\deblaterate.exe -- Code function: 1_2_00434BEE FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
                    Source: C:\Users\user\AppData\Local\Sancerre\deblaterate.exe -- Code function: 1_2_00436D2D FindFirstFileW,CreateFileW,SetFileTime,CloseHandle,SetFileTime,CloseHandle
                    Source: C:\Users\user\AppData\Local\Sancerre\deblaterate.exe -- Code function: 1_2_00442E1F SetCurrentDirectoryW,FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
                    Source: C:\Users\user\AppData\Local\Sancerre\deblaterate.exe -- Code function: 1_2_0045DD7C FindFirstFileW,FindClose
                    Source: C:\Users\user\AppData\Local\Sancerre\deblaterate.exe -- Code function: 1_2_0044BD29 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose
                    Source: C:\Users\user\AppData\Local\Sancerre\deblaterate.exe -- Code function: 1_2_00475FE5 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
                    Source: C:\Users\user\AppData\Local\Sancerre\deblaterate.exe -- Code function: 1_2_0044BF8D _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose
                    Source: C:\Users\user\AppData\Local\Sancerre\deblaterate.exe -- Code function: 5_2_00452126 FindFirstFileW,Sleep,FindNextFileW,FindClose
                    Source: C:\Users\user\AppData\Local\Sancerre\deblaterate.exe -- Code function: 5_2_0045C999 FindFirstFileW,FindNextFileW,FindClose
                    Source: C:\Users\user\AppData\Local\Sancerre\deblaterate.exe -- Code function: 5_2_00436ADE GetFileAttributesW,FindFirstFileW,FindClose
                    Source: C:\Users\user\AppData\Local\Sancerre\deblaterate.exe -- Code function: 5_2_00434BEE FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
                    Source: C:\Users\user\AppData\Local\Sancerre\deblaterate.exe -- Code function: 5_2_00436D2D FindFirstFileW,CreateFileW,SetFileTime,CloseHandle,SetFileTime,CloseHandle
                    Source: C:\Users\user\AppData\Local\Sancerre\deblaterate.exe -- Code function: 5_2_00442E1F SetCurrentDirectoryW,FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
                    Source: C:\Users\user\AppData\Local\Sancerre\deblaterate.exe -- Code function: 5_2_0045DD7C FindFirstFileW,FindClose
                    Source: C:\Users\user\AppData\Local\Sancerre\deblaterate.exe -- Code function: 5_2_0044BD29 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose
                    Source: C:\Users\user\AppData\Local\Sancerre\deblaterate.exe -- Code function: 5_2_00475FE5 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
                    Source: C:\Users\user\AppData\Local\Sancerre\deblaterate.exe -- Code function: 5_2_0044BF8D _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose
                    Source: C:\Users\user\Desktop\CdbVaYf8jC.exe -- Code function: 0_2_0040E470 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe -- Thread delayed: delay times, in observed order: 922337203685477, 100000, 99871, 99765, 99656, 99546, 99437, 99328, 99218, 99109, 98999, 98890, 98776, 98671, 98555, 98348, 98088, 97952, 97843, 97733, 97625, 97515, 97406, 97296, 97187, 97076, 96968, 96859, 96734, 96625, 96515, 96406, 96296, 96187, 96078, 95966, 95859
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe -- Thread delayed: delay times, in observed order: 99889, 99781, 99672, 99562, 99453, 99341, 99234, 99125, 99015, 98906, 98797, 98687, 98578, 98467
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe -- Thread delayed: delay times, in observed order: 922337203685477, 100000, 99875, 99766, 99641, 99531, 99422, 99313, 99188, 99063, 98953, 98843, 98734, 98625, 98516, 98391, 98281, 98172, 98063, 97938, 97813, 97703, 97594, 97469, 97360, 97235, 97110, 96985, 96860, 96735, 96610
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe -- Thread delayed: delay times, in observed order: 99922, 99799, 99655, 99543, 99434, 99328, 99218, 99109, 99000, 98890, 98781, 98672, 98562, 98453, 98343, 98234, 98125, 98015, 97906, 97797
                    Source: RegSvcs.exe, 00000008.00000002.2943524952.0000000002871000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: VMware
                    Source: RegSvcs.exe, 00000008.00000002.2943524952.0000000002871000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: vmware
                    Source: deblaterate.exe, 00000005.00000002.1921660369.0000000004350000.00000004.00001000.00020000.00000000.sdmp -- Binary or memory string: VMwareVBox
                    Source: RegSvcs.exe, 00000002.00000002.1924786342.00000000060E0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2947307621.0000000005C41000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

                    Anti Debugging

                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe -- Code function: 2_2_014B70B0 CheckRemoteDebuggerPresent
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe -- Process queried: DebugPort
                    Source: C:\Users\user\Desktop\CdbVaYf8jC.exe -- Code function: 0_2_0045A259 BlockInput
                    Source: C:\Users\user\Desktop\CdbVaYf8jC.exe -- Code function: 0_2_0040D6D0 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW
                    Source: C:\Users\user\Desktop\CdbVaYf8jC.exe -- Code function: 0_2_0040EB70 LoadLibraryA,GetProcAddress
                    Source: C:\Users\user\Desktop\CdbVaYf8jC.exe -- Code function: 0_2_040E3528 mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\CdbVaYf8jC.exe -- Code function: 0_2_040E3588 mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\CdbVaYf8jC.exe -- Code function: 0_2_040E1EE8 mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\AppData\Local\Sancerre\deblaterate.exe -- Code function: 1_2_03FF3588 mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\AppData\Local\Sancerre\deblaterate.exe -- Code function: 1_2_03FF3528 mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\AppData\Local\Sancerre\deblaterate.exe -- Code function: 1_2_03FF1EE8 mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\AppData\Local\Sancerre\deblaterate.exe -- Code function: 5_2_03D951D0 mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\AppData\Local\Sancerre\deblaterate.exe -- Code function: 5_2_03D95170 mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\AppData\Local\Sancerre\deblaterate.exe -- Code function: 5_2_03D93B30 mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\CdbVaYf8jC.exe -- Code function: 0_2_00426DA1 CreateFileW,__lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock
                    Source: C:\Users\user\Desktop\CdbVaYf8jC.exe -- Code function: 0_2_0042202E SetUnhandledExceptionFilter
                    Source: C:\Users\user\Desktop\CdbVaYf8jC.exe -- Code function: 0_2_004230F5 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                    Source: C:\Users\user\Desktop\CdbVaYf8jC.exe -- Code function: 0_2_00417D93 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
                    Source: C:\Users\user\Desktop\CdbVaYf8jC.exe -- Code function: 0_2_00421FA7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
                    Source: C:\Users\user\AppData\Local\Sancerre\deblaterate.exe -- Code function: 1_2_0042202E SetUnhandledExceptionFilter
                    Source: C:\Users\user\AppData\Local\Sancerre\deblaterate.exe -- Code function: 1_2_004230F5 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                    Source: C:\Users\user\AppData\Local\Sancerre\deblaterate.exe -- Code function: 1_2_00417D93 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
                    Source: C:\Users\user\AppData\Local\Sancerre\deblaterate.exe -- Code function: 1_2_00421FA7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
                    Source: C:\Users\user\AppData\Local\Sancerre\deblaterate.exe -- Code function: 5_2_0042202E SetUnhandledExceptionFilter
                    Source: C:\Users\user\AppData\Local\Sancerre\deblaterate.exe -- Code function: 5_2_004230F5 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                    Source: C:\Users\user\AppData\Local\Sancerre\deblaterate.exe -- Code function: 5_2_00417D93 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
                    Source: C:\Users\user\AppData\Local\Sancerre\deblaterate.exe -- Code function: 5_2_00421FA7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe -- Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\AppData\Local\Sancerre\deblaterate.exe -- Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
                    Source: C:\Users\user\AppData\Local\Sancerre\deblaterate.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: CB7008Jump to behavior
                    Source: C:\Users\user\AppData\Local\Sancerre\deblaterate.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 793008Jump to behavior
                    Source: C:\Users\user\Desktop\CdbVaYf8jC.exeCode function: 0_2_0043916A LogonUserW,0_2_0043916A
                    Source: C:\Users\user\Desktop\CdbVaYf8jC.exeCode function: 0_2_0040D6D0 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW,0_2_0040D6D0
                    Source: C:\Users\user\Desktop\CdbVaYf8jC.exeCode function: 0_2_004375B0 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_004375B0
                    Source: C:\Users\user\Desktop\CdbVaYf8jC.exeCode function: 0_2_00436431 __wcsicoll,mouse_event,__wcsicoll,mouse_event,0_2_00436431
                    Source: C:\Users\user\AppData\Local\Sancerre\deblaterate.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\CdbVaYf8jC.exe"Jump to behavior
                    Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\AppData\Local\Sancerre\deblaterate.exe "C:\Users\user\AppData\Local\Sancerre\deblaterate.exe" Jump to behavior
                    Source: C:\Users\user\AppData\Local\Sancerre\deblaterate.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\Sancerre\deblaterate.exe" Jump to behavior
                    Source: C:\Users\user\Desktop\CdbVaYf8jC.exeCode function: 0_2_00445DD3 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,0_2_00445DD3
                    Source: deblaterate.exeBinary or memory string: Shell_TrayWnd
                    Source: CdbVaYf8jC.exe, deblaterate.exe.0.drBinary or memory string: @3PDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript Pausedblankinfoquestionstopwarning
                    Source: C:\Users\user\Desktop\CdbVaYf8jC.exe | Code function: 0_2_00410D10 cpuid 0_2_00410D10
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\CdbVaYf8jC.exe | Code function: 0_2_004223BC GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,0_2_004223BC
                    Source: C:\Users\user\Desktop\CdbVaYf8jC.exe | Code function: 0_2_004711D2 GetUserNameW,0_2_004711D2
                    Source: C:\Users\user\Desktop\CdbVaYf8jC.exe | Code function: 0_2_0042039F __invoke_watson,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,____lc_codepage_func,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson,0_2_0042039F
                    Source: C:\Users\user\Desktop\CdbVaYf8jC.exe | Code function: 0_2_0040E470 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_0040E470
                    Source: C:\Users\user\Desktop\CdbVaYf8jC.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Stealing of Sensitive Information

                    Source: Yara match | File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.2.deblaterate.exe.4350000.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 1.2.deblaterate.exe.30f0000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.2.deblaterate.exe.4350000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 1.2.deblaterate.exe.30f0000.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000002.00000002.1921920979.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000002.00000002.1919325909.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000008.00000002.2943524952.000000000289E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000008.00000002.2943524952.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000005.00000002.1921660369.0000000004350000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000008.00000002.2943524952.0000000002886000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000002.00000002.1921920979.0000000002EDE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000002.00000002.1921920979.0000000002F01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000001.00000002.1764009097.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: deblaterate.exe PID: 6176, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 1780, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: deblaterate.exe PID: 5684, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 2208, type: MEMORYSTR
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\FTP Navigator\Ftplist.txt
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: deblaterate.exe.0.drBinary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPWIN_2000InstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 6, 0USERPROFILEUSERDOMAINUSERDNSDOMAINDefaultGetSystemWow64DirectoryWSeDebugPrivilege:cdeclwinapistdcallnonestrwstrintbooluintlongulongdwordshortushortwordbyteubytebooleanfloatdoubleptrhwndhandlelresultlparamwparamint64uint64int_ptruint_ptrlong_ptrulong_ptrdword_ptridispatch64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYadvapi32.dllRegDeleteKeyExW+.-.+-\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]ISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXISTSEXPANDmsctls_statusbar321tooltips_class32AutoIt v3 GUI%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----
                    Source: deblaterate.exe | Binary or memory string: WIN_XP
                    Source: deblaterate.exe | Binary or memory string: WIN_XPe
                    Source: deblaterate.exe | Binary or memory string: WIN_VISTA
                    Source: deblaterate.exe | Binary or memory string: WIN_7
                    Source: Yara match | File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.2.deblaterate.exe.4350000.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 1.2.deblaterate.exe.30f0000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.2.deblaterate.exe.4350000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 1.2.deblaterate.exe.30f0000.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000002.00000002.1921920979.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000002.00000002.1919325909.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000005.00000002.1921660369.0000000004350000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000001.00000002.1764009097.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: deblaterate.exe PID: 6176, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 1780, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: deblaterate.exe PID: 5684, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 2208, type: MEMORYSTR

                    Remote Access Functionality

                    Source: Yara match | File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.2.deblaterate.exe.4350000.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 1.2.deblaterate.exe.30f0000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.2.deblaterate.exe.4350000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 1.2.deblaterate.exe.30f0000.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000002.00000002.1921920979.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000002.00000002.1919325909.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000008.00000002.2943524952.000000000289E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000008.00000002.2943524952.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000005.00000002.1921660369.0000000004350000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000008.00000002.2943524952.0000000002886000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000002.00000002.1921920979.0000000002EDE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000002.00000002.1921920979.0000000002F01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000001.00000002.1764009097.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: deblaterate.exe PID: 6176, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 1780, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: deblaterate.exe PID: 5684, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 2208, type: MEMORYSTR
                    Source: C:\Users\user\Desktop\CdbVaYf8jC.exe | Code function: 0_2_004741BB socket,WSAGetLastError,bind,WSAGetLastError,closesocket,0_2_004741BB
                    Source: C:\Users\user\Desktop\CdbVaYf8jC.exe | Code function: 0_2_0046483C socket,WSAGetLastError,bind,WSAGetLastError,listen,WSAGetLastError,closesocket,0_2_0046483C
                    Source: C:\Users\user\Desktop\CdbVaYf8jC.exe | Code function: 0_2_0047AD92 OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject,0_2_0047AD92
                    Source: C:\Users\user\AppData\Local\Sancerre\deblaterate.exe | Code function: 1_2_004741BB socket,WSAGetLastError,bind,WSAGetLastError,closesocket,1_2_004741BB
                    Source: C:\Users\user\AppData\Local\Sancerre\deblaterate.exe | Code function: 1_2_0046483C socket,WSAGetLastError,bind,WSAGetLastError,listen,WSAGetLastError,closesocket,1_2_0046483C
                    Source: C:\Users\user\AppData\Local\Sancerre\deblaterate.exe | Code function: 1_2_0047AD92 OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject,1_2_0047AD92
                    Source: C:\Users\user\AppData\Local\Sancerre\deblaterate.exe | Code function: 5_2_004741BB socket,WSAGetLastError,bind,WSAGetLastError,closesocket,5_2_004741BB
                    Source: C:\Users\user\AppData\Local\Sancerre\deblaterate.exe | Code function: 5_2_0046483C socket,WSAGetLastError,bind,WSAGetLastError,listen,WSAGetLastError,closesocket,5_2_0046483C
                    Source: C:\Users\user\AppData\Local\Sancerre\deblaterate.exe | Code function: 5_2_0047AD92 OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject,5_2_0047AD92
                    MITRE ATT&CK Matrix

                    The matrix is given here one line per tactic column, with techniques listed in the matrix's row order. Numbers preceding a technique name are the report's count badges, kept as extracted.

                    Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
                    Resource Development: 111 Scripting; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
                    Initial Access: 2 Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
                    Execution: 221 Windows Management Instrumentation; 1 Native API; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
                    Persistence: 111 Scripting; 1 DLL Side-Loading; 2 Valid Accounts; 2 Registry Run Keys / Startup Folder; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
                    Privilege Escalation: 1 Exploitation for Privilege Escalation; 1 DLL Side-Loading; 2 Valid Accounts; 21 Access Token Manipulation; 212 Process Injection; 2 Registry Run Keys / Startup Folder; Startup Items; Scheduled Task/Job; At; Cron
                    Defense Evasion: 11 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 1 DLL Side-Loading; 1 Masquerading; 2 Valid Accounts; 231 Virtualization/Sandbox Evasion; 21 Access Token Manipulation; 212 Process Injection; Dynamic API Resolution
                    Credential Access: 2 OS Credential Dumping; 21 Input Capture; 1 Credentials in Registry; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
                    Discovery: 2 System Time Discovery; 1 Account Discovery; 2 File and Directory Discovery; 138 System Information Discovery; 841 Security Software Discovery; 231 Virtualization/Sandbox Evasion; 2 Process Discovery; 11 Application Window Discovery; 1 System Owner/User Discovery; 1 System Network Configuration Discovery
                    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
                    Collection: 1 Archive Collected Data; 2 Data from Local System; 1 Email Collection; 21 Input Capture; 2 Clipboard Data; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
                    Command and Control: 2 Ingress Tool Transfer; 1 Encrypted Channel; 1 Non-Standard Port; 2 Non-Application Layer Protocol; 12 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
                    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
                    Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement
                    Behavior Graph

                    Behavior Graph ID: 1587597 | Sample: CdbVaYf8jC.exe | Start date: 10/01/2025 | Architecture: WINDOWS | Score: 100
                    Sample-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 9 other signatures
                    Contacted hosts: smtp.zoho.eu; ip-api.com

                    Process tree (node numbers are the graph's node ids; trailing counts after a process name are the graph's file / registry counters):

                    CdbVaYf8jC.exe 3 (node 8), started
                        signatures: Contains functionality to detect sleep reduction / modifications
                        dropped: C:\Users\user\AppData\...\deblaterate.exe, PE32
                        deblaterate.exe 1 (node 14), started
                            dropped: C:\Users\user\AppData\...\deblaterate.vbs, data
                            signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; 4 other signatures
                            RegSvcs.exe 15 2 (node 20), started
                                network: smtp.zoho.eu 185.230.214.164, ports 49731, 49732, 49740, COMPUTERLINEComputerlineSchlierbachSwitzerlandCH Netherlands; ip-api.com 208.95.112.1, ports 49730, 49739, 80, TUT-ASUS United States
                                signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
                    wscript.exe 1 (node 12), started
                        signatures: Windows Scripting host queries suspicious COM object (likely to drop second stage)
                        deblaterate.exe (node 18), started
                            signatures: Writes to foreign memory regions; Maps a DLL or memory area into another process
                            RegSvcs.exe 2 (node 24), started
                                signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)

                    Screenshots: this section contains all screenshots as thumbnails, including those not shown in the slideshow (images not reproduced in this text export).
                    Source | Detection | Scanner | Label
                    CdbVaYf8jC.exe | 74% | Virustotal |
                    CdbVaYf8jC.exe | 83% | ReversingLabs | Win32.Trojan.AutoitInject
                    CdbVaYf8jC.exe | 100% | Avira | TR/AD.GenSteal.nhplk
                    CdbVaYf8jC.exe | 100% | Joe Sandbox ML |

                    Source | Detection | Scanner | Label
                    C:\Users\user\AppData\Local\Sancerre\deblaterate.exe | 100% | Avira | TR/AD.GenSteal.nhplk
                    C:\Users\user\AppData\Local\Sancerre\deblaterate.exe | 100% | Joe Sandbox ML |
                    C:\Users\user\AppData\Local\Sancerre\deblaterate.exe | 83% | ReversingLabs | Win32.Trojan.AutoitInject

                    No Antivirus matches
                    No Antivirus matches

                    Source | Detection | Scanner | Label
                    http://smtp.zoho.eu | 0% | Avira URL Cloud | safe
                    http://status.thawte.com0: | 0% | Avira URL Cloud | safe
                    NameIPActiveMaliciousAntivirus DetectionReputation
                    smtp.zoho.eu
                    185.230.214.164
                    truetrue
                      unknown
                      ip-api.com
                      208.95.112.1
                      truefalse
                        high
                        NameMaliciousAntivirus DetectionReputation
                        http://ip-api.com/line/?fields=hostingfalse
                          high
Name:https://account.dyn.com/
Source:deblaterate.exe, 00000001.00000002.1764009097.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1919325909.0000000000402000.00000040.80000000.00040000.00000000.sdmp, deblaterate.exe, 00000005.00000002.1921660369.0000000004350000.00000004.00001000.00020000.00000000.sdmp
Malicious:false
Reputation:high

Name:http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source:RegSvcs.exe, 00000002.00000002.1921920979.0000000002E81000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2943524952.000000000284C000.00000004.00000800.00020000.00000000.sdmp
Malicious:false
Reputation:high

Name:http://cacerts.thawte.com/ThawteTLSRSACAG1.crt0
Source:RegSvcs.exe, 00000002.00000002.1924786342.00000000060E0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1920436208.0000000001227000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1921920979.0000000002FAC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1921920979.0000000002EE4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1924786342.0000000006150000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2947307621.0000000005C41000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2947307621.0000000005C94000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2947212481.0000000005C10000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2943028210.0000000000CA8000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2943524952.000000000296C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2943524952.00000000028A4000.00000004.00000800.00020000.00000000.sdmp
Malicious:false
Reputation:high

Name:http://cdp.thawte.com/ThawteTLSRSACAG1.crl0p
Source:RegSvcs.exe, 00000002.00000002.1924786342.00000000060E0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1920436208.0000000001227000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1921920979.0000000002FAC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1921920979.0000000002EE4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1924786342.0000000006150000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2947307621.0000000005C41000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2947307621.0000000005C94000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2947212481.0000000005C10000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2943028210.0000000000CA8000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2943524952.000000000296C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2943524952.00000000028A4000.00000004.00000800.00020000.00000000.sdmp
Malicious:false
Reputation:high

Name:http://status.thawte.com0:
Source:RegSvcs.exe, 00000002.00000002.1924786342.00000000060E0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1920436208.0000000001227000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1921920979.0000000002FAC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1921920979.0000000002EE4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1924786342.0000000006150000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2947307621.0000000005C41000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2947307621.0000000005C94000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2947212481.0000000005C10000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2943028210.0000000000CA8000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2943524952.000000000296C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2943524952.00000000028A4000.00000004.00000800.00020000.00000000.sdmp
Malicious:false
Antivirus Detection:Avira URL Cloud: safe
Reputation:unknown

Name:http://smtp.zoho.eu
Source:RegSvcs.exe, 00000002.00000002.1921920979.0000000002FAC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1921920979.0000000002EE4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2943524952.000000000296C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2943524952.00000000028A4000.00000004.00000800.00020000.00000000.sdmp
Malicious:false
Antivirus Detection:Avira URL Cloud: safe
Reputation:unknown

Name:http://ip-api.com
Source:RegSvcs.exe, 00000002.00000002.1921920979.0000000002E81000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2943524952.000000000284C000.00000004.00000800.00020000.00000000.sdmp
Malicious:false
Reputation:high
IP | Domain | Country | ASN | ASN Name | Malicious
208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | false
185.230.214.164 | smtp.zoho.eu | Netherlands | 41913 | COMPUTERLINEComputerlineSchlierbachSwitzerlandCH | true
                                    Joe Sandbox version:42.0.0 Malachite
                                    Analysis ID:1587597
                                    Start date and time:2025-01-10 15:22:57 +01:00
                                    Joe Sandbox product:CloudBasic
                                    Overall analysis duration:0h 7m 47s
                                    Hypervisor based Inspection enabled:false
                                    Report type:full
                                    Cookbook file name:default.jbs
                                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:10
                                    Number of new started drivers analysed:0
                                    Number of existing processes analysed:0
                                    Number of existing drivers analysed:0
                                    Number of injected processes analysed:0
                                    Technologies:
                                    • HCA enabled
                                    • EGA enabled
                                    • AMSI enabled
                                    Analysis Mode:default
                                    Analysis stop reason:Timeout
                                    Sample name:CdbVaYf8jC.exe
                                    renamed because original name is a hash value
                                    Original Sample Name:0c8117599f256ad39f13b4ed9b5271174c073e94047ed3acf8ef809d2812ae9a.exe
                                    Detection:MAL
                                    Classification:mal100.troj.spyw.expl.evad.winEXE@10/3@2/2
                                    EGA Information:
                                    • Successful, ratio: 100%
                                    HCA Information:
                                    • Successful, ratio: 99%
                                    • Number of executed functions: 44
                                    • Number of non-executed functions: 319
                                    Cookbook Comments:
                                    • Found application associated with file extension: .exe
                                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                    • Excluded IPs from analysis (whitelisted): 20.109.210.53, 20.12.23.50, 13.107.253.45
                                    • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                    • Report size exceeded maximum capacity and may have missing behavior information.
                                    • Report size exceeded maximum capacity and may have missing disassembly code.
                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                    • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
09:23:59 | API Interceptor | 126x Sleep call for process: RegSvcs.exe modified
14:24:00 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\deblaterate.vbs
Match | Associated Sample Name / URL | Detection | Threat Name | Context
208.95.112.1 | H9YFiQB7o3.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | lFlw40OH6u.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | Pago devuelto #.Documentos#9787565789678675645767856843.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | driver.exe | malicious | Blank Grabber | ip-api.com/json/?fields=225545
208.95.112.1 | XClient.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | Comprobante.de.pago.pdf.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | p.exe | malicious | Unknown | ip-api.com/csv/?fields=query
208.95.112.1 | rNuevaorden_pdf.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | I334hDwRjj.exe | malicious | Blank Grabber, Njrat | ip-api.com/json/?fields=225545
208.95.112.1 | startup_str_466.bat | malicious | XWorm | ip-api.com/line/?fields=hosting
185.230.214.164 | kG713MWffq.exe | malicious | Snake Keylogger, VIP Keylogger |
185.230.214.164 | Drawing_Products_Materials_and_Samples_IMG.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger |
185.230.214.164 | CONSULTA#1604045 MATERIAL DE MUESTRA SEPTIEMBRE.exe | malicious | GuLoader |
185.230.214.164 | CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe | malicious | DarkTortilla, Snake Keylogger, VIP Keylogger |
185.230.214.164 | Orden#46789_2024_Optoflux_mexico_sderlss.exe | malicious | AgentTesla, DarkTortilla |
185.230.214.164 | Orden#46789_2024_Optoflux_mexico_sderls.exe | malicious | AgentTesla, DarkTortilla |
185.230.214.164 | okPY77wv6E.exe | malicious | AgentTesla |
185.230.214.164 | RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe | malicious | AgentTesla |
185.230.214.164 | RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRYs.exe | malicious | GuLoader |
185.230.214.164 | RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exe | malicious | AgentTesla |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ip-api.com | H9YFiQB7o3.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | lFlw40OH6u.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | Pago devuelto #.Documentos#9787565789678675645767856843.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | driver.exe | malicious | Blank Grabber | 208.95.112.1
ip-api.com | XClient.exe | malicious | XWorm | 208.95.112.1
ip-api.com | Comprobante.de.pago.pdf.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | p.exe | malicious | Unknown | 208.95.112.1
ip-api.com | rNuevaorden_pdf.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | I334hDwRjj.exe | malicious | Blank Grabber, Njrat | 208.95.112.1
ip-api.com | startup_str_466.bat | malicious | XWorm | 208.95.112.1
smtp.zoho.eu | kG713MWffq.exe | malicious | Snake Keylogger, VIP Keylogger | 185.230.214.164
smtp.zoho.eu | Drawing_Products_Materials_and_Samples_IMG.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 185.230.214.164
smtp.zoho.eu | CONSULTA#1604045 MATERIAL DE MUESTRA SEPTIEMBRE.exe | malicious | GuLoader | 185.230.214.164
smtp.zoho.eu | CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe | malicious | DarkTortilla, Snake Keylogger, VIP Keylogger | 185.230.214.164
smtp.zoho.eu | INQUIRY#46789_MAT24_NEW_PROJECT_SAMPLE.js | malicious | AgentTesla | 185.230.212.164
smtp.zoho.eu | Pedido9456_muestras_material_JC_INDUSTRIAL_DE_MEXICO SA de CV.js | malicious | AgentTesla | 185.230.212.164
smtp.zoho.eu | 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe | malicious | AgentTesla | 185.230.212.164
smtp.zoho.eu | RFQ448903423_MAT_HASUE_de_Mexico.js | malicious | AgentTesla | 185.230.212.164
smtp.zoho.eu | File.com.exe | malicious | DarkTortilla, Snake Keylogger, VIP Keylogger | 185.230.212.164
smtp.zoho.eu | Pedido9456_muestras_material_JC_INDUSTRIAL_DE_MEXICO SA de CV.exe | malicious | AgentTesla, DarkTortilla | 185.230.212.164
Match | Associated Sample Name / URL | Detection | Threat Name | Context
COMPUTERLINEComputerlineSchlierbachSwitzerlandCH | https://sign.zoho.com/zsguest?locale=en&sign_id=234b4d535f4956237c699124bb06f6840075804affff79070f72fbd27ec4885c3a2ba06657b8a52338eb80052baee9f74c4e2e0e7f85c073df939f1ac4dff75f76c95d46ac2361c7b14335e4f12c5c5d49c49b1d2f4c838a&action_type=SIGN | malicious | Unknown | 89.36.170.147
COMPUTERLINEComputerlineSchlierbachSwitzerlandCH | https://workdrive.zohopublic.com/writer/open/p369v1c9203e54b114ff78bf68159454d9c26 | malicious | Unknown | 89.36.170.147
COMPUTERLINEComputerlineSchlierbachSwitzerlandCH | https://workdrive.zohopublic.com/writer/open/p369v39db425d23f84b09b5751cf359b081f4 | malicious | Unknown | 89.36.170.147
COMPUTERLINEComputerlineSchlierbachSwitzerlandCH | https://sign.zoho.com/zsguest?locale=en&sign_id=234b4d535f4956235d3ed2bb80da1204238e412cdfe561cf1e7cff409a79a97da8a2d431ccef9065ebae57f03416d61f0971abb897fde199a21f0da5d9085251df31eb6747d99920190103a51a045e3e309308fa5f3a1ca3&action_type=SIGN | malicious | HTMLPhisher | 89.36.170.147
COMPUTERLINEComputerlineSchlierbachSwitzerlandCH | 2024 Tepa LLC RFP Proposal.docx | malicious | Unknown | 185.230.214.169
COMPUTERLINEComputerlineSchlierbachSwitzerlandCH | https://forms.office.com/e/YpaL2Dw0r2 | malicious | Unknown | 185.230.214.19
COMPUTERLINEComputerlineSchlierbachSwitzerlandCH | https://jxgy-zcmp.maillist-manage.eu/click/1315cead38f4e738/1315cead38f50cec | malicious | Unknown | 185.230.212.29
COMPUTERLINEComputerlineSchlierbachSwitzerlandCH | https://workdrive.zohoexternal.com/file/d3qaw4673940b54374623b165953068c580b5 | malicious | HTMLPhisher | 89.36.170.147
COMPUTERLINEComputerlineSchlierbachSwitzerlandCH | https://www.pumpproducts.com/goulds-lb0735te-centrifugal-booster-pump-3-4-hp-208-230-460-volts-3-phase-1-1-4-npt-suction-1-npt-discharge-18-gpm-max-176-ft-max-head-5-impeller-tefc-stainless-steel-pump-end-casing.html | malicious | Unknown | 89.36.170.147
COMPUTERLINEComputerlineSchlierbachSwitzerlandCH | https://www.google.hn/url?q=//www.google.ee/amp/s/h2f35e7.ubpages.com/bdeda8-f4eb-4ed8-b | malicious | HTMLPhisher | 89.36.170.147
TUT-ASUS | H9YFiQB7o3.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | lFlw40OH6u.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | Pago devuelto #.Documentos#9787565789678675645767856843.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | driver.exe | malicious | Blank Grabber | 208.95.112.1
TUT-ASUS | XClient.exe | malicious | XWorm | 208.95.112.1
TUT-ASUS | Comprobante.de.pago.pdf.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | p.exe | malicious | Unknown | 208.95.112.1
TUT-ASUS | rNuevaorden_pdf.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | I334hDwRjj.exe | malicious | Blank Grabber, Njrat | 208.95.112.1
TUT-ASUS | startup_str_466.bat | malicious | XWorm | 208.95.112.1
                                                        No context
                                                        No context
                                                        Process:C:\Users\user\Desktop\CdbVaYf8jC.exe
                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):1109981
                                                        Entropy (8bit):7.394161437219553
                                                        Encrypted:false
                                                        SSDEEP:24576:WfmMv6Ckr7Mny5QKE2G0xXetum3IkD13K:W3v+7/5QK7xut/3X6
                                                        MD5:BE84CFD73EDA412A79EB13FFA896A702
                                                        SHA1:992CCD119D7B8D6DC9771D708AA809414496E2FF
                                                        SHA-256:0C8117599F256AD39F13B4ED9B5271174C073E94047ED3ACF8EF809D2812AE9A
                                                        SHA-512:2BB102E7AAA9CC0832CAFBF4DD54AAF5FB18AE4986AF6A6723527A1B2F53D0CAB9D4FA27A913A5E05D2468DBCA4536979C96AB17C043BBB7A739EC01C88D6543
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: Avira, Detection: 100%
                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                        • Antivirus: ReversingLabs, Detection: 83%
                                                        Reputation:low
                                                        Process:C:\Users\user\Desktop\CdbVaYf8jC.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):250880
                                                        Entropy (8bit):6.628208731823749
                                                        Encrypted:false
                                                        SSDEEP:3072:rsHBk24HGBOpgcYugM7I04TzU6D131c9S3DD8k9S3UvczEdd0Y8hvN0rtMuDRW2r:rsH+pRg6roU6h1cM3PJ9OEdC/uhRWn0
                                                        MD5:0D4212EFA938CD90D3D2BF19B39F111D
                                                        SHA1:CA2DAD98643993FF521762069FC16C35C94E01CF
                                                        SHA-256:02AEE0404D01F5261BF8BC87D78212359C43A06994F53D6CC61351E34D69496A
                                                        SHA-512:E6C673042F9487F1BD5946BA8FC91D8EF074445BE648073B9AC5FF5C4FC819F14D77735360D3A12A5D0B52D4DCF8E3DFE31E4DFA4A45A363295E80E764CD2271
                                                        Malicious:false
                                                        Reputation:low
                                                        Process:C:\Users\user\AppData\Local\Sancerre\deblaterate.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):280
                                                        Entropy (8bit):3.3646143103872914
                                                        Encrypted:false
                                                        SSDEEP:6:DMM8lfm3OOQdUfcloRKUEZ+lX12l5fZkIAnriIM8lfQVn:DsO+vNloRKQ1CZkPmA2n
                                                        MD5:3056344BAA9949F6A48DAB5F6E52A7D6
                                                        SHA1:3A16DF6EB5A53A13D4B550CD3A453FDDF87A2071
                                                        SHA-256:EDA3B37DBA9DF109BBB2C18CDE32B7F4D28C3DFC9599B0726704004B265F8905
                                                        SHA-512:ABE72A4721A7D32BEFA3F958B3BDE0CA9EA47E65A61F5340516BAA1B80226C1E1F4574820A448ACDBE16CC88AA834E24320AF5B46AD23AA4C55C66C90902439E
                                                        Malicious:true
                                                        Reputation:low
Preview (UTF-16LE text, decoded):
Set WshShell = CreateObject("WScript.Shell")
WshShell.Run "C:\Users\jones\AppData\Local\Sancerre\deblaterate.exe", 1
Set WshShell = Nothing
                                                        File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                        Entropy (8bit):7.394161437219553
                                                        TrID:
                                                        • Win32 Executable (generic) a (10002005/4) 95.11%
                                                        • AutoIt3 compiled script executable (510682/80) 4.86%
                                                        • Generic Win/DOS Executable (2004/3) 0.02%
                                                        • DOS Executable Generic (2002/1) 0.02%
                                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                        File name:CdbVaYf8jC.exe
                                                        File size:1'109'981 bytes
                                                        MD5:be84cfd73eda412a79eb13ffa896a702
                                                        SHA1:992ccd119d7b8d6dc9771d708aa809414496e2ff
                                                        SHA256:0c8117599f256ad39f13b4ed9b5271174c073e94047ed3acf8ef809d2812ae9a
                                                        SHA512:2bb102e7aaa9cc0832cafbf4dd54aaf5fb18ae4986af6a6723527a1b2f53d0cab9d4fa27a913a5e05d2468dbca4536979c96ab17c043bbb7a739ec01c88d6543
                                                        SSDEEP:24576:WfmMv6Ckr7Mny5QKE2G0xXetum3IkD13K:W3v+7/5QK7xut/3X6
                                                        TLSH:FF35E112B7D680B6D9A338B1297BF32BEB3575194327C4CBA7E01E768F111409B3A761
                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......-...i...i...i.....9.k...`.:.w...`.,.....`.+.P...N%..c...N%..H...i...d...`. ./...w.:.k...w.;.h...i.8.h...`.>.h...Richi..........
                                                        Icon Hash:3174b291b5b7a5e1
                                                        Entrypoint:0x416310
                                                        Entrypoint Section:.text
                                                        Digitally signed:false
                                                        Imagebase:0x400000
                                                        Subsystem:windows gui
                                                        Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                        DLL Characteristics:TERMINAL_SERVER_AWARE
                                                        Time Stamp:0x4B93CF87 [Sun Mar 7 16:08:39 2010 UTC]
                                                        TLS Callbacks:
                                                        CLR (.Net) Version:
                                                        OS Version Major:5
                                                        OS Version Minor:0
                                                        File Version Major:5
                                                        File Version Minor:0
                                                        Subsystem Version Major:5
                                                        Subsystem Version Minor:0
                                                        Import Hash:aaaa8913c89c8aa4a5d93f06853894da
Instruction
call 00007FD9288383ECh
jmp 00007FD92882C1BEh
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push edi
push esi
mov esi, dword ptr [ebp+0Ch]
mov ecx, dword ptr [ebp+10h]
mov edi, dword ptr [ebp+08h]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007FD92882C34Ah
cmp edi, eax
jc 00007FD92882C4EAh
cmp ecx, 00000100h
jc 00007FD92882C361h
cmp dword ptr [004A94E0h], 00000000h
je 00007FD92882C358h
push edi
push esi
and edi, 0Fh
and esi, 0Fh
cmp edi, esi
pop esi
pop edi
jne 00007FD92882C34Ah
pop esi
pop edi
pop ebp
jmp 00007FD92882C7AAh
test edi, 00000003h
jne 00007FD92882C357h
shr ecx, 02h
and edx, 03h
cmp ecx, 08h
jc 00007FD92882C36Ch
rep movsd
jmp dword ptr [00416494h+edx*4]
nop
mov eax, edi
mov edx, 00000003h
sub ecx, 04h
jc 00007FD92882C34Eh
and eax, 03h
add ecx, eax
jmp dword ptr [004163A8h+eax*4]
jmp dword ptr [004164A4h+ecx*4]
nop
jmp dword ptr [00416428h+ecx*4]
nop
mov eax, E4004163h
arpl word ptr [ecx+00h], ax
or byte ptr [ecx+eax*2+00h], ah
and edx, ecx
mov al, byte ptr [esi]
mov byte ptr [edi], al
mov al, byte ptr [esi+01h]
mov byte ptr [edi+01h], al
mov al, byte ptr [esi+02h]
shr ecx, 02h
mov byte ptr [edi+02h], al
add esi, 03h
add edi, 03h
cmp ecx, 08h
jc 00007FD92882C30Eh
Programming Language:
• [ASM] VS2008 SP1 build 30729
• [ C ] VS2008 SP1 build 30729
• [C++] VS2008 SP1 build 30729
• [ C ] VS2005 build 50727
• [IMP] VS2005 build 50727
• [ASM] VS2008 build 21022
• [RES] VS2008 build 21022
• [LNK] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8cd3c | 0x154 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xab000 | 0x3e48 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x82000 | 0x840 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x80017 | 0x80200 | 6c20c6bf686768b6f134f5bd508171bc | False | 0.5602991615853659 | data | 6.634688230255595 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x82000 | 0xd95c | 0xda00 | f979966509a93083729d23cdfd2a6f2d | False | 0.36256450688073394 | data | 4.880040824124099 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x90000 | 0x1a518 | 0x6800 | e5d77411f751d28c6eee48a743606795 | False | 0.1600060096153846 | data | 2.2017649896261107 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xab000 | 0x3e48 | 0x4000 | f7204484a0e7164d0ab8ebfd6bf48698 | False | 0.41046142578125 | data | 4.959604524064203 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xab448 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xab570 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xab698 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xab7c0 | 0xf83 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | Great Britain | 0.8204482498111307
RT_MENU | 0xac748 | 0x50 | data | English | Great Britain | 0.9
RT_DIALOG | 0xac798 | 0xfc | data | English | Great Britain | 0.6507936507936508
RT_STRING | 0xac898 | 0x530 | data | English | Great Britain | 0.33960843373493976
RT_STRING | 0xacdc8 | 0x690 | data | English | Great Britain | 0.26964285714285713
RT_STRING | 0xad458 | 0x43a | data | English | Great Britain | 0.3733826247689464
RT_STRING | 0xad898 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xade98 | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xae4f8 | 0x388 | data | English | Great Britain | 0.377212389380531
RT_STRING | 0xae880 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | United States | 0.502906976744186
RT_GROUP_ICON | 0xae9d8 | 0x14 | data | English | Great Britain | 1.2
RT_GROUP_ICON | 0xae9f0 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0xaea08 | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0xaea20 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0xaea38 | 0x19c | data | English | Great Britain | 0.5339805825242718
RT_MANIFEST | 0xaebd8 | 0x26c | ASCII text, with CRLF line terminators | English | United States | 0.5145161290322581
DLL | Import
WSOCK32.dll | __WSAFDIsSet, setsockopt, ntohs, recvfrom, sendto, htons, select, listen, WSAStartup, bind, closesocket, connect, socket, send, WSACleanup, ioctlsocket, accept, WSAGetLastError, inet_addr, gethostbyname, gethostname, recv
VERSION.dll | VerQueryValueW, GetFileVersionInfoW, GetFileVersionInfoSizeW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_ReplaceIcon, ImageList_Create, InitCommonControlsEx, ImageList_Destroy
MPR.dll | WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W, WNetUseConnectionW
WININET.dll | InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetConnectW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetQueryOptionW, InternetQueryDataAvailable
PSAPI.DLL | EnumProcesses, GetModuleBaseNameW, GetProcessMemoryInfo, EnumProcessModules
USERENV.dll | CreateEnvironmentBlock, DestroyEnvironmentBlock, UnloadUserProfile, LoadUserProfileW
KERNEL32.dll | HeapAlloc, Sleep, GetCurrentThreadId, RaiseException, MulDiv, GetVersionExW, GetSystemInfo, MultiByteToWideChar, WideCharToMultiByte, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, DeleteFileW, FindNextFileW, lstrcmpiW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, GetProcessHeap, OutputDebugStringW, GetLocalTime, CompareStringW, CompareStringA, InterlockedIncrement, InterlockedDecrement, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, GetTempPathW, GetTempFileNameW, VirtualFree, FormatMessageW, GetExitCodeProcess, SetErrorMode, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, DeviceIoControl, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetComputerNameW, GetWindowsDirectoryW, GetSystemDirectoryW, GetCurrentProcessId, GetCurrentThread, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, LoadLibraryExW, HeapFree, WaitForSingleObject, CreateThread, DuplicateHandle, GetLastError, CloseHandle, GetCurrentProcess, GetProcAddress, LoadLibraryA, FreeLibrary, GetModuleFileNameW, GetFullPathNameW, ExitProcess, ExitThread, GetSystemTimeAsFileTime, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, ResumeThread, GetStartupInfoW, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, SetLastError, HeapSize, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetModuleFileNameA, HeapReAlloc, HeapCreate, SetHandleCount, GetFileType, GetStartupInfoA, SetStdHandle, GetConsoleCP, GetConsoleMode, LCMapStringW, LCMapStringA, RtlUnwind, SetFilePointer, GetTimeZoneInformation, GetTimeFormatA, GetDateFormatA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetTickCount, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, GetModuleHandleA, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, CreateFileA, SetEndOfFile, EnumResourceNamesW, SetEnvironmentVariableA
USER32.dll | SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, ReleaseCapture, SetCapture, WindowFromPoint, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, CheckMenuRadioItem, CopyImage, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, PeekMessageW, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, GetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, MessageBoxW, DefWindowProcW, MoveWindow, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, GetMenuItemID, TranslateMessage, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, UnregisterHotKey, CharLowerBuffW, MonitorFromRect, keybd_event, LoadImageW, GetWindowLongW
GDI32.dll | DeleteObject, GetObjectW, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, PolyDraw, BeginPath, Rectangle, GetDeviceCaps, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, SetViewportOrgEx
COMDLG32.dll | GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll | RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegConnectRegistryW, RegEnumKeyExW, CloseServiceHandle, UnlockServiceDatabase, LockServiceDatabase, OpenSCManagerW, InitiateSystemShutdownExW, AdjustTokenPrivileges, RegCloseKey, RegQueryValueExW, RegOpenKeyExW, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, InitializeSecurityDescriptor, InitializeAcl, GetLengthSid, SetSecurityDescriptorDacl, CopySid, LogonUserW, GetTokenInformation, GetAclInformation, GetAce, AddAce, GetSecurityDescriptorDacl
SHELL32.dll | DragQueryPoint, ShellExecuteExW, SHGetFolderPathW, DragQueryFileW, SHEmptyRecycleBinW, SHBrowseForFolderW, SHFileOperationW, SHGetPathFromIDListW, SHGetDesktopFolder, SHGetMalloc, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll | OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoInitialize, CoUninitialize, CoCreateInstance, CreateStreamOnHGlobal, CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, StringFromCLSID, IIDFromString, StringFromIID, OleInitialize, CreateBindCtx, CLSIDFromProgID, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket, OleUninitialize
OLEAUT32.dll | SafeArrayAllocData, SafeArrayAllocDescriptorEx, SysAllocString, OleLoadPicture, SafeArrayGetVartype, SafeArrayDestroyData, SafeArrayAccessData, VarR8FromDec, VariantTimeToSystemTime, VariantClear, VariantCopy, VariantInit, SafeArrayDestroyDescriptor, LoadRegTypeLib, GetActiveObject, SafeArrayUnaccessData
Language of compilation system | Country where language is spoken | Map
English | Great Britain |
English | United States |
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 10, 2025 15:23:59.227006912 CET | 49730 | 80 | 192.168.2.4 | 208.95.112.1
Jan 10, 2025 15:23:59.231986046 CET | 80 | 49730 | 208.95.112.1 | 192.168.2.4
Jan 10, 2025 15:23:59.232089996 CET | 49730 | 80 | 192.168.2.4 | 208.95.112.1
Jan 10, 2025 15:23:59.232948065 CET | 49730 | 80 | 192.168.2.4 | 208.95.112.1
Jan 10, 2025 15:23:59.237852097 CET | 80 | 49730 | 208.95.112.1 | 192.168.2.4
Jan 10, 2025 15:23:59.692951918 CET | 80 | 49730 | 208.95.112.1 | 192.168.2.4
Jan 10, 2025 15:23:59.748162985 CET | 49730 | 80 | 192.168.2.4 | 208.95.112.1
Jan 10, 2025 15:24:00.333033085 CET | 49731 | 587 | 192.168.2.4 | 185.230.214.164
Jan 10, 2025 15:24:00.337939024 CET | 587 | 49731 | 185.230.214.164 | 192.168.2.4
Jan 10, 2025 15:24:00.338012934 CET | 49731 | 587 | 192.168.2.4 | 185.230.214.164
Jan 10, 2025 15:24:00.941458941 CET | 587 | 49731 | 185.230.214.164 | 192.168.2.4
Jan 10, 2025 15:24:00.941777945 CET | 49731 | 587 | 192.168.2.4 | 185.230.214.164
Jan 10, 2025 15:24:00.946660042 CET | 587 | 49731 | 185.230.214.164 | 192.168.2.4
Jan 10, 2025 15:24:01.445034981 CET | 587 | 49731 | 185.230.214.164 | 192.168.2.4
Jan 10, 2025 15:24:01.446083069 CET | 49731 | 587 | 192.168.2.4 | 185.230.214.164
Jan 10, 2025 15:24:01.450934887 CET | 587 | 49731 | 185.230.214.164 | 192.168.2.4
Jan 10, 2025 15:24:01.637613058 CET | 587 | 49731 | 185.230.214.164 | 192.168.2.4
Jan 10, 2025 15:24:01.647262096 CET | 49731 | 587 | 192.168.2.4 | 185.230.214.164
Jan 10, 2025 15:24:01.652122021 CET | 587 | 49731 | 185.230.214.164 | 192.168.2.4
Jan 10, 2025 15:24:01.839874983 CET | 587 | 49731 | 185.230.214.164 | 192.168.2.4
Jan 10, 2025 15:24:01.839893103 CET | 587 | 49731 | 185.230.214.164 | 192.168.2.4
Jan 10, 2025 15:24:01.839904070 CET | 587 | 49731 | 185.230.214.164 | 192.168.2.4
Jan 10, 2025 15:24:01.839916945 CET | 587 | 49731 | 185.230.214.164 | 192.168.2.4
Jan 10, 2025 15:24:01.840084076 CET | 49731 | 587 | 192.168.2.4 | 185.230.214.164
Jan 10, 2025 15:24:01.848455906 CET | 49731 | 587 | 192.168.2.4 | 185.230.214.164
Jan 10, 2025 15:24:01.853254080 CET | 587 | 49731 | 185.230.214.164 | 192.168.2.4
Jan 10, 2025 15:24:02.050803900 CET | 587 | 49731 | 185.230.214.164 | 192.168.2.4
Jan 10, 2025 15:24:02.093645096 CET | 49731 | 587 | 192.168.2.4 | 185.230.214.164
Jan 10, 2025 15:24:02.169708967 CET | 49731 | 587 | 192.168.2.4 | 185.230.214.164
Jan 10, 2025 15:24:02.174659967 CET | 587 | 49731 | 185.230.214.164 | 192.168.2.4
Jan 10, 2025 15:24:02.361342907 CET | 587 | 49731 | 185.230.214.164 | 192.168.2.4
Jan 10, 2025 15:24:02.362319946 CET | 49731 | 587 | 192.168.2.4 | 185.230.214.164
Jan 10, 2025 15:24:02.367171049 CET | 587 | 49731 | 185.230.214.164 | 192.168.2.4
Jan 10, 2025 15:24:02.588211060 CET | 587 | 49731 | 185.230.214.164 | 192.168.2.4
Jan 10, 2025 15:24:02.588593006 CET | 49731 | 587 | 192.168.2.4 | 185.230.214.164
Jan 10, 2025 15:24:02.593374968 CET | 587 | 49731 | 185.230.214.164 | 192.168.2.4
Jan 10, 2025 15:24:02.984456062 CET | 587 | 49731 | 185.230.214.164 | 192.168.2.4
Jan 10, 2025 15:24:02.984793901 CET | 49731 | 587 | 192.168.2.4 | 185.230.214.164
Jan 10, 2025 15:24:02.989595890 CET | 587 | 49731 | 185.230.214.164 | 192.168.2.4
Jan 10, 2025 15:24:03.176220894 CET | 587 | 49731 | 185.230.214.164 | 192.168.2.4
Jan 10, 2025 15:24:03.176664114 CET | 49731 | 587 | 192.168.2.4 | 185.230.214.164
Jan 10, 2025 15:24:03.181543112 CET | 587 | 49731 | 185.230.214.164 | 192.168.2.4
Jan 10, 2025 15:24:03.378407955 CET | 587 | 49731 | 185.230.214.164 | 192.168.2.4
Jan 10, 2025 15:24:03.381201982 CET | 49731 | 587 | 192.168.2.4 | 185.230.214.164
Jan 10, 2025 15:24:03.385997057 CET | 587 | 49731 | 185.230.214.164 | 192.168.2.4
Jan 10, 2025 15:24:03.572460890 CET | 587 | 49731 | 185.230.214.164 | 192.168.2.4
Jan 10, 2025 15:24:03.575822115 CET | 49731 | 587 | 192.168.2.4 | 185.230.214.164
Jan 10, 2025 15:24:03.575982094 CET | 49731 | 587 | 192.168.2.4 | 185.230.214.164
Jan 10, 2025 15:24:03.576030016 CET | 49731 | 587 | 192.168.2.4 | 185.230.214.164
Jan 10, 2025 15:24:03.576061964 CET | 49731 | 587 | 192.168.2.4 | 185.230.214.164
Jan 10, 2025 15:24:03.580725908 CET | 587 | 49731 | 185.230.214.164 | 192.168.2.4
Jan 10, 2025 15:24:03.580826044 CET | 587 | 49731 | 185.230.214.164 | 192.168.2.4
Jan 10, 2025 15:24:03.580837011 CET | 587 | 49731 | 185.230.214.164 | 192.168.2.4
Jan 10, 2025 15:24:03.580951929 CET | 587 | 49731 | 185.230.214.164 | 192.168.2.4
Jan 10, 2025 15:24:04.493290901 CET | 587 | 49731 | 185.230.214.164 | 192.168.2.4
Jan 10, 2025 15:24:04.545046091 CET | 49731 | 587 | 192.168.2.4 | 185.230.214.164
Jan 10, 2025 15:24:04.819761992 CET | 49731 | 587 | 192.168.2.4 | 185.230.214.164
Jan 10, 2025 15:24:04.824892044 CET | 587 | 49731 | 185.230.214.164 | 192.168.2.4
Jan 10, 2025 15:24:05.010957003 CET | 587 | 49731 | 185.230.214.164 | 192.168.2.4
Jan 10, 2025 15:24:05.011359930 CET | 587 | 49731 | 185.230.214.164 | 192.168.2.4
Jan 10, 2025 15:24:05.011373043 CET | 587 | 49731 | 185.230.214.164 | 192.168.2.4
Jan 10, 2025 15:24:05.011416912 CET | 49731 | 587 | 192.168.2.4 | 185.230.214.164
Jan 10, 2025 15:24:05.015460968 CET | 49731 | 587 | 192.168.2.4 | 185.230.214.164
Jan 10, 2025 15:24:05.016690016 CET | 49732 | 587 | 192.168.2.4 | 185.230.214.164
Jan 10, 2025 15:24:05.021502972 CET | 587 | 49732 | 185.230.214.164 | 192.168.2.4
Jan 10, 2025 15:24:05.021579981 CET | 49732 | 587 | 192.168.2.4 | 185.230.214.164
Jan 10, 2025 15:24:05.645159960 CET | 587 | 49732 | 185.230.214.164 | 192.168.2.4
Jan 10, 2025 15:24:05.652179956 CET | 49732 | 587 | 192.168.2.4 | 185.230.214.164
Jan 10, 2025 15:24:05.657116890 CET | 587 | 49732 | 185.230.214.164 | 192.168.2.4
Jan 10, 2025 15:24:06.162715912 CET | 587 | 49732 | 185.230.214.164 | 192.168.2.4
Jan 10, 2025 15:24:06.162971020 CET | 49732 | 587 | 192.168.2.4 | 185.230.214.164
Jan 10, 2025 15:24:06.167876959 CET | 587 | 49732 | 185.230.214.164 | 192.168.2.4
Jan 10, 2025 15:24:06.353768110 CET | 587 | 49732 | 185.230.214.164 | 192.168.2.4
Jan 10, 2025 15:24:06.354247093 CET | 49732 | 587 | 192.168.2.4 | 185.230.214.164
Jan 10, 2025 15:24:06.359039068 CET | 587 | 49732 | 185.230.214.164 | 192.168.2.4
Jan 10, 2025 15:24:06.545916080 CET | 587 | 49732 | 185.230.214.164 | 192.168.2.4
Jan 10, 2025 15:24:06.545938015 CET | 587 | 49732 | 185.230.214.164 | 192.168.2.4
Jan 10, 2025 15:24:06.545952082 CET | 587 | 49732 | 185.230.214.164 | 192.168.2.4
Jan 10, 2025 15:24:06.546001911 CET | 49732 | 587 | 192.168.2.4 | 185.230.214.164
Jan 10, 2025 15:24:06.547790051 CET | 49732 | 587 | 192.168.2.4 | 185.230.214.164
Jan 10, 2025 15:24:06.552597046 CET | 587 | 49732 | 185.230.214.164 | 192.168.2.4
Jan 10, 2025 15:24:06.738445997 CET | 587 | 49732 | 185.230.214.164 | 192.168.2.4
Jan 10, 2025 15:24:06.739813089 CET | 49732 | 587 | 192.168.2.4 | 185.230.214.164
Jan 10, 2025 15:24:06.744760990 CET | 587 | 49732 | 185.230.214.164 | 192.168.2.4
Jan 10, 2025 15:24:06.930469036 CET | 587 | 49732 | 185.230.214.164 | 192.168.2.4
Jan 10, 2025 15:24:06.982513905 CET | 49732 | 587 | 192.168.2.4 | 185.230.214.164
Jan 10, 2025 15:24:07.061062098 CET | 587 | 49732 | 185.230.214.164 | 192.168.2.4
Jan 10, 2025 15:24:07.061744928 CET | 49732 | 587 | 192.168.2.4 | 185.230.214.164
Jan 10, 2025 15:24:07.066613913 CET | 587 | 49732 | 185.230.214.164 | 192.168.2.4
Jan 10, 2025 15:24:07.252572060 CET | 587 | 49732 | 185.230.214.164 | 192.168.2.4
Jan 10, 2025 15:24:07.256215096 CET | 49732 | 587 | 192.168.2.4 | 185.230.214.164
Jan 10, 2025 15:24:07.261142969 CET | 587 | 49732 | 185.230.214.164 | 192.168.2.4
Jan 10, 2025 15:24:07.478960037 CET | 587 | 49732 | 185.230.214.164 | 192.168.2.4
Jan 10, 2025 15:24:07.520742893 CET | 49732 | 587 | 192.168.2.4 | 185.230.214.164
Jan 10, 2025 15:24:07.525619984 CET | 587 | 49732 | 185.230.214.164 | 192.168.2.4
Jan 10, 2025 15:24:07.711412907 CET | 587 | 49732 | 185.230.214.164 | 192.168.2.4
Jan 10, 2025 15:24:07.711664915 CET | 49732 | 587 | 192.168.2.4 | 185.230.214.164
Jan 10, 2025 15:24:07.716555119 CET | 587 | 49732 | 185.230.214.164 | 192.168.2.4
Jan 10, 2025 15:24:07.902281046 CET | 587 | 49732 | 185.230.214.164 | 192.168.2.4
Jan 10, 2025 15:24:07.902494907 CET | 49732 | 587 | 192.168.2.4 | 185.230.214.164
Jan 10, 2025 15:24:07.907363892 CET | 587 | 49732 | 185.230.214.164 | 192.168.2.4
Jan 10, 2025 15:24:08.105643988 CET | 587 | 49732 | 185.230.214.164 | 192.168.2.4
Jan 10, 2025 15:24:08.107381105 CET | 49732 | 587 | 192.168.2.4 | 185.230.214.164
Jan 10, 2025 15:24:08.107431889 CET | 49732 | 587 | 192.168.2.4 | 185.230.214.164
Jan 10, 2025 15:24:08.107464075 CET | 49732 | 587 | 192.168.2.4 | 185.230.214.164
Jan 10, 2025 15:24:08.107525110 CET | 49732 | 587 | 192.168.2.4 | 185.230.214.164
Jan 10, 2025 15:24:08.107656956 CET | 49732 | 587 | 192.168.2.4 | 185.230.214.164
Jan 10, 2025 15:24:08.107681990 CET | 49732 | 587 | 192.168.2.4 | 185.230.214.164
Jan 10, 2025 15:24:08.107698917 CET | 49732 | 587 | 192.168.2.4 | 185.230.214.164
Jan 10, 2025 15:24:08.107719898 CET | 49732 | 587 | 192.168.2.4 | 185.230.214.164
Jan 10, 2025 15:24:08.107739925 CET | 49732 | 587 | 192.168.2.4 | 185.230.214.164
Jan 10, 2025 15:24:08.112298012 CET | 587 | 49732 | 185.230.214.164 | 192.168.2.4
Jan 10, 2025 15:24:08.112359047 CET | 587 | 49732 | 185.230.214.164 | 192.168.2.4
Jan 10, 2025 15:24:08.112389088 CET | 587 | 49732 | 185.230.214.164 | 192.168.2.4
                                                        Jan 10, 2025 15:24:08.112468004 CET58749732185.230.214.164192.168.2.4
                                                        Jan 10, 2025 15:24:08.112551928 CET58749732185.230.214.164192.168.2.4
                                                        Jan 10, 2025 15:24:08.112605095 CET58749732185.230.214.164192.168.2.4
                                                        Jan 10, 2025 15:24:08.112633944 CET58749732185.230.214.164192.168.2.4
                                                        Jan 10, 2025 15:24:08.112689018 CET58749732185.230.214.164192.168.2.4
                                                        Jan 10, 2025 15:24:08.112724066 CET58749732185.230.214.164192.168.2.4
                                                        Jan 10, 2025 15:24:08.112754107 CET58749732185.230.214.164192.168.2.4
                                                        Jan 10, 2025 15:24:08.112790108 CET58749732185.230.214.164192.168.2.4
                                                        Jan 10, 2025 15:24:08.569309950 CET58749732185.230.214.164192.168.2.4
                                                        Jan 10, 2025 15:24:08.623131990 CET49732587192.168.2.4185.230.214.164
                                                        Jan 10, 2025 15:24:14.896703005 CET4973980192.168.2.4208.95.112.1
                                                        Jan 10, 2025 15:24:14.901590109 CET8049739208.95.112.1192.168.2.4
                                                        Jan 10, 2025 15:24:14.901757002 CET4973980192.168.2.4208.95.112.1
                                                        Jan 10, 2025 15:24:14.901988029 CET4973980192.168.2.4208.95.112.1
                                                        Jan 10, 2025 15:24:14.906735897 CET8049739208.95.112.1192.168.2.4
                                                        Jan 10, 2025 15:24:15.315579891 CET49732587192.168.2.4185.230.214.164
                                                        Jan 10, 2025 15:24:15.315931082 CET4973080192.168.2.4208.95.112.1
                                                        Jan 10, 2025 15:24:15.393332958 CET8049739208.95.112.1192.168.2.4
                                                        Jan 10, 2025 15:24:15.435662031 CET4973980192.168.2.4208.95.112.1
                                                        Jan 10, 2025 15:24:15.949702024 CET49740587192.168.2.4185.230.214.164
                                                        Jan 10, 2025 15:24:15.955503941 CET58749740185.230.214.164192.168.2.4
                                                        Jan 10, 2025 15:24:15.955610037 CET49740587192.168.2.4185.230.214.164
                                                        Jan 10, 2025 15:24:16.533509970 CET58749740185.230.214.164192.168.2.4
                                                        Jan 10, 2025 15:24:16.533780098 CET49740587192.168.2.4185.230.214.164
                                                        Jan 10, 2025 15:24:16.538690090 CET58749740185.230.214.164192.168.2.4
                                                        Jan 10, 2025 15:24:16.953635931 CET58749740185.230.214.164192.168.2.4
                                                        Jan 10, 2025 15:24:16.956362009 CET49740587192.168.2.4185.230.214.164
                                                        Jan 10, 2025 15:24:16.962305069 CET58749740185.230.214.164192.168.2.4
                                                        Jan 10, 2025 15:24:17.146059036 CET58749740185.230.214.164192.168.2.4
                                                        Jan 10, 2025 15:24:17.150763988 CET49740587192.168.2.4185.230.214.164
                                                        Jan 10, 2025 15:24:17.155658960 CET58749740185.230.214.164192.168.2.4
                                                        Jan 10, 2025 15:24:17.341444969 CET58749740185.230.214.164192.168.2.4
                                                        Jan 10, 2025 15:24:17.341475964 CET58749740185.230.214.164192.168.2.4
                                                        Jan 10, 2025 15:24:17.341491938 CET58749740185.230.214.164192.168.2.4
                                                        Jan 10, 2025 15:24:17.341511011 CET58749740185.230.214.164192.168.2.4
                                                        Jan 10, 2025 15:24:17.341850042 CET49740587192.168.2.4185.230.214.164
                                                        Jan 10, 2025 15:24:17.343537092 CET49740587192.168.2.4185.230.214.164
                                                        Jan 10, 2025 15:24:17.348381042 CET58749740185.230.214.164192.168.2.4
                                                        Jan 10, 2025 15:24:17.530467987 CET58749740185.230.214.164192.168.2.4
                                                        Jan 10, 2025 15:24:17.546796083 CET49740587192.168.2.4185.230.214.164
                                                        Jan 10, 2025 15:24:17.552401066 CET58749740185.230.214.164192.168.2.4
                                                        Jan 10, 2025 15:24:17.734086037 CET58749740185.230.214.164192.168.2.4
                                                        Jan 10, 2025 15:24:17.736277103 CET49740587192.168.2.4185.230.214.164
                                                        Jan 10, 2025 15:24:17.741945982 CET58749740185.230.214.164192.168.2.4
                                                        Jan 10, 2025 15:24:17.923748016 CET58749740185.230.214.164192.168.2.4
                                                        Jan 10, 2025 15:24:17.924520016 CET49740587192.168.2.4185.230.214.164
                                                        Jan 10, 2025 15:24:17.930684090 CET58749740185.230.214.164192.168.2.4
                                                        Jan 10, 2025 15:24:18.147600889 CET58749740185.230.214.164192.168.2.4
                                                        Jan 10, 2025 15:24:18.147953987 CET49740587192.168.2.4185.230.214.164
                                                        Jan 10, 2025 15:24:18.152741909 CET58749740185.230.214.164192.168.2.4
                                                        Jan 10, 2025 15:24:18.334567070 CET58749740185.230.214.164192.168.2.4
                                                        Jan 10, 2025 15:24:18.335263968 CET49740587192.168.2.4185.230.214.164
                                                        Jan 10, 2025 15:24:18.340059996 CET58749740185.230.214.164192.168.2.4
                                                        Jan 10, 2025 15:24:18.521827936 CET58749740185.230.214.164192.168.2.4
                                                        Jan 10, 2025 15:24:18.522735119 CET49740587192.168.2.4185.230.214.164
                                                        Jan 10, 2025 15:24:18.527630091 CET58749740185.230.214.164192.168.2.4
                                                        Jan 10, 2025 15:24:18.710360050 CET58749740185.230.214.164192.168.2.4
                                                        Jan 10, 2025 15:24:18.711194992 CET49740587192.168.2.4185.230.214.164
                                                        Jan 10, 2025 15:24:18.711340904 CET49740587192.168.2.4185.230.214.164
                                                        Jan 10, 2025 15:24:18.711340904 CET49740587192.168.2.4185.230.214.164
                                                        Jan 10, 2025 15:24:18.711340904 CET49740587192.168.2.4185.230.214.164
                                                        Jan 10, 2025 15:24:18.715986967 CET58749740185.230.214.164192.168.2.4
                                                        Jan 10, 2025 15:24:18.716231108 CET58749740185.230.214.164192.168.2.4
                                                        Jan 10, 2025 15:24:18.716239929 CET58749740185.230.214.164192.168.2.4
                                                        Jan 10, 2025 15:24:18.716248989 CET58749740185.230.214.164192.168.2.4
                                                        Jan 10, 2025 15:24:19.337032080 CET58749740185.230.214.164192.168.2.4
                                                        Jan 10, 2025 15:24:19.378693104 CET49740587192.168.2.4185.230.214.164
                                                        Jan 10, 2025 15:24:19.383466959 CET58749740185.230.214.164192.168.2.4
                                                        Jan 10, 2025 15:24:19.580813885 CET58749740185.230.214.164192.168.2.4
                                                        Jan 10, 2025 15:24:19.581289053 CET58749740185.230.214.164192.168.2.4
                                                        Jan 10, 2025 15:24:19.581373930 CET58749740185.230.214.164192.168.2.4
                                                        Jan 10, 2025 15:24:19.581393957 CET49740587192.168.2.4185.230.214.164
                                                        Jan 10, 2025 15:24:19.581427097 CET49740587192.168.2.4185.230.214.164
                                                        Jan 10, 2025 15:24:19.584777117 CET49740587192.168.2.4185.230.214.164
                                                        Jan 10, 2025 15:24:19.585643053 CET49741587192.168.2.4185.230.214.164
                                                        Jan 10, 2025 15:24:19.591774940 CET58749741185.230.214.164192.168.2.4
                                                        Jan 10, 2025 15:24:19.591847897 CET49741587192.168.2.4185.230.214.164
                                                        Jan 10, 2025 15:24:20.213017941 CET58749741185.230.214.164192.168.2.4
                                                        Jan 10, 2025 15:24:20.213186979 CET49741587192.168.2.4185.230.214.164
                                                        Jan 10, 2025 15:24:20.218027115 CET58749741185.230.214.164192.168.2.4
                                                        Jan 10, 2025 15:24:20.404273987 CET58749741185.230.214.164192.168.2.4
                                                        Jan 10, 2025 15:24:20.404691935 CET49741587192.168.2.4185.230.214.164
                                                        Jan 10, 2025 15:24:20.409584999 CET58749741185.230.214.164192.168.2.4
                                                        Jan 10, 2025 15:24:20.595993042 CET58749741185.230.214.164192.168.2.4
                                                        Jan 10, 2025 15:24:20.596599102 CET49741587192.168.2.4185.230.214.164
                                                        Jan 10, 2025 15:24:20.601401091 CET58749741185.230.214.164192.168.2.4
                                                        Jan 10, 2025 15:24:20.787054062 CET58749741185.230.214.164192.168.2.4
                                                        Jan 10, 2025 15:24:20.788150072 CET49741587192.168.2.4185.230.214.164
                                                        Jan 10, 2025 15:24:20.788690090 CET49741587192.168.2.4185.230.214.164
                                                        Jan 10, 2025 15:24:20.792995930 CET58749741185.230.214.164192.168.2.4
                                                        Jan 10, 2025 15:24:20.793510914 CET58749741185.230.214.164192.168.2.4
                                                        Jan 10, 2025 15:24:21.119462013 CET58749741185.230.214.164192.168.2.4
                                                        Jan 10, 2025 15:24:21.170090914 CET49741587192.168.2.4185.230.214.164
                                                        Jan 10, 2025 15:24:21.253110886 CET58749741185.230.214.164192.168.2.4
                                                        Jan 10, 2025 15:24:21.256223917 CET49741587192.168.2.4185.230.214.164
                                                        Jan 10, 2025 15:24:21.261187077 CET58749741185.230.214.164192.168.2.4
                                                        Jan 10, 2025 15:24:21.448359013 CET58749741185.230.214.164192.168.2.4
                                                        Jan 10, 2025 15:24:21.448848963 CET49741587192.168.2.4185.230.214.164
                                                        Jan 10, 2025 15:24:21.453815937 CET58749741185.230.214.164192.168.2.4
                                                        Jan 10, 2025 15:24:21.677217007 CET58749741185.230.214.164192.168.2.4
                                                        Jan 10, 2025 15:24:21.677558899 CET49741587192.168.2.4185.230.214.164
                                                        Jan 10, 2025 15:24:21.682486057 CET58749741185.230.214.164192.168.2.4
                                                        Jan 10, 2025 15:24:21.868169069 CET58749741185.230.214.164192.168.2.4
                                                        Jan 10, 2025 15:24:21.868482113 CET49741587192.168.2.4185.230.214.164
                                                        Jan 10, 2025 15:24:21.873403072 CET58749741185.230.214.164192.168.2.4
                                                        Jan 10, 2025 15:24:22.060575008 CET58749741185.230.214.164192.168.2.4
                                                        Jan 10, 2025 15:24:22.060939074 CET49741587192.168.2.4185.230.214.164
                                                        Jan 10, 2025 15:24:22.065812111 CET58749741185.230.214.164192.168.2.4
                                                        Jan 10, 2025 15:24:22.251621962 CET58749741185.230.214.164192.168.2.4
                                                        Jan 10, 2025 15:24:22.294898987 CET49741587192.168.2.4185.230.214.164
                                                        Jan 10, 2025 15:24:22.294960022 CET49741587192.168.2.4185.230.214.164
                                                        Jan 10, 2025 15:24:22.299736977 CET58749741185.230.214.164192.168.2.4
                                                        Jan 10, 2025 15:24:22.299859047 CET58749741185.230.214.164192.168.2.4
                                                        Jan 10, 2025 15:24:22.307853937 CET49741587192.168.2.4185.230.214.164
                                                        Jan 10, 2025 15:24:22.307950974 CET49741587192.168.2.4185.230.214.164
                                                        Jan 10, 2025 15:24:22.308114052 CET49741587192.168.2.4185.230.214.164
                                                        Jan 10, 2025 15:24:22.308195114 CET49741587192.168.2.4185.230.214.164
                                                        Jan 10, 2025 15:24:22.308618069 CET49741587192.168.2.4185.230.214.164
                                                        Jan 10, 2025 15:24:22.308634043 CET49741587192.168.2.4185.230.214.164
                                                        Jan 10, 2025 15:24:22.308660030 CET49741587192.168.2.4185.230.214.164
                                                        Jan 10, 2025 15:24:22.312659025 CET58749741185.230.214.164192.168.2.4
                                                        Jan 10, 2025 15:24:22.312762976 CET58749741185.230.214.164192.168.2.4
                                                        Jan 10, 2025 15:24:22.312947989 CET58749741185.230.214.164192.168.2.4
                                                        Jan 10, 2025 15:24:22.312958956 CET58749741185.230.214.164192.168.2.4
                                                        Jan 10, 2025 15:24:22.313050032 CET58749741185.230.214.164192.168.2.4
                                                        Jan 10, 2025 15:24:22.313060045 CET58749741185.230.214.164192.168.2.4
                                                        Jan 10, 2025 15:24:22.313070059 CET58749741185.230.214.164192.168.2.4
                                                        Jan 10, 2025 15:24:22.313472986 CET58749741185.230.214.164192.168.2.4
                                                        Jan 10, 2025 15:24:22.313483000 CET58749741185.230.214.164192.168.2.4
                                                        Jan 10, 2025 15:24:22.313488007 CET58749741185.230.214.164192.168.2.4
                                                        Jan 10, 2025 15:24:22.711782932 CET58749741185.230.214.164192.168.2.4
                                                        Jan 10, 2025 15:24:22.763765097 CET49741587192.168.2.4185.230.214.164
                                                        Jan 10, 2025 15:24:57.566346884 CET8049739208.95.112.1192.168.2.4
                                                        Jan 10, 2025 15:24:57.566507101 CET4973980192.168.2.4208.95.112.1
                                                        Jan 10, 2025 15:25:05.951653957 CET4973980192.168.2.4208.95.112.1
                                                        Jan 10, 2025 15:25:05.956496954 CET8049739208.95.112.1192.168.2.4
                                                        Jan 10, 2025 15:25:55.967291117 CET49741587192.168.2.4185.230.214.164
                                                        Jan 10, 2025 15:25:55.972805977 CET58749741185.230.214.164192.168.2.4
                                                        Jan 10, 2025 15:25:56.158705950 CET58749741185.230.214.164192.168.2.4
                                                        Jan 10, 2025 15:25:56.159200907 CET58749741185.230.214.164192.168.2.4
                                                        Jan 10, 2025 15:25:56.159281015 CET49741587192.168.2.4185.230.214.164
                                                        Jan 10, 2025 15:25:56.159286976 CET58749741185.230.214.164192.168.2.4
                                                        Jan 10, 2025 15:25:56.159334898 CET49741587192.168.2.4185.230.214.164
                                                        Jan 10, 2025 15:25:56.159586906 CET49741587192.168.2.4185.230.214.164
Timestamp  Source Port  Dest Port  Source IP  Dest IP
Jan 10, 2025 15:23:59.214633942 CET  53890  53  192.168.2.4  1.1.1.1
Jan 10, 2025 15:23:59.221663952 CET  53  53890  1.1.1.1  192.168.2.4
Jan 10, 2025 15:24:00.323645115 CET  58959  53  192.168.2.4  1.1.1.1
Jan 10, 2025 15:24:00.332088947 CET  53  58959  1.1.1.1  192.168.2.4
Timestamp  Source IP  Dest IP  Trans ID  OP Code  Name  Type  Class  DNS over HTTPS
Jan 10, 2025 15:23:59.214633942 CET  192.168.2.4  1.1.1.1  0xd893  Standard query (0)  ip-api.com  A (IP address)  IN (0x0001)  false
Jan 10, 2025 15:24:00.323645115 CET  192.168.2.4  1.1.1.1  0x9836  Standard query (0)  smtp.zoho.eu  A (IP address)  IN (0x0001)  false
Timestamp  Source IP  Dest IP  Trans ID  Reply Code  Name  CName  Address  Type  Class  DNS over HTTPS
Jan 10, 2025 15:23:59.221663952 CET  1.1.1.1  192.168.2.4  0xd893  No error (0)  ip-api.com  -  208.95.112.1  A (IP address)  IN (0x0001)  false
Jan 10, 2025 15:24:00.332088947 CET  1.1.1.1  192.168.2.4  0x9836  No error (0)  smtp.zoho.eu  -  185.230.214.164  A (IP address)  IN (0x0001)  false
                                                        • ip-api.com
Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
0  192.168.2.4  49730  208.95.112.1  80  1780  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp  Bytes transferred  Direction  Data
Jan 10, 2025 15:23:59.232948065 CET  80  OUT  GET /line/?fields=hosting HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive
Jan 10, 2025 15:23:59.692951918 CET  175  IN  HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 14:23:58 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 6
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44
Data Raw: 66 61 6c 73 65 0a
Data Ascii: false


Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
1  192.168.2.4  49739  208.95.112.1  80  2208  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp  Bytes transferred  Direction  Data
Jan 10, 2025 15:24:14.901988029 CET  80  OUT  GET /line/?fields=hosting HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive
Jan 10, 2025 15:24:15.393332958 CET  175  IN  HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 14:24:14 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 6
Access-Control-Allow-Origin: *
X-Ttl: 44
X-Rl: 42
Data Raw: 66 61 6c 73 65 0a
Data Ascii: false


Timestamp  Source Port  Dest Port  Source IP  Dest IP  Commands
Jan 10, 2025 15:24:00.941458941 CET  587  49731  185.230.214.164  192.168.2.4  220 mx.zoho.eu SMTP Server ready January 10, 2025 3:24:00 PM CET
Jan 10, 2025 15:24:00.941777945 CET  49731  587  192.168.2.4  185.230.214.164  EHLO 124406
Jan 10, 2025 15:24:01.445034981 CET  587  49731  185.230.214.164  192.168.2.4  250-mx.zoho.eu Hello 124406 (8.46.123.189 (8.46.123.189))
    250-STARTTLS
    250 SIZE 53477376
Jan 10, 2025 15:24:01.446083069 CET  49731  587  192.168.2.4  185.230.214.164  STARTTLS
Jan 10, 2025 15:24:01.637613058 CET  587  49731  185.230.214.164  192.168.2.4  220 Ready to start TLS.
Jan 10, 2025 15:24:05.645159960 CET  587  49732  185.230.214.164  192.168.2.4  220 mx.zoho.eu SMTP Server ready January 10, 2025 3:24:05 PM CET
Jan 10, 2025 15:24:05.652179956 CET  49732  587  192.168.2.4  185.230.214.164  EHLO 124406
Jan 10, 2025 15:24:06.162715912 CET  587  49732  185.230.214.164  192.168.2.4  250-mx.zoho.eu Hello 124406 (8.46.123.189 (8.46.123.189))
    250-STARTTLS
    250 SIZE 53477376
Jan 10, 2025 15:24:06.162971020 CET  49732  587  192.168.2.4  185.230.214.164  STARTTLS
Jan 10, 2025 15:24:06.353768110 CET  587  49732  185.230.214.164  192.168.2.4  220 Ready to start TLS.
Jan 10, 2025 15:24:16.533509970 CET  587  49740  185.230.214.164  192.168.2.4  220 mx.zoho.eu SMTP Server ready January 10, 2025 3:24:16 PM CET
Jan 10, 2025 15:24:16.533780098 CET  49740  587  192.168.2.4  185.230.214.164  EHLO 124406
Jan 10, 2025 15:24:16.953635931 CET  587  49740  185.230.214.164  192.168.2.4  250-mx.zoho.eu Hello 124406 (8.46.123.189 (8.46.123.189))
    250-STARTTLS
    250 SIZE 53477376
Jan 10, 2025 15:24:16.956362009 CET  49740  587  192.168.2.4  185.230.214.164  STARTTLS
Jan 10, 2025 15:24:17.146059036 CET  587  49740  185.230.214.164  192.168.2.4  220 Ready to start TLS.
Jan 10, 2025 15:24:20.213017941 CET  587  49741  185.230.214.164  192.168.2.4  220 mx.zoho.eu SMTP Server ready January 10, 2025 3:24:20 PM CET
Jan 10, 2025 15:24:20.213186979 CET  49741  587  192.168.2.4  185.230.214.164  EHLO 124406
Jan 10, 2025 15:24:20.404273987 CET  587  49741  185.230.214.164  192.168.2.4  250-mx.zoho.eu Hello 124406 (8.46.123.189 (8.46.123.189))
    250-STARTTLS
    250 SIZE 53477376
Jan 10, 2025 15:24:20.404691935 CET  49741  587  192.168.2.4  185.230.214.164  STARTTLS
Jan 10, 2025 15:24:20.595993042 CET  587  49741  185.230.214.164  192.168.2.4  220 Ready to start TLS.
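The three network artefacts on this page (the ip-api.com lookup, RegSvcs.exe as the connecting process, and the four SMTP sessions to smtp.zoho.eu:587) are what a responder would pull out of the capture. The script below is an added triage example, not part of the Joe Sandbox report or of the sample: it re-encodes the HTTP session table, the ip-api.com transcript and the SMTP exchanges above as inline fixtures built from this page's own rows, flags the hosting lookup (this is the "Check if machine is in data center or colocation facility" signature; the server answered `false`), flags RegSvcs.exe as a .NET host binary that has no reason to make outbound connections, and summarises the SMTP submission sessions. The set of .NET host binaries is an assumed list for the example. The caveat the summary carries is worth stating: every session issues STARTTLS before AUTH, so the mailbox credentials and the exfiltrated message are not in this capture; only the EHLO name `124406`, the server banner and the sandbox's public egress address echoed in the Hello line survive.

```python
"""Added triage example over the network section of this report; fixtures below
are constructed from the page's own rows, not captured live."""
import re
from collections import defaultdict

# .NET host binaries commonly hollowed by stealer loaders; assumed list, extend as needed.
NET_LOLBINS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe", "applaunch.exe"}

# HTTP session table: (session, src ip, src port, dst ip, dst port, pid, image)
HTTP_SESSIONS = [
    (0, "192.168.2.4", 49730, "208.95.112.1", 80, 1780,
     r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"),
    (1, "192.168.2.4", 49739, "208.95.112.1", 80, 2208,
     r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"),
]

# The ip-api.com exchange as (direction, line); the body is the report's "Data Ascii" row.
HTTP_TRANSCRIPT = [
    ("OUT", "GET /line/?fields=hosting HTTP/1.1"),
    ("OUT", "Host: ip-api.com"),
    ("OUT", "Connection: Keep-Alive"),
    ("IN", "HTTP/1.1 200 OK"),
    ("IN", "Content-Type: text/plain; charset=utf-8"),
    ("IN", "Content-Length: 6"),
    ("IN", "Data Ascii: false"),
]


def _smtp_session(client_port):
    """One SMTP exchange as (src port, dst port, text); identical for all four sessions."""
    return [
        (587, client_port, "220 mx.zoho.eu SMTP Server ready"),
        (client_port, 587, "EHLO 124406"),
        (587, client_port, "250-mx.zoho.eu Hello 124406 (8.46.123.189 (8.46.123.189))"),
        (587, client_port, "250-STARTTLS"),
        (587, client_port, "250 SIZE 53477376"),
        (client_port, 587, "STARTTLS"),
        (587, client_port, "220 Ready to start TLS."),
    ]


SMTP_LOG = [row for port in (49731, 49732, 49740, 49741) for row in _smtp_session(port)]


def hosting_check(transcript):
    """Return the ip-api.com hosting lookup and the answer it got, or None if absent."""
    path = host = body = None
    for direction, text in transcript:
        m = re.match(r"(?:GET|POST) (\S+) HTTP/1\.[01]$", text)
        if direction == "OUT" and m:
            path = m.group(1)
        elif direction == "OUT" and text.lower().startswith("host:"):
            host = text.split(":", 1)[1].strip()
        elif direction == "IN" and text.startswith("Data Ascii:"):
            body = text.split(":", 1)[1].strip()
    if host == "ip-api.com" and path and "fields=hosting" in path:
        return {"host": host, "path": path, "answer": body}
    return None


def smtp_sessions(log, submission_port=587):
    """Group SMTP rows by client port and keep what is visible before STARTTLS."""
    sessions = defaultdict(lambda: {"server": None, "ehlo": None, "public_ip": None, "starttls": False})
    for sport, dport, text in log:
        client_port = sport if dport == submission_port else dport
        s = sessions[client_port]
        if dport == submission_port:  # client -> server
            if text.upper().startswith(("EHLO ", "HELO ")):
                s["ehlo"] = text.split(None, 1)[1]
            elif text.strip().upper() == "STARTTLS":
                s["starttls"] = True
        else:  # server -> client: banner gives the server name, Hello echoes our public IP
            if text.startswith("220 ") and s["server"] is None:
                s["server"] = text.split()[1]
            m = re.search(r"\((\d{1,3}(?:\.\d{1,3}){3})", text)
            if text.startswith("250-") and m:
                s["public_ip"] = m.group(1)
    return dict(sessions)


def findings(http_sessions, transcript, smtp_log):
    """Findings in the order a triage note would list them."""
    out = []
    hc = hosting_check(transcript)
    if hc:
        out.append(f"sandbox check: GET {hc['host']}{hc['path']} answered {hc['answer']!r}")
    for _, _, _, dst, dport, pid, image in http_sessions:
        name = image.rsplit("\\", 1)[-1].lower()
        if name in NET_LOLBINS:
            out.append(f"{name} (pid {pid}) connected to {dst}:{dport}")
    sessions = smtp_sessions(smtp_log)
    if sessions:
        servers = sorted({s["server"] for s in sessions.values() if s["server"]})
        ehlos = sorted({s["ehlo"] for s in sessions.values() if s["ehlo"]})
        tls = sum(s["starttls"] for s in sessions.values())
        out.append(f"{len(sessions)} SMTP submission sessions to {', '.join(servers)} "
                   f"(EHLO {', '.join(ehlos)}); {tls} upgraded to TLS, so AUTH and "
                   "message bodies are not in the capture")
    return out


if __name__ == "__main__":
    for line in findings(HTTP_SESSIONS, HTTP_TRANSCRIPT, SMTP_LOG):
        print("-", line)
```

The EHLO argument and the fixed destination are the cheap network indicators here; the public IP in the server's Hello line is the sandbox's egress address, not an attacker asset, and should not be blocked.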

                                                        Target ID:0
                                                        Start time:09:23:51
                                                        Start date:10/01/2025
                                                        Path:C:\Users\user\Desktop\CdbVaYf8jC.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Users\user\Desktop\CdbVaYf8jC.exe"
                                                        Imagebase:0x400000
                                                        File size:1'109'981 bytes
                                                        MD5 hash:BE84CFD73EDA412A79EB13FFA896A702
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:low
                                                        Has exited:true

                                                        Target ID:1
                                                        Start time:09:23:54
                                                        Start date:10/01/2025
                                                        Path:C:\Users\user\AppData\Local\Sancerre\deblaterate.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Users\user\Desktop\CdbVaYf8jC.exe"
                                                        Imagebase:0x400000
                                                        File size:1'109'981 bytes
                                                        MD5 hash:BE84CFD73EDA412A79EB13FFA896A702
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.1764009097.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000001.00000002.1764009097.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.1764009097.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000001.00000002.1764009097.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                        Antivirus matches:
                                                        • Detection: 100%, Avira
                                                        • Detection: 100%, Joe Sandbox ML
                                                        • Detection: 83%, ReversingLabs
                                                        Reputation:low
                                                        Has exited:true

                                                        Target ID:2
                                                        Start time:09:23:57
                                                        Start date:10/01/2025
                                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Users\user\Desktop\CdbVaYf8jC.exe"
                                                        Imagebase:0xa70000
                                                        File size:45'984 bytes
                                                        MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.1921920979.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.1921920979.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.1919325909.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.1919325909.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.1921920979.0000000002EDE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.1921920979.0000000002F01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:4
                                                        Start time:09:24:09
                                                        Start date:10/01/2025
                                                        Path:C:\Windows\System32\wscript.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\deblaterate.vbs"
                                                        Imagebase:0x7ff703300000
                                                        File size:170'496 bytes
                                                        MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:5
                                                        Start time:09:24:10
                                                        Start date:10/01/2025
                                                        Path:C:\Users\user\AppData\Local\Sancerre\deblaterate.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Users\user\AppData\Local\Sancerre\deblaterate.exe"
                                                        Imagebase:0x400000
                                                        File size:1'109'981 bytes
                                                        MD5 hash:BE84CFD73EDA412A79EB13FFA896A702
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.1921660369.0000000004350000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000005.00000002.1921660369.0000000004350000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.1921660369.0000000004350000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000005.00000002.1921660369.0000000004350000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                        Reputation:low
                                                        Has exited:true

                                                        Target ID:8
                                                        Start time:09:24:13
                                                        Start date:10/01/2025
                                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Users\user\AppData\Local\Sancerre\deblaterate.exe"
                                                        Imagebase:0x5e0000
                                                        File size:45'984 bytes
                                                        MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.2943524952.000000000289E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.2943524952.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.2943524952.0000000002886000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        Reputation:high
                                                        Has exited:false


                                                          Execution Graph

                                                          Execution Coverage:2.8%
                                                          Dynamic/Decrypted Code Coverage:1.1%
                                                          Signature Coverage:3.3%
                                                          Total number of Nodes:1592
                                                          Total number of Limit Nodes:37
                                                          execution_graph: [interactive call graph rendered by the report viewer; the raw node/edge listing (node ids, function addresses, API names) does not survive as readable text and is omitted here]
__getptd_noexit 84081->84118 84082 41e5cc 84117 417f23 67 API calls __getptd_noexit 84082->84117 84085 41e5f5 84119 417f23 67 API calls __getptd_noexit 84085->84119 84087 41ba3b ___lock_fhandle 68 API calls 84086->84087 84089 41e637 84087->84089 84091 41e652 84089->84091 84092 41e644 84089->84092 84090 41e5fc 84120 417ebb 6 API calls 2 library calls 84090->84120 84121 417f23 67 API calls __getptd_noexit 84091->84121 84101 41e517 84092->84101 84096 41e64c 84122 41e676 LeaveCriticalSection __unlock_fhandle 84096->84122 84097 41e5d4 _fprintf 84097->84067 84099->84058 84123 41b9c4 84101->84123 84103 41e57d 84136 41b93e 68 API calls 2 library calls 84103->84136 84105 41e527 84105->84103 84106 41e55b 84105->84106 84108 41b9c4 __lseeki64_nolock 67 API calls 84105->84108 84106->84103 84109 41b9c4 __lseeki64_nolock 67 API calls 84106->84109 84107 41e585 84110 41e5a7 84107->84110 84137 417f49 67 API calls 3 library calls 84107->84137 84111 41e552 84108->84111 84112 41e567 CloseHandle 84109->84112 84110->84096 84114 41b9c4 __lseeki64_nolock 67 API calls 84111->84114 84112->84103 84115 41e573 GetLastError 84112->84115 84114->84106 84115->84103 84116->84082 84117->84097 84118->84085 84119->84090 84121->84096 84122->84097 84124 41b9d1 84123->84124 84125 41b9e9 84123->84125 84126 417f36 __locking 67 API calls 84124->84126 84128 417f36 __locking 67 API calls 84125->84128 84135 41ba2e 84125->84135 84127 41b9d6 84126->84127 84129 417f23 _fprintf 67 API calls 84127->84129 84130 41ba17 84128->84130 84131 41b9de 84129->84131 84132 417f23 _fprintf 67 API calls 84130->84132 84131->84105 84133 41ba1e 84132->84133 84134 417ebb _fprintf 6 API calls 84133->84134 84134->84135 84135->84105 84136->84107 84137->84110 84139 415126 _fprintf 84138->84139 84140 41516f 84139->84140 84141 415164 _fprintf 84139->84141 84143 41513a _memset 84139->84143 84142 415965 __lock_file 68 API calls 84140->84142 84141->83796 84145 415177 84142->84145 84167 417f23 67 API calls __getptd_noexit 84143->84167 84151 
414f10 84145->84151 84146 415154 84168 417ebb 6 API calls 2 library calls 84146->84168 84152 414f4c 84151->84152 84156 414f2e _memset 84151->84156 84169 4151a6 LeaveCriticalSection LeaveCriticalSection _fprintf 84152->84169 84153 414f37 84220 417f23 67 API calls __getptd_noexit 84153->84220 84155 414f3c 84221 417ebb 6 API calls 2 library calls 84155->84221 84156->84152 84156->84153 84164 414f8b 84156->84164 84159 4150d5 _memset 84224 417f23 67 API calls __getptd_noexit 84159->84224 84160 4150a9 _memset 84223 417f23 67 API calls __getptd_noexit 84160->84223 84161 41453a __fileno 67 API calls 84161->84164 84164->84152 84164->84159 84164->84160 84164->84161 84170 41ed9e 84164->84170 84200 41e6b1 84164->84200 84222 41ee9b 67 API calls 3 library calls 84164->84222 84167->84146 84169->84141 84171 41edaa _fprintf 84170->84171 84172 41edb2 84171->84172 84173 41edcd 84171->84173 84294 417f36 67 API calls __getptd_noexit 84172->84294 84175 41eddb 84173->84175 84178 41ee1c 84173->84178 84296 417f36 67 API calls __getptd_noexit 84175->84296 84176 41edb7 84295 417f23 67 API calls __getptd_noexit 84176->84295 84181 41ee29 84178->84181 84182 41ee3d 84178->84182 84180 41ede0 84297 417f23 67 API calls __getptd_noexit 84180->84297 84299 417f36 67 API calls __getptd_noexit 84181->84299 84185 41ba3b ___lock_fhandle 68 API calls 84182->84185 84188 41ee43 84185->84188 84186 41ede7 84298 417ebb 6 API calls 2 library calls 84186->84298 84187 41ee2e 84300 417f23 67 API calls __getptd_noexit 84187->84300 84191 41ee50 84188->84191 84192 41ee66 84188->84192 84190 41edbf _fprintf 84190->84164 84225 41e7dc 84191->84225 84301 417f23 67 API calls __getptd_noexit 84192->84301 84196 41ee6b 84302 417f36 67 API calls __getptd_noexit 84196->84302 84197 41ee5e 84303 41ee91 LeaveCriticalSection __unlock_fhandle 84197->84303 84201 41e6c1 84200->84201 84205 41e6de 84200->84205 84307 417f23 67 API calls __getptd_noexit 84201->84307 84203 41e6c6 84308 417ebb 6 API calls 2 library calls 84203->84308 84206 
41e713 84205->84206 84212 41e6d6 84205->84212 84304 423600 84205->84304 84208 41453a __fileno 67 API calls 84206->84208 84209 41e727 84208->84209 84210 41ed9e __read 79 API calls 84209->84210 84211 41e72e 84210->84211 84211->84212 84213 41453a __fileno 67 API calls 84211->84213 84212->84164 84214 41e751 84213->84214 84214->84212 84215 41453a __fileno 67 API calls 84214->84215 84216 41e75d 84215->84216 84216->84212 84217 41453a __fileno 67 API calls 84216->84217 84218 41e769 84217->84218 84219 41453a __fileno 67 API calls 84218->84219 84219->84212 84220->84155 84222->84164 84223->84155 84224->84155 84226 41e813 84225->84226 84227 41e7f8 84225->84227 84228 41e822 84226->84228 84230 41e849 84226->84230 84229 417f36 __locking 67 API calls 84227->84229 84231 417f36 __locking 67 API calls 84228->84231 84232 41e7fd 84229->84232 84234 41e868 84230->84234 84245 41e87c 84230->84245 84233 41e827 84231->84233 84235 417f23 _fprintf 67 API calls 84232->84235 84237 417f23 _fprintf 67 API calls 84233->84237 84238 417f36 __locking 67 API calls 84234->84238 84246 41e805 84235->84246 84236 41e8d4 84240 417f36 __locking 67 API calls 84236->84240 84239 41e82e 84237->84239 84241 41e86d 84238->84241 84242 417ebb _fprintf 6 API calls 84239->84242 84243 41e8d9 84240->84243 84244 417f23 _fprintf 67 API calls 84241->84244 84242->84246 84247 417f23 _fprintf 67 API calls 84243->84247 84248 41e874 84244->84248 84245->84236 84245->84246 84249 41e8b0 84245->84249 84251 41e8f5 84245->84251 84246->84197 84247->84248 84250 417ebb _fprintf 6 API calls 84248->84250 84249->84236 84254 41e8bb ReadFile 84249->84254 84250->84246 84253 416fb6 __malloc_crt 67 API calls 84251->84253 84255 41e90b 84253->84255 84256 41ed62 GetLastError 84254->84256 84257 41e9e7 84254->84257 84260 41e931 84255->84260 84261 41e913 84255->84261 84258 41ebe8 84256->84258 84259 41ed6f 84256->84259 84257->84256 84264 41e9fb 84257->84264 84268 417f49 __dosmaperr 67 API calls 84258->84268 84273 41eb6d 84258->84273 84262 417f23 
_fprintf 67 API calls 84259->84262 84265 423462 __lseeki64_nolock 69 API calls 84260->84265 84263 417f23 _fprintf 67 API calls 84261->84263 84266 41ed74 84262->84266 84267 41e918 84263->84267 84264->84273 84274 41ea17 84264->84274 84277 41ec2d 84264->84277 84269 41e93d 84265->84269 84270 417f36 __locking 67 API calls 84266->84270 84271 417f36 __locking 67 API calls 84267->84271 84268->84273 84269->84254 84270->84273 84271->84246 84272 413a88 ___convertcp 67 API calls 84272->84246 84273->84246 84273->84272 84275 41ea7d ReadFile 84274->84275 84282 41eafa 84274->84282 84280 41ea9b GetLastError 84275->84280 84285 41eaa5 84275->84285 84276 41eca5 ReadFile 84278 41ecc4 GetLastError 84276->84278 84286 41ecce 84276->84286 84277->84273 84277->84276 84278->84277 84278->84286 84279 41ebbe MultiByteToWideChar 84279->84273 84281 41ebe2 GetLastError 84279->84281 84280->84274 84280->84285 84281->84258 84282->84273 84283 41eb75 84282->84283 84284 41eb68 84282->84284 84290 41eb32 84282->84290 84283->84290 84291 41ebac 84283->84291 84287 417f23 _fprintf 67 API calls 84284->84287 84285->84274 84288 423462 __lseeki64_nolock 69 API calls 84285->84288 84286->84277 84289 423462 __lseeki64_nolock 69 API calls 84286->84289 84287->84273 84288->84285 84289->84286 84290->84279 84292 423462 __lseeki64_nolock 69 API calls 84291->84292 84293 41ebbb 84292->84293 84293->84279 84294->84176 84295->84190 84296->84180 84297->84186 84299->84187 84300->84186 84301->84196 84302->84197 84303->84190 84305 416fb6 __malloc_crt 67 API calls 84304->84305 84306 423615 84305->84306 84306->84206 84307->84203 84312 414cef GetSystemTimeAsFileTime __aulldiv 84309->84312 84311 4431ef 84311->83799 84312->84311 84313->83806 84315->83812 84317 4523e1 _wcscpy 84316->84317 84318 4151b0 81 API calls __fread_nolock 84317->84318 84319 44afdc GetSystemTimeAsFileTime 84317->84319 84320 452553 84317->84320 84321 41557c 105 API calls _fseek 84317->84321 84318->84317 84319->84317 84320->83721 84320->83722 84321->84317 84323 
44b1a6 84322->84323 84325 44b1b4 84322->84325 84324 414e06 138 API calls 84323->84324 84324->84325 84326 44b1ca 84325->84326 84327 414e06 138 API calls 84325->84327 84328 44b1c2 84325->84328 84357 4352d1 81 API calls 2 library calls 84326->84357 84329 44b2c1 84327->84329 84328->83748 84329->84326 84331 44b2cf 84329->84331 84333 44b2dc 84331->84333 84337 414e94 __fcloseall 106 API calls 84331->84337 84332 44b20d 84334 44b211 84332->84334 84335 44b23b 84332->84335 84333->83748 84336 44b21e 84334->84336 84339 414e94 __fcloseall 106 API calls 84334->84339 84358 43526e 84335->84358 84340 44b22e 84336->84340 84342 414e94 __fcloseall 106 API calls 84336->84342 84337->84333 84339->84336 84340->83748 84341 44b242 84343 44b270 84341->84343 84344 44b248 84341->84344 84342->84340 84368 44b0af 111 API calls 84343->84368 84346 44b255 84344->84346 84349 414e94 __fcloseall 106 API calls 84344->84349 84347 44b265 84346->84347 84350 414e94 __fcloseall 106 API calls 84346->84350 84347->83748 84348 44b276 84369 43522c 84348->84369 84349->84346 84350->84347 84353 44b289 84355 44b299 84353->84355 84356 414e94 __fcloseall 106 API calls 84353->84356 84354 414e94 __fcloseall 106 API calls 84354->84353 84355->83748 84356->84355 84357->84332 84359 4138ba _malloc 67 API calls 84358->84359 84360 43527d 84359->84360 84361 4138ba _malloc 67 API calls 84360->84361 84362 43528d 84361->84362 84363 4138ba _malloc 67 API calls 84362->84363 84364 43529d 84363->84364 84365 43522c 67 API calls 84364->84365 84366 4352bc 84364->84366 84367 4352c8 84365->84367 84366->84341 84367->84341 84368->84348 84370 435241 84369->84370 84371 43523b 84369->84371 84373 413a88 ___convertcp 67 API calls 84370->84373 84374 435254 84370->84374 84372 413a88 ___convertcp 67 API calls 84371->84372 84372->84370 84373->84374 84375 435267 84374->84375 84376 413a88 ___convertcp 67 API calls 84374->84376 84375->84353 84375->84354 84376->84375 84377->83627 84379 410148 SHGetDesktopFolder 84378->84379 84380 4101a3 _wcscpy 
84378->84380 84379->84380 84381 41015a _wcscpy 84379->84381 84380->83631 84381->84380 84382 41018a SHGetPathFromIDListW 84381->84382 84382->84380 84383->83633 84385 40f5e0 152 API calls 84384->84385 84386 40f417 84385->84386 84387 42ca37 84386->84387 84389 40f42c 84386->84389 84390 42ca1f 84386->84390 84388 452574 140 API calls 84387->84388 84391 42ca50 84388->84391 84422 4037e0 139 API calls 7 library calls 84389->84422 84423 43717f 110 API calls _printf 84390->84423 84394 42ca76 84391->84394 84395 42ca54 84391->84395 84399 41171a 75 API calls 84394->84399 84398 434fe1 106 API calls 84395->84398 84396 40f446 84396->83629 84397 42ca2d 84397->84387 84400 42ca5e 84398->84400 84409 42cacc ctype 84399->84409 84424 43717f 110 API calls _printf 84400->84424 84402 42ca6c 84402->84394 84403 42ccc3 84404 413a88 ___convertcp 67 API calls 84403->84404 84405 42cccd 84404->84405 84406 434fe1 106 API calls 84405->84406 84407 42ccda 84406->84407 84409->84403 84412 401b70 75 API calls 84409->84412 84415 402cc0 75 API calls 2 library calls 84409->84415 84416 4026a0 84409->84416 84425 445051 75 API calls _realloc 84409->84425 84426 44c80c 87 API calls 3 library calls 84409->84426 84427 44b408 75 API calls 84409->84427 84412->84409 84415->84409 84417 4026af 84416->84417 84419 40276b 84416->84419 84418 41171a 75 API calls 84417->84418 84417->84419 84420 4026ee ctype 84417->84420 84418->84420 84419->84409 84420->84419 84421 41171a 75 API calls 84420->84421 84421->84420 84422->84396 84423->84397 84424->84402 84425->84409 84426->84409 84427->84409 84428->83641 84429->83640 84430 40e2428 84444 40e0048 84430->84444 84432 40e24dd 84447 40e2318 84432->84447 84434 40e2506 CreateFileW 84436 40e255a 84434->84436 84437 40e2555 84434->84437 84436->84437 84438 40e2571 VirtualAlloc 84436->84438 84438->84437 84439 40e2592 ReadFile 84438->84439 84439->84437 84440 40e25ad 84439->84440 84441 40e10b8 12 API calls 84440->84441 84442 40e25c7 84441->84442 84443 40e1318 GetPEB GetPEB 84442->84443 
84443->84437 84446 40e06d3 84444->84446 84450 40e3528 GetPEB 84444->84450 84446->84432 84448 40e2321 Sleep 84447->84448 84449 40e232f 84448->84449 84450->84446 84451 444343 84454 444326 84451->84454 84453 44434e WriteFile 84455 444340 84454->84455 84456 4442c7 84454->84456 84455->84453 84461 40e190 SetFilePointerEx 84456->84461 84458 4442e0 SetFilePointerEx 84462 40e190 SetFilePointerEx 84458->84462 84460 4442ff 84460->84453 84461->84458 84462->84460 84463 46d22f 84466 46d098 84463->84466 84465 46d241 84467 46d0b5 84466->84467 84468 46d115 84467->84468 84469 46d0b9 84467->84469 84517 45c216 78 API calls 84468->84517 84471 41171a 75 API calls 84469->84471 84473 46d0c0 84471->84473 84472 46d126 84475 46d0f8 84472->84475 84481 46d142 84472->84481 84474 46d0cc 84473->84474 84510 40d940 76 API calls 84473->84510 84511 453063 84474->84511 84477 4092c0 VariantClear 84475->84477 84479 46d0fd 84477->84479 84479->84465 84482 46d1c8 84481->84482 84485 46d158 84481->84485 84523 4676a3 78 API calls 84482->84523 84488 453063 111 API calls 84485->84488 84486 46d0ea 84486->84481 84489 46d0ee 84486->84489 84487 46d1ce 84524 4444c2 SetFilePointerEx SetFilePointerEx WriteFile 84487->84524 84497 46d15e 84488->84497 84489->84475 84516 44ade5 CloseHandle ctype 84489->84516 84490 46d18d 84518 467fce 82 API calls 84490->84518 84494 46d196 84519 4013a0 75 API calls 84494->84519 84495 46d1e7 84499 4092c0 VariantClear 84495->84499 84502 46d194 84495->84502 84497->84490 84497->84494 84498 46d1a2 84520 40df50 75 API calls 84498->84520 84499->84502 84501 46d1ac 84521 40d3b0 75 API calls 2 library calls 84501->84521 84504 46d224 84502->84504 84506 40d900 CloseHandle 84502->84506 84504->84465 84505 46d1b8 84522 467fce 82 API calls 84505->84522 84508 46d216 84506->84508 84525 44ade5 CloseHandle ctype 84508->84525 84510->84474 84512 45306e 84511->84512 84513 45307a 84511->84513 84512->84513 84526 452e2a 111 API calls 5 library calls 84512->84526 84515 40dfa0 83 API calls 84513->84515 84515->84486 
84516->84475 84517->84472 84518->84502 84519->84498 84520->84501 84521->84505 84522->84502 84523->84487 84524->84495 84525->84504 84526->84513 84527 40116e 84528 401119 DefWindowProcW 84527->84528 84529 40f110 RegOpenKeyExW 84530 40f13c RegQueryValueExW RegCloseKey 84529->84530 84531 40f15f 84529->84531 84530->84531 84532 429212 84537 410b90 84532->84537 84535 411421 __cinit 74 API calls 84536 42922f 84535->84536 84538 410b9a __write_nolock 84537->84538 84539 41171a 75 API calls 84538->84539 84540 410c31 GetModuleFileNameW 84539->84540 84554 413db0 84540->84554 84542 410c66 _wcsncat 84557 413e3c 84542->84557 84545 41171a 75 API calls 84546 410ca3 _wcscpy 84545->84546 84547 410cd1 RegOpenKeyExW 84546->84547 84548 429bc3 RegQueryValueExW 84547->84548 84549 410cf7 84547->84549 84550 429cd9 RegCloseKey 84548->84550 84551 429bf2 _wcscat _wcslen _wcsncpy 84548->84551 84549->84535 84552 41171a 75 API calls 84551->84552 84553 429cd8 84551->84553 84552->84551 84553->84550 84560 413b95 84554->84560 84590 41abec 84557->84590 84561 413c2f 84560->84561 84567 413bae 84560->84567 84562 413d60 84561->84562 84563 413d7b 84561->84563 84586 417f23 67 API calls __getptd_noexit 84562->84586 84588 417f23 67 API calls __getptd_noexit 84563->84588 84566 413d65 84571 413cfb 84566->84571 84587 417ebb 6 API calls 2 library calls 84566->84587 84567->84561 84576 413c1d 84567->84576 84582 41ab19 67 API calls _fprintf 84567->84582 84570 413d03 84570->84561 84570->84571 84573 413d8e 84570->84573 84571->84542 84572 413cb9 84572->84561 84574 413cd6 84572->84574 84584 41ab19 67 API calls _fprintf 84572->84584 84589 41ab19 67 API calls _fprintf 84573->84589 84574->84561 84574->84571 84577 413cef 84574->84577 84576->84561 84581 413c9b 84576->84581 84583 41ab19 67 API calls _fprintf 84576->84583 84585 41ab19 67 API calls _fprintf 84577->84585 84581->84570 84581->84572 84582->84576 84583->84581 84584->84574 84585->84571 84586->84566 84588->84566 84589->84571 84591 41ac02 84590->84591 84592 41abfd 
84590->84592 84599 417f23 67 API calls __getptd_noexit 84591->84599 84592->84591 84598 41ac22 84592->84598 84596 410c99 84596->84545 84597 41ac07 84600 417ebb 6 API calls 2 library calls 84597->84600 84598->84596 84601 417f23 67 API calls __getptd_noexit 84598->84601 84599->84597 84601->84597 84602 401230 84603 401241 _memset 84602->84603 84604 4012c5 84602->84604 84617 401be0 84603->84617 84606 40126b 84607 4012ae KillTimer SetTimer 84606->84607 84608 42aa61 84606->84608 84609 401298 84606->84609 84607->84604 84612 42aa8b Shell_NotifyIconW 84608->84612 84613 42aa69 Shell_NotifyIconW 84608->84613 84610 4012a2 84609->84610 84611 42aaac 84609->84611 84610->84607 84616 42aaf8 Shell_NotifyIconW 84610->84616 84614 42aad7 Shell_NotifyIconW 84611->84614 84615 42aab5 Shell_NotifyIconW 84611->84615 84612->84607 84613->84607 84614->84607 84615->84607 84616->84607 84618 401bfb 84617->84618 84638 401cde 84617->84638 84639 4013a0 75 API calls 84618->84639 84620 401c0b 84621 42a9a0 LoadStringW 84620->84621 84622 401c18 84620->84622 84624 42a9bb 84621->84624 84640 4021e0 84622->84640 84653 40df50 75 API calls 84624->84653 84625 401c2d 84627 401c3a 84625->84627 84628 42a9cd 84625->84628 84627->84624 84629 401c44 84627->84629 84654 40d3b0 75 API calls 2 library calls 84628->84654 84652 40d3b0 75 API calls 2 library calls 84629->84652 84632 42a9dc 84633 42a9f0 84632->84633 84635 401c53 _memset _wcscpy _wcsncpy 84632->84635 84655 40d3b0 75 API calls 2 library calls 84633->84655 84637 401cc2 Shell_NotifyIconW 84635->84637 84636 42a9fe 84637->84638 84638->84606 84639->84620 84641 4021f1 _wcslen 84640->84641 84642 42a598 84640->84642 84645 402205 84641->84645 84646 402226 84641->84646 84658 40c740 84642->84658 84644 42a5a2 84656 404020 75 API calls ctype 84645->84656 84657 401380 75 API calls 84646->84657 84649 40222d 84649->84644 84651 41171a 75 API calls 84649->84651 84650 40220c _realloc 84650->84625 84651->84650 84652->84635 84653->84635 84654->84632 84655->84636 84656->84650 
84657->84649 84659 40c752 84658->84659 84660 40c747 84658->84660 84659->84644 84660->84659 84663 402ae0 75 API calls _realloc 84660->84663 84662 42a572 _realloc 84662->84644 84663->84662 84664 4034b0 84665 4034b9 84664->84665 84666 4034bd 84664->84666 84667 42a0ba 84666->84667 84668 41171a 75 API calls 84666->84668 84669 4034fe _realloc ctype 84668->84669 84670 431914 84671 431920 84670->84671 84672 431928 84671->84672 84673 43193d 84671->84673 84934 45e62e 116 API calls 3 library calls 84672->84934 84935 47f2b4 174 API calls 84673->84935 84676 43194a 84711 4095b0 ctype 84676->84711 84936 45e62e 116 API calls 3 library calls 84676->84936 84677 409708 84680 4097af 84680->84677 84921 40d590 VariantClear 84680->84921 84682 4315b8 WaitForSingleObject 84684 4315d6 GetExitCodeProcess CloseHandle 84682->84684 84682->84711 84683 431623 Sleep 84686 43163b timeGetTime 84683->84686 84707 409894 84683->84707 84925 40d590 VariantClear 84684->84925 84686->84707 84690 40986e Sleep 84692 409880 timeGetTime 84690->84692 84690->84707 84692->84707 84693 4098f1 TranslateMessage DispatchMessageW 84693->84711 84694 431673 CloseHandle 84694->84707 84695 43170c GetExitCodeProcess CloseHandle 84695->84707 84696 40d590 VariantClear 84696->84707 84697 46dd22 133 API calls 84697->84707 84699 46e641 134 API calls 84699->84707 84702 431781 Sleep 84702->84711 84707->84694 84707->84695 84707->84696 84707->84697 84707->84699 84707->84702 84707->84711 84713 4092c0 VariantClear 84707->84713 84922 447e59 75 API calls 84707->84922 84923 453b07 77 API calls 84707->84923 84924 4646a2 76 API calls 84707->84924 84926 444233 88 API calls _wcslen 84707->84926 84927 457509 VariantClear 84707->84927 84928 404120 84707->84928 84932 4717e3 VariantClear 84707->84932 84933 436272 6 API calls 84707->84933 84710 4092c0 VariantClear 84710->84711 84711->84677 84711->84680 84711->84682 84711->84683 84711->84690 84711->84693 84711->84707 84711->84710 84712 4319c9 VariantClear 84711->84712 84714 45e62e 116 API calls 
84711->84714 84716 40b380 84711->84716 84740 409340 84711->84740 84773 409030 84711->84773 84787 40d300 84711->84787 84792 40d320 84711->84792 84798 409a40 84711->84798 84937 40e380 VariantClear ctype 84711->84937 84712->84711 84713->84707 84714->84711 84717 40b3a5 84716->84717 84718 40b53d 84716->84718 84721 40b3b6 84717->84721 84722 430a99 84717->84722 84938 45e62e 116 API calls 3 library calls 84718->84938 84723 430aae 84721->84723 84728 40b3f2 84721->84728 84739 40b4fd ctype 84721->84739 84939 45e62e 116 API calls 3 library calls 84722->84939 84727 4092c0 VariantClear 84723->84727 84724 40b528 84724->84711 84726 430dc9 84726->84726 84727->84724 84729 40b429 84728->84729 84731 430ae9 VariantClear 84728->84731 84732 40b476 ctype 84728->84732 84737 40b43b ctype 84729->84737 84940 40e380 VariantClear ctype 84729->84940 84730 40b4eb 84730->84739 84941 40e380 VariantClear ctype 84730->84941 84731->84737 84732->84730 84734 430d08 ctype 84732->84734 84733 430d41 VariantClear 84733->84739 84734->84733 84734->84739 84737->84732 84738 41171a 75 API calls 84737->84738 84738->84732 84739->84724 84942 45e62e 116 API calls 3 library calls 84739->84942 84741 409386 84740->84741 84766 409395 84740->84766 84943 4042f0 75 API calls __cinit 84741->84943 84744 42fba9 84947 45e62e 116 API calls 3 library calls 84744->84947 84746 42fc07 84949 45e62e 116 API calls 3 library calls 84746->84949 84748 42fc85 84951 4781ae 140 API calls 84748->84951 84750 42fcd8 84953 47f2b4 174 API calls 84750->84953 84752 42fd4f 84754 4092c0 VariantClear 84752->84754 84772 409484 ctype 84754->84772 84755 42fc9c 84755->84772 84952 45e62e 116 API calls 3 library calls 84755->84952 84756 42fd39 84955 45e62e 116 API calls 3 library calls 84756->84955 84758 42fce9 84758->84772 84954 45e62e 116 API calls 3 library calls 84758->84954 84759 40946f 84944 409210 VariantClear 84759->84944 84762 40947b 84767 4092c0 VariantClear 84762->84767 84764 4094c1 84764->84772 84945 404260 76 API calls 84764->84945 
84766->84744 84766->84746 84766->84748 84766->84750 84766->84752 84766->84756 84766->84759 84766->84762 84766->84764 84768 4092c0 VariantClear 84766->84768 84766->84772 84946 453155 75 API calls 84766->84946 84948 40c620 118 API calls 84766->84948 84950 45e62e 116 API calls 3 library calls 84766->84950 84767->84772 84768->84766 84770 4094e1 84771 4092c0 VariantClear 84770->84771 84771->84772 84772->84711 84956 409110 117 API calls 84773->84956 84775 42ceb6 84966 410ae0 VariantClear ctype 84775->84966 84777 40906e 84777->84775 84779 42cea9 84777->84779 84781 4090a4 84777->84781 84778 42cebf 84965 45e62e 116 API calls 3 library calls 84779->84965 84957 404160 84781->84957 84784 4090f0 ctype 84784->84711 84785 4092c0 VariantClear 84786 4090be ctype 84785->84786 84786->84784 84786->84785 84788 4292e3 84787->84788 84789 40d30c 84787->84789 84790 429323 84788->84790 84791 4292fd TranslateAcceleratorW 84788->84791 84789->84711 84790->84711 84791->84789 84793 4296d0 84792->84793 84796 40d32f 84792->84796 84793->84711 84794 40d33c 84794->84711 84795 42972a IsDialogMessageW 84795->84794 84795->84796 84796->84794 84796->84795 85101 4340ec GetClassLongW 84796->85101 84799 409a66 _wcslen 84798->84799 84800 41171a 75 API calls 84799->84800 84860 40aade _realloc ctype 84799->84860 84801 409a9c _realloc 84800->84801 84803 41171a 75 API calls 84801->84803 84805 409abd 84803->84805 84804 42cee9 84807 41171a 75 API calls 84804->84807 84806 409aeb CharUpperBuffW 84805->84806 84810 409b09 ctype 84805->84810 84805->84860 84806->84810 84816 42cf10 _realloc 84807->84816 84845 409b88 ctype 84810->84845 85104 47d10e 150 API calls 84810->85104 84811 42dbb9 84812 4092c0 VariantClear 84811->84812 84813 42e5e0 84812->84813 85136 410ae0 VariantClear ctype 84813->85136 84815 42e5f2 85135 45e62e 116 API calls 3 library calls 84816->85135 84817 409e4a 84817->84816 84819 41171a 75 API calls 84817->84819 84823 409ea4 84817->84823 84818 40aa5b 84820 41171a 75 API calls 84818->84820 84819->84823 84836 
40aa81 _realloc ctype 84820->84836 84821 409ed0 84825 42d50d 84821->84825 84887 409ef8 _realloc ctype 84821->84887 85114 40b800 VariantClear VariantClear ctype 84821->85114 84823->84821 84824 41171a 75 API calls 84823->84824 84826 42d480 84824->84826 84831 42d527 84825->84831 85115 40b800 VariantClear VariantClear ctype 84825->85115 84830 42d491 84826->84830 85110 44b3f6 75 API calls 84826->85110 84827 42d195 VariantClear 84827->84845 84828 40a3a7 84833 40a415 84828->84833 84882 42db5c 84828->84882 85111 40df50 75 API calls 84830->85111 84831->84887 85116 40e2e0 VariantClear ctype 84831->85116 84838 41171a 75 API calls 84833->84838 84834 4092c0 VariantClear 84834->84845 84844 41171a 75 API calls 84836->84844 84856 40a41c 84838->84856 84841 41171a 75 API calls 84841->84845 84844->84860 84845->84811 84845->84816 84845->84817 84845->84818 84845->84827 84845->84834 84845->84836 84845->84841 84850 42d128 84845->84850 84853 42d20c 84845->84853 85105 40c3e0 75 API calls 84845->85105 85106 40c620 118 API calls 84845->85106 85108 40be00 75 API calls 2 library calls 84845->85108 85109 40e380 VariantClear ctype 84845->85109 84846 42d4a6 85112 4530b3 75 API calls 84846->85112 84848 42db96 85122 45e62e 116 API calls 3 library calls 84848->85122 84852 4092c0 VariantClear 84850->84852 84851 42d4d7 85113 4530b3 75 API calls 84851->85113 84858 42d131 84852->84858 84853->84711 84868 40a481 84856->84868 85123 40c8a0 VariantClear ctype 84856->85123 85107 410ae0 VariantClear ctype 84858->85107 85103 401380 75 API calls 84860->85103 84862 41171a 75 API calls 84862->84887 84863 402cc0 75 API calls 84863->84887 84864 44b3f6 75 API calls 84864->84887 84866 4092c0 VariantClear 84892 40a534 _realloc ctype 84866->84892 84867 411421 74 API calls __cinit 84867->84887 84869 40a4ed 84868->84869 84870 42dc1e VariantClear 84868->84870 84868->84892 84874 40a4ff ctype 84869->84874 85124 40e380 VariantClear ctype 84869->85124 84870->84874 84873 41171a 75 API calls 84873->84892 84874->84873 
84874->84892 84878 42deb6 VariantClear 84878->84892 84879 40a73c 84881 42e237 84879->84881 84889 40a76b 84879->84889 84880 40e380 VariantClear 84880->84892 85128 46e709 VariantClear VariantClear ctype 84881->85128 85121 4721e5 VariantClear 84882->85121 84883 42df47 VariantClear 84883->84892 84884 42dfe9 VariantClear 84884->84892 84885 40a7a2 84898 40a7ad ctype 84885->84898 85129 40b800 VariantClear VariantClear ctype 84885->85129 84887->84828 84887->84848 84887->84860 84887->84862 84887->84863 84887->84864 84887->84867 84887->84882 84888 40a053 84887->84888 85117 45ee98 75 API calls 84887->85117 85118 4019e0 76 API calls 84887->85118 85119 404260 76 API calls 84887->85119 85120 409210 VariantClear 84887->85120 84888->84711 84889->84885 84912 40a800 ctype 84889->84912 85102 40b800 VariantClear VariantClear ctype 84889->85102 84892->84866 84892->84878 84892->84879 84892->84880 84892->84881 84892->84883 84892->84884 84895 41171a 75 API calls 84892->84895 84899 41171a 75 API calls 84892->84899 85125 46e9cd 75 API calls 84892->85125 85126 409210 VariantClear 84892->85126 85127 44cc6c VariantClear ctype 84892->85127 84893 40a8b0 84908 40a8c2 ctype 84893->84908 85131 40e380 VariantClear ctype 84893->85131 84894 42e312 84896 42e337 VariantClear 84894->84896 84894->84908 84897 42dd10 VariantInit VariantCopy 84895->84897 84896->84908 84897->84892 84903 42dd30 VariantClear 84897->84903 84900 40a7ee 84898->84900 84904 42e2a7 VariantClear 84898->84904 84898->84912 84899->84892 84900->84912 85130 40e380 VariantClear ctype 84900->85130 84902 42e3b2 84907 42e3da VariantClear 84902->84907 84913 40a91a ctype 84902->84913 84903->84892 84904->84912 84905 40a908 84905->84913 85132 40e380 VariantClear ctype 84905->85132 84907->84913 84908->84902 84908->84905 84910 42e47f 84915 42e4a3 VariantClear 84910->84915 84920 40a957 ctype 84910->84920 84912->84893 84912->84894 84913->84910 84914 40a945 84913->84914 84914->84920 85133 40e380 VariantClear ctype 84914->85133 84915->84920 84917 40aa22 
Graph edge list (the rendered graph is not reproduced here; only the API-bearing nodes recovered from the edges are kept, grouped by the path they lie on):
• 4734b7, calling in turn 463c42, 463d7e, 457838 and 410d40: the 463d7e helper pairs LoadLibraryW (463dd0) with three GetProcAddress calls (463e62, 463e82, 463ec8) and a FreeLibrary (463eef); 410d40 calls VirtualProtect (410ded); the tail at 4736ba calls GetCurrentProcess then TerminateProcess, and 473744 calls FreeLibrary. CRT helpers on this path: 462f5a (__wcsicoll), 4608ce and 403470 (_realloc), 4138ba (_malloc), 457838 (_strcat, _wcslen, _wcscpy), 442c52 (_wcslen).
• 40efe0 and 4299c4: CreateFileW, followed by two SetFilePointerEx calls in 40e0d0.
• 42919b, via 40ef10, reaching 40e470: GetVersionExW (40e483), then the LoadLibraryA + GetProcAddress wrappers 40ee70 (40ee76, 40ee87), 40ee30, 40eee0 (40eee6, 40eef7) and 40eea0 (through 40eec0), GetCurrentProcess (40e557), GetNativeSystemInfo (40e5d3), GetSystemInfo (42ad28, 42ad38) and FreeLibrary (40e5dd, 40e5f1); 411421 and 40ef40 are __cinit paths. This is the function whose own Control-flow Graph is listed further down this page.
• 42e89e, via 40c000, reaching 409a40 (165 API calls) and 44b92e (VariantClear); VariantClear is also called at 4092c0, 409210, 40e380, 404120 and 42e559.
                                                          APIs
                                                          • _wcslen.LIBCMT ref: 00409A61
                                                            • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                                                            • Part of subcall function 0041171A: std::bad_alloc::bad_alloc.LIBCMT ref: 00411757
                                                            • Part of subcall function 0041171A: std::bad_exception::bad_exception.LIBCMT ref: 0041176B
                                                            • Part of subcall function 0041171A: __CxxThrowException@8.LIBCMT ref: 00411779
                                                          • CharUpperBuffW.USER32(?,?), ref: 00409AF5
Memory Dump Source
• Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: BuffCharException@8ThrowUpper_malloc_wcslenstd::bad_alloc::bad_allocstd::bad_exception::bad_exception
                                                          • String ID: 0vH$4RH
                                                          • API String ID: 1143807570-2085553193
                                                          • Opcode ID: 46287a7bb28814e7acc9e24331a329a483cab8fdfa0313037193f1b97064f243
                                                          • Instruction ID: 7c8f52bff4b3ea9a641e6aac08ab5e1c8beb32691f0f21fab5f23224d73a3634
                                                          • Opcode Fuzzy Hash: 46287a7bb28814e7acc9e24331a329a483cab8fdfa0313037193f1b97064f243
                                                          • Instruction Fuzzy Hash: 34238170A043109FD724DF25D480A6BB7E1BF89304F54896EE84A9B391D739EC46CB9B

Control-flow Graph for the function at 40e470 (rendered graph not reproduced; basic blocks recovered from the graph data, with the calls they contain). The function's code is split between 40e470-40e5ff and a cold part at 42ac9b-42ad3d.
• 40e470-40e500: call 40c060, GetVersionExW, call 4021e0, call 40e600, call 40e620
• 40e540-40e555: call 40ee70
• 40e557-40e573: GetCurrentProcess, call 40ee30
• 40e5ae-40e5c3: call 40eee0
• 40e5c9-40e5db: call 40eea0, GetNativeSystemInfo
• 40e5dd-40e5de: FreeLibrary
• 40e5f1-40e5f2: FreeLibrary
• 42ad28-42ad2d: GetSystemInfo
• 42ad38-42ad3d: GetSystemInfo
• the remaining blocks (40e506-40e53d, 40e575-40e5a8, 40e5e0-40e5ff, 42ac9b-42ad20) contain no calls.
The helpers 40ee30, 40ee70, 40eea0 and 40eee0 each wrap a LoadLibraryA + GetProcAddress pair (see the graph edge list above), so the export names being resolved do not appear in this listing. The branches that bypass the GetNativeSystemInfo block (from 40e579 and from 40e5ae) lead to the two GetSystemInfo blocks instead.
                                                          APIs
                                                          • GetVersionExW.KERNEL32 ref: 0040E495
                                                            • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                                                          • GetCurrentProcess.KERNEL32(?,?), ref: 0040E560
                                                          • GetNativeSystemInfo.KERNELBASE(?,?), ref: 0040E5D3
                                                          • FreeLibrary.KERNEL32(?), ref: 0040E5DE
                                                          • FreeLibrary.KERNEL32(?), ref: 0040E5F2
Memory Dump Source / Joe Sandbox IDA Plugin: same source dump (00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, offset 00400000), associated dumps and snapshot file (hcaresult_0_2_400000_CdbVaYf8jC.jbxd) as listed for the first function on this page.
                                                          Similarity
                                                          • API ID: FreeLibrary$CurrentInfoNativeProcessSystemVersion_wcslen
                                                          • String ID: pMH
                                                          • API String ID: 2923339712-2522892712
                                                          • Opcode ID: 3f36deb7b7369dd68d3c05326faf84e57561e58110467ef3184d2bc56fc1d5cf
                                                          • Instruction ID: 31d199e0849a18b4fe3a20375a839c17b1fda7a8e5a404adfed2e153d323e8b3
                                                          • Opcode Fuzzy Hash: 3f36deb7b7369dd68d3c05326faf84e57561e58110467ef3184d2bc56fc1d5cf
                                                          • Instruction Fuzzy Hash: D4612E71508792AEC311CB69C44425ABFE07B6A308F580E6EE48483A42D379E568C7AB
                                                          APIs
                                                          • LoadLibraryA.KERNELBASE(uxtheme.dll,0040EB55,0040D86E), ref: 0040EB7B
                                                          • GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 0040EB8D
Memory Dump Source / Joe Sandbox IDA Plugin: same source dump (00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, offset 00400000), associated dumps and snapshot file (hcaresult_0_2_400000_CdbVaYf8jC.jbxd) as listed for the first function on this page.
                                                          Similarity
                                                          • API ID: AddressLibraryLoadProc
                                                          • String ID: IsThemeActive$uxtheme.dll
                                                          • API String ID: 2574300362-3542929980
                                                          • Opcode ID: 9e55e894ab04f38af4b02d6559f2dae0f2ca0bab174211e780b997e8b6ae5f43
                                                          • Instruction ID: e8120cabfd18d8fe06d2f96d8b82b2b5a4bcadd10797c678d2963416b1e4c3b8
                                                          • Opcode Fuzzy Hash: 9e55e894ab04f38af4b02d6559f2dae0f2ca0bab174211e780b997e8b6ae5f43
                                                          • Instruction Fuzzy Hash: 05D0C9B49407039AD7306F72C918B0A7BE4AB50342F204C3EF996A1694DBBCD0508B28

                                                          APIs
                                                            • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
• GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00410C44  (hModule 00000000 = the running executable itself; 00000104 = MAX_PATH, 260 characters)
                                                          • __wsplitpath.LIBCMT ref: 00410C61
                                                            • Part of subcall function 00413DB0: __wsplitpath_helper.LIBCMT ref: 00413DF2
                                                          • _wcsncat.LIBCMT ref: 00410C78
                                                          • __wmakepath.LIBCMT ref: 00410C94
                                                            • Part of subcall function 00413E3C: __wmakepath_s.LIBCMT ref: 00413E52
                                                            • Part of subcall function 0041171A: std::bad_alloc::bad_alloc.LIBCMT ref: 00411757
                                                            • Part of subcall function 0041171A: std::bad_exception::bad_exception.LIBCMT ref: 0041176B
                                                            • Part of subcall function 0041171A: __CxxThrowException@8.LIBCMT ref: 00411779
                                                          • _wcscpy.LIBCMT ref: 00410CCC
• RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00020019,?), ref: 00410CE9  (80000001 = HKEY_CURRENT_USER, 00020019 = KEY_READ: a read-only open of the current user's AutoIt v3 key, combined with the "Include" and "\" strings and the path-building calls below)
                                                          • RegQueryValueExW.ADVAPI32 ref: 00429BE4
                                                          • _wcscat.LIBCMT ref: 00429C43
                                                          • _wcslen.LIBCMT ref: 00429C55
                                                          • _wcslen.LIBCMT ref: 00429C66
                                                          • _wcscat.LIBCMT ref: 00429C80
                                                          • _wcsncpy.LIBCMT ref: 00429CC0
                                                          • RegCloseKey.ADVAPI32(?), ref: 00429CDE
Memory Dump Source / Joe Sandbox IDA Plugin: same source dump (00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, offset 00400000), associated dumps and snapshot file (hcaresult_0_2_400000_CdbVaYf8jC.jbxd) as listed for the first function on this page.
                                                          Similarity
                                                          • API ID: _wcscat_wcslen$CloseException@8FileModuleNameOpenQueryThrowValue__wmakepath__wmakepath_s__wsplitpath__wsplitpath_helper_malloc_wcscpy_wcsncat_wcsncpystd::bad_alloc::bad_allocstd::bad_exception::bad_exception
                                                          • String ID: Include$Software\AutoIt v3\AutoIt$\
                                                          • API String ID: 1004883554-2276155026
                                                          • Opcode ID: d7f6643cad26fd3001d91627fc5ef1af4f656d40d4c5ca14c02d7ab544e78cf5
                                                          • Instruction ID: ef4714a7fd58501e566ba693257e1f196c1b97611c18bc9c35ab262cfa7686fb
                                                          • Opcode Fuzzy Hash: d7f6643cad26fd3001d91627fc5ef1af4f656d40d4c5ca14c02d7ab544e78cf5
                                                          • Instruction Fuzzy Hash: B961B3B1508340DFC300EF65EC8599BBBE8FB99704F44882EF544C3261EBB59948CB5A
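The bullet lines in these APIs listings all follow one shape (API.MODULE(args), ref: address, optionally prefixed with "Part of subcall function ...:"), so they can be pulled into records and triaged mechanically instead of by eye. The following is an added example, not code from the report, from the sample or from AutoIt: it parses lines copied from the listings on this page, decodes the RegOpenKeyExW arguments (hKey 80000001 and samDesired 00020019) and flags three patterns, the LoadLibrary/GetProcAddress pair, the registry open and the Sleep/timeGetTime pair. Two things are this example's own assumptions: the pattern labels, and the treatment of everything after the first LoadLibraryA value as stack slots the sandbox printed past the real parameter (LoadLibraryA takes one argument, and 0040EB55/0040D86E look like return addresses inside the module). Note that the uxtheme.dll/IsThemeActive pair is, on its own, ordinary GUI code that tolerates the DLL being absent; the same rule fires on a resolver hiding interesting imports, which is why the finding keeps the library and export names rather than just the label.

```python
"""Parse Joe Sandbox 'APIs' bullet lines into records and triage them.
Added example for this report page; not code from the sample, the report, or AutoIt."""
import re

# Lines copied verbatim from the APIs listings on this page (report data, not constructed).
SAMPLE_LINES = r"""
• LoadLibraryA.KERNELBASE(uxtheme.dll,0040EB55,0040D86E), ref: 0040EB7B
• GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 0040EB8D
• GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00410C44
  • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
• RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00020019,?), ref: 00410CE9
• RegQueryValueExW.ADVAPI32 ref: 00429BE4
• RegCloseKey.ADVAPI32(?), ref: 00429CDE
• Sleep.KERNEL32(0000000A), ref: 00409870
• timeGetTime.WINMM ref: 00409880
"""

# One bullet line: optional "Part of subcall function XXXX:" prefix, API.MODULE,
# optional "(args)", then "ref: ADDRESS". Values the sandbox could not resolve print as "?".
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<caller>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[^.\s(]+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Predefined hive handles and KEY_* rights; composite names come first so that
# 0x20019 renders as KEY_READ rather than as its four component bits.
HIVES = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
         0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS",
         0x80000005: "HKEY_CURRENT_CONFIG"}
KEY_RIGHTS = [(0xF003F, "KEY_ALL_ACCESS"), (0x20019, "KEY_READ"), (0x20006, "KEY_WRITE"),
              (0x1, "KEY_QUERY_VALUE"), (0x2, "KEY_SET_VALUE"), (0x4, "KEY_CREATE_SUB_KEY"),
              (0x8, "KEY_ENUMERATE_SUB_KEYS"), (0x10, "KEY_NOTIFY"), (0x20, "KEY_CREATE_LINK"),
              (0x100, "KEY_WOW64_64KEY"), (0x200, "KEY_WOW64_32KEY")]


def parse_api_lines(text):
    """Turn bullet lines into dicts; lines that do not match the shape are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        args = m.group("args")
        records.append({
            "api": m.group("api"),
            "module": m.group("module"),
            "args": [a.strip() for a in args.split(",")] if args is not None else [],
            "ref": int(m.group("ref"), 16),
            "caller": int(m.group("caller"), 16) if m.group("caller") else None,
        })
    return records


def decode_key_access(mask):
    """Render a samDesired mask with the usual KEY_* names; unknown bits stay hex."""
    names, remaining = [], mask
    for bits, name in KEY_RIGHTS:
        if remaining & bits == bits:
            names.append(name)
            remaining &= ~bits
    if remaining:
        names.append(hex(remaining))
    return " | ".join(names) if names else "0"


def decode_reg_open(rec):
    """Decode the first four RegOpenKeyExW arguments: hKey, lpSubKey, ulOptions, samDesired."""
    hkey, subkey, _options, sam = rec["args"][:4]
    hive = int(hkey, 16)
    return {"hive": HIVES.get(hive, hex(hive)), "subkey": subkey,
            "access": decode_key_access(int(sam, 16))}


def classify(records):
    """Pattern rules of this example's own choosing; each finding is a (label, detail, extra) tuple."""
    by_api = {}
    for r in records:
        by_api.setdefault(r["api"], []).append(r)
    findings = []
    loads = [r for r in records if r["api"].startswith("LoadLibrary")]
    procs = [r for r in records if r["api"] == "GetProcAddress"]
    if loads and procs:
        # Only the first LoadLibrary value is the real lpLibFileName; the values after it
        # are taken to be stack slots the sandbox printed (assumption, see the lead-in).
        libs = [r["args"][0] for r in loads if r["args"]]
        names = [r["args"][1] for r in procs if len(r["args"]) > 1]
        findings.append(("dynamic-api-resolution", libs, names))
    for r in by_api.get("RegOpenKeyExW", []):
        if len(r["args"]) >= 4 and "?" not in (r["args"][0], r["args"][3]):
            d = decode_reg_open(r)
            findings.append(("registry-open", d["hive"] + "\\" + d["subkey"], d["access"]))
    if "Sleep" in by_api and "timeGetTime" in by_api:
        delays = [int(r["args"][0], 16) for r in by_api["Sleep"]
                  if r["args"] and r["args"][0] != "?"]
        findings.append(("sleep-then-timer", delays, None))
    return findings


if __name__ == "__main__":
    for finding in classify(parse_api_lines(SAMPLE_LINES)):
        print(finding)
```

Paste the APIs block of any function entry on this page into SAMPLE_LINES to triage it; the rules are deliberately narrow, and a hit is a prompt to read the function, not a verdict.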
                                                          APIs
                                                            • Part of subcall function 00409A40: _wcslen.LIBCMT ref: 00409A61
                                                            • Part of subcall function 00409A40: CharUpperBuffW.USER32(?,?), ref: 00409AF5
                                                          • Sleep.KERNEL32(0000000A), ref: 00409870
                                                          • timeGetTime.WINMM ref: 00409880
Memory Dump Source / Joe Sandbox IDA Plugin: same source dump (00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, offset 00400000), associated dumps and snapshot file (hcaresult_0_2_400000_CdbVaYf8jC.jbxd) as listed for the first function on this page.
                                                          Similarity
                                                          • API ID: BuffCharSleepTimeUpper_wcslentime
                                                          • String ID:
                                                          • API String ID: 3219444185-0
                                                          • Opcode ID: da6b74c52f7fd8fa7285d44dc66266380a963bd06260c315e722df216112258b
                                                          • Instruction ID: 79dfb759edd1749a95aa3438e3198289cebfc990e9c1b7da565b255c5aac8c6d
                                                          • Opcode Fuzzy Hash: da6b74c52f7fd8fa7285d44dc66266380a963bd06260c315e722df216112258b
                                                          • Instruction Fuzzy Hash: D422F171608342ABC724DF64C984BABB7A0BF89304F14492FE54997392D77CEC45CB9A
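A Sleep immediately followed by a timer read, as in the two references above (Sleep(0000000A) at 00409870, timeGetTime at 00409880), is the shape of two different things: a check that the requested delay really elapsed, which is how sandbox sleep-skipping gets detected, and an ordinary timed wait built from short sleep slices and a clock. The listing alone does not say which this runtime function is. The following is an added example, not code from the sample or the report: it implements the check in portable form (time.sleep standing in for Sleep, time.perf_counter for timeGetTime, time.time as a second, independent clock), shows why one clock is not enough once an analysis environment warps the timer as well as the sleep, and includes the benign twin that leaves the same two calls in a listing. The tolerance values are this example's own choice.

```python
"""Sleep-acceleration probe: did a requested delay really elapse, and do two clocks agree?
Added example for this report page; portable stand-ins replace the Win32 calls
(time.sleep for Sleep, time.perf_counter for timeGetTime, time.time as a second clock)."""
import time


def sleep_probe(requested_ms):
    """Sleep for requested_ms and measure the interval on two independent clocks (ms)."""
    mono0, wall0 = time.perf_counter(), time.time()
    time.sleep(requested_ms / 1000.0)
    return {"requested_ms": requested_ms,
            "monotonic_ms": (time.perf_counter() - mono0) * 1000.0,
            "wall_ms": (time.time() - wall0) * 1000.0}


def verdict(probe, tolerance=0.5, slack_ms=5.0):
    """'accelerated' if either clock saw less than tolerance * requested elapse (a hooked
    Sleep returning early); 'inconsistent' if the two clocks disagree by more than the larger
    of tolerance * requested and slack_ms (one timer warped, the other not); else 'normal'."""
    req = probe["requested_ms"]
    if min(probe["monotonic_ms"], probe["wall_ms"]) < req * tolerance:
        return "accelerated"
    if abs(probe["monotonic_ms"] - probe["wall_ms"]) > max(req * tolerance, slack_ms):
        return "inconsistent"
    return "normal"


def timed_wait_ms(total_ms, slice_ms=10):
    """The benign twin: wait total_ms using short sleep slices plus a clock read, the way a
    scripting runtime implements an accurate Sleep(). It leaves the same Sleep-then-timer
    pair in a listing without checking anything. Returns the elapsed time in ms."""
    start = time.perf_counter()
    deadline = start + total_ms / 1000.0
    while True:
        remaining = deadline - time.perf_counter()
        if remaining <= 0:
            break
        time.sleep(min(slice_ms / 1000.0, remaining))
    return (time.perf_counter() - start) * 1000.0


if __name__ == "__main__":
    probe = sleep_probe(30)
    print(probe, verdict(probe))
    print("timed wait took %.1f ms" % timed_wait_ms(35))
```

On a real host the probe reports "normal"; an environment that shortens Sleep but leaves the timers alone reports "accelerated", and one that patches the timer it knows about but not the other reports "inconsistent". A single timer read after the sleep, which is all the listing above shows, cannot distinguish the last case from normal execution.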

Control-flow Graph for the function at 4161c2 (rendered graph not reproduced; basic blocks recovered from the graph data, with the calls they contain). Each initialisation call is followed by a conditional branch into one of two error-exit helpers, 41616a or 4117af, which together with the names in the API ID below (_fast_error_exit, __amsg_exit, __mtinit, __ioinit, __wsetargv, __wsetenvp, __cinit, __wwincmdln) marks this as the CRT entry-point start-up sequence.
• 4161fd-416209: call 41aa31; side branch 41620b-416212: call 41616a
• 416213-41621a: call 416e29; side branch 41621c-416223: call 41616a
• 416224-416233: call 41843a, call 41b669; side branch 416235-41623c: call 4117af
• 41623d-416258: GetCommandLineW, call 42235f, call 4222b1; side branch 41625a-416261: call 4117af
• 416262-416269: call 422082; side branch 41626b-416272: call 4117af
• 416273-41627c: call 41186e; side branch 41627e-416284: call 4117af
• 416285-41628d: call 42203c
• 416298-4162a0: call 40d7f0
• 4162b3-41630f: call 411a4b, call 4171d1; side branch 4162ad-4162ae: call 411a1f
• blocks 4161c2-4161fa, 41628f-416297 and 4162a5-4162ab contain no calls.
Memory Dump Source / Joe Sandbox IDA Plugin: same source dump (00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, offset 00400000), associated dumps and snapshot file (hcaresult_0_2_400000_CdbVaYf8jC.jbxd) as listed for the first function on this page.
                                                          Similarity
                                                          • API ID: __amsg_exit$_fast_error_exit$CommandInitializeLine__cinit__ioinit__mtinit__wsetargv__wsetenvp__wwincmdln
                                                          • String ID:
                                                          • API String ID: 2477803136-0
                                                          • Opcode ID: 5c6ad9204277a855c32b49e0d8ca3a5fd5782e976c2a5896ff1cb7bad4d5bdf3
                                                          • Instruction ID: 5d71fe406d9f608d9de966b229f2038f561e79c4b175df4472a1e640f9164680
                                                          • Opcode Fuzzy Hash: 5c6ad9204277a855c32b49e0d8ca3a5fd5782e976c2a5896ff1cb7bad4d5bdf3
                                                          • Instruction Fuzzy Hash: 6A21A671D00315A9DB14BBB2A9467EE2664AF1074CF1144AFF9056A2D3EEBCC8C1461D

Memory Dump Source / Joe Sandbox IDA Plugin: same source dump (00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, offset 00400000), associated dumps and snapshot file (hcaresult_0_2_400000_CdbVaYf8jC.jbxd) as listed for the first function on this page.
                                                          Similarity
                                                          • API ID: __fread_nolock$_fseek_wcscpy
                                                          • String ID: FILE
                                                          • API String ID: 3888824918-3121273764
                                                          • Opcode ID: e8200e6015bbe3313da03f0c122791b2111f624a8fcd35516e511649d5e709ac
                                                          • Instruction ID: c0f9aeb359a44d31a21a8716142a7f32772eb03c7b5129f1ec28ea3a2d041f76
                                                          • Opcode Fuzzy Hash: e8200e6015bbe3313da03f0c122791b2111f624a8fcd35516e511649d5e709ac
                                                          • Instruction Fuzzy Hash: D541EFB1504300BBD310EB55CC81FEB73A9AFC8718F54491EFA8457181F679E644C7AA

                                                          APIs
                                                          • GetSysColorBrush.USER32 ref: 00410326
                                                          • RegisterClassExW.USER32 ref: 00410359
                                                          • RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,?), ref: 0041036A
                                                          • InitCommonControlsEx.COMCTL32(0000000F,?,?,?,?,?,?), ref: 0041038A
                                                          • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001,?,?,?,?,?,?), ref: 0041039A
                                                          • LoadIconW.USER32(00400000,000000A9), ref: 004103B1
                                                          • ImageList_ReplaceIcon.COMCTL32(00C050F0,000000FF,00000000,?,?,?,?,?,?), ref: 004103C1
Memory Dump Source / Joe Sandbox IDA Plugin: same source dump (00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, offset 00400000), associated dumps and snapshot file (hcaresult_0_2_400000_CdbVaYf8jC.jbxd) as listed for the first function on this page.
                                                          Similarity
                                                          • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                          • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                          • API String ID: 2914291525-1005189915
                                                          • Opcode ID: b078764552fc12f322907e2d646497bc841117f43cad8f480623bc49e689b681
                                                          • Instruction ID: c8c51aded5b6d43d10953d3ded2c15c159303f3bf9a059b11759766ceadcbce4
                                                          • Opcode Fuzzy Hash: b078764552fc12f322907e2d646497bc841117f43cad8f480623bc49e689b681
                                                          • Instruction Fuzzy Hash: 9F2129B4518301AFD340DF64D888B4EBFF4FB89704F008A2EF685962A0E7B58144CF5A

                                                          Control-flow Graph

                                                          APIs
                                                          • GetSysColorBrush.USER32(0000000F), ref: 004101F9
                                                          • LoadCursorW.USER32(00000000,00007F00), ref: 00410209
                                                          • LoadIconW.USER32(?,00000063), ref: 0041021F
                                                          • LoadIconW.USER32(?,000000A4), ref: 00410232
                                                          • LoadIconW.USER32(?,000000A2), ref: 00410245
                                                          • LoadImageW.USER32(?,00000063,00000001,00000010,00000010,00000000), ref: 0041026A
                                                          • RegisterClassExW.USER32 ref: 004102C6
                                                            • Part of subcall function 004102F0: GetSysColorBrush.USER32 ref: 00410326
                                                            • Part of subcall function 004102F0: RegisterClassExW.USER32 ref: 00410359
                                                            • Part of subcall function 004102F0: RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,?), ref: 0041036A
                                                            • Part of subcall function 004102F0: InitCommonControlsEx.COMCTL32(0000000F,?,?,?,?,?,?), ref: 0041038A
                                                            • Part of subcall function 004102F0: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001,?,?,?,?,?,?), ref: 0041039A
                                                            • Part of subcall function 004102F0: LoadIconW.USER32(00400000,000000A9), ref: 004103B1
                                                            • Part of subcall function 004102F0: ImageList_ReplaceIcon.COMCTL32(00C050F0,000000FF,00000000,?,?,?,?,?,?), ref: 004103C1
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                          • String ID: #$0$PGH
                                                          • API String ID: 423443420-3673556320
                                                          • Opcode ID: 1033d1e55498f891403c4089579710d7d6683e73571bc8446147a2c837657170
                                                          • Instruction ID: 6be78a7d21e01e6533eb66d2751721d4fd39e3055bf34e10baa21603515e7cea
                                                          • Opcode Fuzzy Hash: 1033d1e55498f891403c4089579710d7d6683e73571bc8446147a2c837657170
                                                          • Instruction Fuzzy Hash: 60216DB5A18300AFD310CF59EC84A4A7FE4FB99710F00497FF648972A0D7B599408B99

                                                          Control-flow Graph

                                                          APIs
                                                          • _fseek.LIBCMT ref: 004525DA
                                                            • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 004523ED
                                                            • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 00452432
                                                            • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 0045244F
                                                            • Part of subcall function 004523CE: _wcscpy.LIBCMT ref: 0045247D
                                                            • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 0045248E
                                                            • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 004524AB
                                                            • Part of subcall function 004523CE: _wcscpy.LIBCMT ref: 004524D9
                                                          • __fread_nolock.LIBCMT ref: 00452618
                                                          • __fread_nolock.LIBCMT ref: 00452629
                                                          • __fread_nolock.LIBCMT ref: 00452644
                                                          • __fread_nolock.LIBCMT ref: 00452661
                                                          • _fseek.LIBCMT ref: 0045267D
                                                          • _malloc.LIBCMT ref: 00452689
                                                          • _malloc.LIBCMT ref: 00452696
                                                          • __fread_nolock.LIBCMT ref: 004526A7
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: __fread_nolock$_fseek_malloc_wcscpy
                                                          • String ID:
                                                          • API String ID: 1911931848-0
                                                          • Opcode ID: 07c7d1d11592908342a612a25e8a5e33943486726a22accfdf27b608027379a0
                                                          • Instruction ID: daf5751c9f96f1f9c2235ce4d63c31b1673d17b5fb5ed0b9a51dc370059b243a
                                                          • Opcode Fuzzy Hash: 07c7d1d11592908342a612a25e8a5e33943486726a22accfdf27b608027379a0
                                                          • Instruction Fuzzy Hash: 47514CB1A08340AFD310DF5AD881A9BF7E9FFC8704F40492EF68887241D77AE5448B5A

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: __fread_nolock_fseek_strcat
                                                          • String ID: AU3!$EA06
                                                          • API String ID: 3818483258-2658333250
                                                          • Opcode ID: 61a815b4762265f9d00ad5303640aa958846bc8ab5516fbcebd88596bc1aced3
                                                          • Instruction ID: a326fe91d6bb541f17a8cee8b09d92be642ba4032c5aa5fe266a96c6f27d1a6c
                                                          • Opcode Fuzzy Hash: 61a815b4762265f9d00ad5303640aa958846bc8ab5516fbcebd88596bc1aced3
                                                          • Instruction Fuzzy Hash: 2B416C7160C340ABC331DA24C841AEB77A59B95308F68087EF5C597683E578E44A876B

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: _wcscpy$DesktopFolderFromListMallocPath
                                                          • String ID: C:\Users\user\Desktop\CdbVaYf8jC.exe
                                                          • API String ID: 192938534-3042122580
                                                          • Opcode ID: 41672701d810a85b6866b378b1839c38d53fca73f5daf9d2a63f2dfb0070f590
                                                          • Instruction ID: 2fe23ff91bf644c1e681f842d3c1e96d6f0f177144f23c1ad52f1bdc7517ad48
                                                          • Opcode Fuzzy Hash: 41672701d810a85b6866b378b1839c38d53fca73f5daf9d2a63f2dfb0070f590
                                                          • Instruction Fuzzy Hash: 822179B5604211AFC210EB64DC84DABB3ECEFC8704F14891DF94987210E739ED46CBA6

                                                          Control-flow Graph

                                                          APIs
                                                          • _memset.LIBCMT ref: 00401257
                                                            • Part of subcall function 00401BE0: _memset.LIBCMT ref: 00401C62
                                                            • Part of subcall function 00401BE0: _wcsncpy.LIBCMT ref: 00401CA1
                                                            • Part of subcall function 00401BE0: _wcscpy.LIBCMT ref: 00401CBD
                                                            • Part of subcall function 00401BE0: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00401CCF
                                                          • KillTimer.USER32(?,?), ref: 004012B0
                                                          • SetTimer.USER32(?,?,000002EE,00000000), ref: 004012BF
                                                          • Shell_NotifyIconW.SHELL32(?,?), ref: 0042AA80
                                                          • Shell_NotifyIconW.SHELL32(?,?), ref: 0042AACC
                                                          • Shell_NotifyIconW.SHELL32(?,?), ref: 0042AB0F
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: IconNotifyShell_$Timer_memset$Kill_wcscpy_wcsncpy
                                                          • String ID:
                                                          • API String ID: 1792922140-0
                                                          • Opcode ID: a7115ab057bf29602ed6c82bb799c717f5f73d3545905a596edaeb05fb95c8cc
                                                          • Instruction ID: 78dbdb20408675f5dda5a176dd8a03fc230073daf987e80dd157250a536ae6f7
                                                          • Opcode Fuzzy Hash: a7115ab057bf29602ed6c82bb799c717f5f73d3545905a596edaeb05fb95c8cc
                                                          • Instruction Fuzzy Hash: 56319670609642BFD319CB24D544B9BFBE8BF85304F04856EF488A3251C7789A19D7AB

                                                          Control-flow Graph

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: _memset$__filbuf__fileno__getptd_noexit__read_memcpy_s
                                                          • String ID:
                                                          • API String ID: 3886058894-0
                                                          • Opcode ID: b117a392f3759847975495debe7ea87102f8b7de0bc78f8cbc322732e1c6b221
                                                          • Instruction ID: 085ef53bf2cba992f8731f00f2d52beda6aca72a1b803249d76dffc069a60243
                                                          • Opcode Fuzzy Hash: b117a392f3759847975495debe7ea87102f8b7de0bc78f8cbc322732e1c6b221
                                                          • Instruction Fuzzy Hash: CA510830900604EFCB208FA9C8445DFBBB5EFC5324F24825BF82596290D7799ED2CB99

                                                          Control-flow Graph

                                                          APIs
                                                          • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 040E09AD
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1729306889.00000000040E0000.00000040.00000020.00020000.00000000.sdmp, Offset: 040E0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_40e0000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: CreateFile
                                                          • String ID:
                                                          • API String ID: 823142352-0
                                                          • Opcode ID: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
                                                          • Instruction ID: a2ce9d0b1621377ef607c2e056854fd0d102f787c949f418b02ec5a551cce590
                                                          • Opcode Fuzzy Hash: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
                                                          • Instruction Fuzzy Hash: 2E510875A50218FFEB60DFA1CC59FEE77B8BF48700F108554F60AEA180DAB4A6449B60

                                                          Control-flow Graph

                                                          APIs
                                                          • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,?,00000000), ref: 00410415
                                                          • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000), ref: 0041043E
                                                          • ShowWindow.USER32(?,00000000), ref: 00410454
                                                          • ShowWindow.USER32(?,00000000), ref: 0041045E
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: Window$CreateShow
                                                          • String ID: AutoIt v3$edit
                                                          • API String ID: 1584632944-3779509399
                                                          • Opcode ID: 2f6e2284bb2ae2ba7cf4e865adc3bced08dc322388bda6343c860b78a8eff359
                                                          • Instruction ID: daa3d4afae2654ee996124117597f48fa5c574a0ac4b96d00400a8ba476d7f73
                                                          • Opcode Fuzzy Hash: 2f6e2284bb2ae2ba7cf4e865adc3bced08dc322388bda6343c860b78a8eff359
                                                          • Instruction Fuzzy Hash: F3F0A975BE4310BAF6609754AC43F592B59A765F00F3445ABB700BF1D0D6E478408B9C

                                                          Control-flow Graph

                                                          APIs
                                                          • __lock.LIBCMT ref: 00413AA6
                                                            • Part of subcall function 00418407: __mtinitlocknum.LIBCMT ref: 0041841D
                                                            • Part of subcall function 00418407: __amsg_exit.LIBCMT ref: 00418429
                                                            • Part of subcall function 00418407: EnterCriticalSection.KERNEL32(?,?,?,004224D3,00000004,0048CCA0,0000000C,00417011,00411739,?,00000000,00000000,00000000,?,00416C24,00000001), ref: 00418431
                                                          • ___sbh_find_block.LIBCMT ref: 00413AB1
                                                          • ___sbh_free_block.LIBCMT ref: 00413AC0
                                                          • RtlFreeHeap.NTDLL(00000000,00411739,0048C758,0000000C,004183E8,00000000,0048CA38,0000000C,00418422,00411739,?,?,004224D3,00000004,0048CCA0,0000000C), ref: 00413AF0
                                                          • GetLastError.KERNEL32(?,004224D3,00000004,0048CCA0,0000000C,00417011,00411739,?,00000000,00000000,00000000,?,00416C24,00000001,00000214), ref: 00413B01
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
                                                          • String ID:
                                                          • API String ID: 2714421763-0
                                                          • Opcode ID: 1be655156b84d1756d47887b3dc267bc1ef03bd4322eaa0c22e254cdcea9361a
                                                          • Instruction ID: 54fb22c17cbd059cfb8714ef359fce415cc636064f476ff80f42ef981757bf49
                                                          • Opcode Fuzzy Hash: 1be655156b84d1756d47887b3dc267bc1ef03bd4322eaa0c22e254cdcea9361a
                                                          • Instruction Fuzzy Hash: 7401A731A08301BADF206F71AC09BDF3B64AF00759F10052FF544A6182DB7D9AC19B9C

                                                           Control-flow Graph (basic blocks of the function at 40e2428; successors listed after "->")
                                                           • 1561: 40e2428-40e2553, call 40e0048, call 40e2318, CreateFileW -> 1568, 1569
                                                           • 1568: 40e255a-40e256a -> 1572, 1573
                                                           • 1569: 40e2555 -> 1570
                                                           • 1570: 40e2627-40e262c (no successors)
                                                           • 1572: 40e256c -> 1570
                                                           • 1573: 40e2571-40e258b, VirtualAlloc -> 1574, 1575
                                                           • 1574: 40e258d -> 1570
                                                           • 1575: 40e2592-40e25a9, ReadFile -> 1576, 1577
                                                           • 1576: 40e25ad-40e25c2, call 40e10b8 -> 1579
                                                           • 1577: 40e25ab -> 1570
                                                           • 1579: 40e25c7-40e2601, call 40e2358, call 40e1318 -> 1584, 1585
                                                           • 1584: 40e261d-40e2625 -> 1570
                                                           • 1585: 40e2603-40e2618, call 40e23a8 -> 1584
                                                          APIs
                                                            • Part of subcall function 040E2318: Sleep.KERNELBASE(000001F4), ref: 040E2329
                                                          • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 040E2549
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1729306889.00000000040E0000.00000040.00000020.00020000.00000000.sdmp, Offset: 040E0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_40e0000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: CreateFileSleep
                                                          • String ID: LLX2HD3PAXSG5Y4G
                                                          • API String ID: 2694422964-1513636820
                                                          • Opcode ID: ea9f1c2cba94dcca96377b6f5b958825f4ac0eaaa8b63af0775e62c04716bb3d
                                                          • Instruction ID: 0f82839f11c40db6f5fb36659606a2de65e3374ae9989fa760778ea2c6959293
                                                          • Opcode Fuzzy Hash: ea9f1c2cba94dcca96377b6f5b958825f4ac0eaaa8b63af0775e62c04716bb3d
                                                          • Instruction Fuzzy Hash: 9D516031D14248DAEF11DBB4C814BEEBB79AF49304F004599E658BB2C0DB791B49CBA6
                                                          APIs
                                                            • Part of subcall function 0040F580: _wcslen.LIBCMT ref: 0040F58A
                                                            • Part of subcall function 0040F580: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,?,?,?,?,?), ref: 0040F5A3
                                                            • Part of subcall function 0040F580: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,-00000010,00000001,?,?,?,?), ref: 0040F5CC
                                                          • _strcat.LIBCMT ref: 0040F603
                                                            • Part of subcall function 0040F6A0: _memset.LIBCMT ref: 0040F6A8
                                                            • Part of subcall function 0040F6D0: _strlen.LIBCMT ref: 0040F6D8
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: ByteCharMultiWide$_memset_strcat_strlen_wcslen
                                                          • String ID: HH
                                                          • API String ID: 1194219731-2761332787
                                                          • Opcode ID: ee47fd20779ff5886c3c730aa44a1efa7791f275b5868e90dcef310a8da63108
                                                          • Instruction ID: 1fd31f67f6889806bd2ce24d6488871f5ee50ddf162d20410a363c4a19aba518
                                                          • Opcode Fuzzy Hash: ee47fd20779ff5886c3c730aa44a1efa7791f275b5868e90dcef310a8da63108
                                                          • Instruction Fuzzy Hash: 022158B260825067C724EF7A9C8266EF7D8AF85308F148C3FF554D2282F638D555879A
                                                          APIs
                                                          • _malloc.LIBCMT ref: 00411734
                                                            • Part of subcall function 004138BA: __FF_MSGBANNER.LIBCMT ref: 004138DD
                                                            • Part of subcall function 004138BA: __NMSG_WRITE.LIBCMT ref: 004138E4
                                                            • Part of subcall function 004138BA: RtlAllocateHeap.NTDLL(00000000,0041172A,?,?,?,?,00411739,?,00401C0B), ref: 00413931
                                                          • std::bad_alloc::bad_alloc.LIBCMT ref: 00411757
                                                            • Part of subcall function 004116B0: std::exception::exception.LIBCMT ref: 004116BC
                                                          • std::bad_exception::bad_exception.LIBCMT ref: 0041176B
                                                          • __CxxThrowException@8.LIBCMT ref: 00411779
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: AllocateException@8HeapThrow_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exceptionstd::exception::exception
                                                          • String ID:
                                                          • API String ID: 1411284514-0
                                                          • Opcode ID: ca7221cdd9cc9326792a0c346bb7c35cd30f9974032eaa45b6addcc39664c516
                                                          • Instruction ID: c554e94cc15d94fff19a40754e7570613bf3612ee9c26c673f8185df9075a277
                                                          • Opcode Fuzzy Hash: ca7221cdd9cc9326792a0c346bb7c35cd30f9974032eaa45b6addcc39664c516
                                                          • Instruction Fuzzy Hash: 6FF0E23550060A66CF08B723EC06ADE3B649F11798B10403BFA20552F2DF6DADC9865C
                                                          APIs
                                                          • CreateProcessW.KERNELBASE(?,00000000), ref: 040E108D
                                                          • ExitProcess.KERNEL32(00000000), ref: 040E10AC
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1729306889.00000000040E0000.00000040.00000020.00020000.00000000.sdmp, Offset: 040E0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_40e0000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: Process$CreateExit
                                                          • String ID: D
                                                          • API String ID: 126409537-2746444292
                                                          • Opcode ID: 359d21864460d0aa6716f03c0fb9f93045a71ab212c145842ddc1246808d9d7c
                                                          • Instruction ID: 1896357ae7ff357954eb0c22f2fe82c03ca50cbbeb670b509e9831d1a1e2d6a9
                                                          • Opcode Fuzzy Hash: 359d21864460d0aa6716f03c0fb9f93045a71ab212c145842ddc1246808d9d7c
                                                          • Instruction Fuzzy Hash: FFF0E17154024CABDB60DFE1CC49FFE777CBF44705F408508BA19AA180DA7495188751
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c2b84d901eedfcb5732c73c427cf3e6a40f349a1394e6728fcd5bdf3f2a5d4d9
                                                          • Instruction ID: a1f682be926937ece900e9fcc50ccc13891f43ead78ba7c6857800eee9f0599c
                                                          • Opcode Fuzzy Hash: c2b84d901eedfcb5732c73c427cf3e6a40f349a1394e6728fcd5bdf3f2a5d4d9
                                                          • Instruction Fuzzy Hash: EC81D2756043009FC310EF65C985B6AB7E4EF84315F008D2EF988AB392D779E909CB96
                                                          APIs
                                                          • RegOpenKeyExW.KERNELBASE(80000001,0040F0EE,00000000,00000001,80000001,?,0040F0EE,80000001,Control Panel\Mouse,SwapMouseButtons,00000004,?,?,0044BA28), ref: 0040F132
                                                          • RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,80000001,80000001,?,0040F0EE,80000001,Control Panel\Mouse,SwapMouseButtons,00000004,?,?,0044BA28), ref: 0040F14F
                                                          • RegCloseKey.KERNELBASE(00000000,?,?,00000000,00000000,80000001,80000001,?,0040F0EE,80000001,Control Panel\Mouse,SwapMouseButtons,00000004,?,?,0044BA28), ref: 0040F159
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: CloseOpenQueryValue
                                                          • String ID:
                                                          • API String ID: 3677997916-0
                                                          • Opcode ID: 2fc94d7b08a1a7677ebb25c0c676948635cded20fa34e442ec21f1e1bf5971ab
                                                          • Instruction ID: 6acd5c45b0bc896a902747136fbadff1bb775023c46fd22fba7b324c5144c726
                                                          • Opcode Fuzzy Hash: 2fc94d7b08a1a7677ebb25c0c676948635cded20fa34e442ec21f1e1bf5971ab
                                                          • Instruction Fuzzy Hash: 60F0BDB0204202ABD614DF54DD88E6BB7F9EF88704F10492DB585D7250D7B4A804CB26
                                                          APIs
                                                          • _malloc.LIBCMT ref: 00435278
                                                            • Part of subcall function 004138BA: __FF_MSGBANNER.LIBCMT ref: 004138DD
                                                            • Part of subcall function 004138BA: __NMSG_WRITE.LIBCMT ref: 004138E4
                                                            • Part of subcall function 004138BA: RtlAllocateHeap.NTDLL(00000000,0041172A,?,?,?,?,00411739,?,00401C0B), ref: 00413931
                                                          • _malloc.LIBCMT ref: 00435288
                                                          • _malloc.LIBCMT ref: 00435298
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: _malloc$AllocateHeap
                                                          • String ID:
                                                          • API String ID: 680241177-0
                                                          • Opcode ID: d11b1792ef3d24f06ef5636d78d46cf58a843b0d423fa777cd48d8e801ebef30
                                                          • Instruction ID: 30b75876ff52ae1c35022de4a6700901ba1db26c97f4d16f7fcf584af9a5a73f
                                                          • Opcode Fuzzy Hash: d11b1792ef3d24f06ef5636d78d46cf58a843b0d423fa777cd48d8e801ebef30
                                                          • Instruction Fuzzy Hash: E5F0A0B1500F0046E660AB3198457C7A2E09B14307F00186FB6855618ADA7C69C4CEAC
                                                          APIs
                                                          • _wcslen.LIBCMT ref: 00401B71
                                                            • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                                                            • Part of subcall function 0041171A: std::bad_alloc::bad_alloc.LIBCMT ref: 00411757
                                                            • Part of subcall function 0041171A: std::bad_exception::bad_exception.LIBCMT ref: 0041176B
                                                            • Part of subcall function 0041171A: __CxxThrowException@8.LIBCMT ref: 00411779
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: Exception@8Throw_malloc_wcslenstd::bad_alloc::bad_allocstd::bad_exception::bad_exception
                                                          • String ID: @EXITCODE
                                                          • API String ID: 580348202-3436989551
                                                          • Opcode ID: 48d001a4b96ee351bc7679959485890c1c6d832d60c6cde5ea273d4c8ab31dfe
                                                          • Instruction ID: 288ad252d7dad0c090ff8240dee62855692e698d70424b42c0a66861a7771545
                                                          • Opcode Fuzzy Hash: 48d001a4b96ee351bc7679959485890c1c6d832d60c6cde5ea273d4c8ab31dfe
                                                          • Instruction Fuzzy Hash: 73F06DF2A002025BD7649B35DC0276776E4AB44704F18C83EE14AC7791F6BDE8829B15
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: ClearVariant
                                                          • String ID:
                                                          • API String ID: 1473721057-0
                                                          • Opcode ID: 4e47f038e922e84c19ecab33a0164ae102939a21ade882e67390b57c38244a2e
                                                          • Instruction ID: 1f11e118333250ff1b1cce483c812f274274124743f71e781b8a547d9d3e43da
                                                          • Opcode Fuzzy Hash: 4e47f038e922e84c19ecab33a0164ae102939a21ade882e67390b57c38244a2e
                                                          • Instruction Fuzzy Hash: 35917E706042009FC714DF55D890A6AB7E5EF89318F14896FF849AB392D738EE41CB9E
                                                          APIs
                                                          • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000,?,0040DFD2,?,00000001,00403843,?), ref: 0040F00A
                                                          • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000004,00000080,00000000,?,0040DFD2,?,00000001,00403843,?), ref: 004299D9
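The API annotation lines in this listing (the CreateFileW calls at 040E2549, 0040F00A and 004299D9, the RegOpenKeyExW at 0040F132 and the Sleep subcall at 040E2329) carry their Win32 arguments as raw hex, so telling a read-only open from a file drop means decoding dwDesiredAccess, dwShareMode and dwCreationDisposition by hand. The decoder below is an added example written for this page, not Joe Sandbox code: the line regex, the argument-position assumptions and the flag tables are mine, and the sample lines are constructed copies of entries from this report.

```python
"""Decode Joe Sandbox IDA-plugin API annotation lines into readable Win32 flags.

Assumed line layout (an assumption drawn from this report, not a documented format):
    "Name.Module(arg,arg,...), ref: ADDR"
optionally prefixed with "Part of subcall function ADDR:".
"""
import re
from typing import Dict, List, Optional

# Constructed sample input: copies of annotation lines from this report.
SAMPLE_LINES = [
    "• CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 040E2549",
    "• CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000,?,0040DFD2,?,00000001,00403843,?), ref: 0040F00A",
    "• CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000004,00000080,00000000,?,0040DFD2,?,00000001,00403843,?), ref: 004299D9",
    "• RegOpenKeyExW.KERNELBASE(80000001,0040F0EE,00000000,00000001,80000001,?,0040F0EE,80000001,Control Panel\\Mouse,SwapMouseButtons,00000004,?,?,0044BA28), ref: 0040F132",
    "  • Part of subcall function 040E2318: Sleep.KERNELBASE(000001F4), ref: 040E2329",
]

LINE_RE = re.compile(
    r"(?P<sub>Part of subcall function (?P<subaddr>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# Win32 constants (winnt.h / winbase.h); dict order is the order names are emitted.
GENERIC_ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
                  0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
SHARE_MODE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
FILE_ATTRS = {0x2: "FILE_ATTRIBUTE_HIDDEN", 0x80: "FILE_ATTRIBUTE_NORMAL",
              0x100: "FILE_ATTRIBUTE_TEMPORARY", 0x04000000: "FILE_FLAG_DELETE_ON_CLOSE"}
HKEY_ROOTS = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
              0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}


def parse_hex(token: str) -> Optional[int]:
    """'?' marks an argument the plugin could not resolve statically; anything else is hex."""
    token = token.strip()
    return int(token, 16) if re.fullmatch(r"[0-9A-Fa-f]+", token) else None


def parse_api_line(line: str) -> Optional[Dict]:
    """Split one annotation line into API name, module, raw argument tokens and call site."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {
        "api": m.group("api"),
        "module": m.group("module"),
        "args": [a.strip() for a in m.group("args").split(",")],
        "ref": m.group("ref").upper(),
        "subcall_of": m.group("subaddr").upper() if m.group("subaddr") else None,
    }


def decode_flags(value: int, table: Dict[int, str]) -> List[str]:
    names = [name for bit, name in table.items() if value & bit == bit]
    return names or [hex(value)]


def decode_create_file(args: List[str]) -> Dict[str, object]:
    """CreateFileW(lpFileName, dwDesiredAccess, dwShareMode, lpSecurityAttributes,
    dwCreationDisposition, dwFlagsAndAttributes, hTemplateFile). Tokens past the
    seventh appear to be caller stack slots, not arguments, and are ignored."""
    if len(args) < 7:
        raise ValueError("CreateFileW needs 7 argument tokens")
    access, share, disp, attrs = (parse_hex(args[i]) for i in (1, 2, 4, 5))
    return {
        "filename_known": args[0] != "?",
        "access": decode_flags(access or 0, GENERIC_ACCESS),
        "share": decode_flags(share or 0, SHARE_MODE),
        "disposition": DISPOSITION.get(disp, f"unknown({disp})"),
        "attributes": decode_flags(attrs or 0, FILE_ATTRS),
        # GENERIC_WRITE or GENERIC_ALL: the handle can modify or create the file.
        "writes": bool((access or 0) & (0x40000000 | 0x10000000)),
    }


def decode_reg_open_key(args: List[str]) -> str:
    """First argument of RegOpenKeyExW is the root hive handle."""
    root = parse_hex(args[0])
    return "?" if root is None else HKEY_ROOTS.get(root, f"handle 0x{root:08X}")


def summarize(line: str) -> Optional[str]:
    rec = parse_api_line(line)
    if rec is None:
        return None
    api = rec["api"]
    if api == "CreateFileW":
        d = decode_create_file(rec["args"])
        detail = (f"access={'|'.join(d['access'])} share={'|'.join(d['share'])} "
                  f"disp={d['disposition']} attrs={'|'.join(d['attributes'])}")
    elif api == "RegOpenKeyExW":
        detail = f"root={decode_reg_open_key(rec['args'])} lpSubKey=0x{rec['args'][1]}"
    elif api == "Sleep":
        detail = f"{parse_hex(rec['args'][0])} ms"
    else:
        detail = ",".join(rec["args"])
    prefix = f"[via {rec['subcall_of']}] " if rec["subcall_of"] else ""
    return f"{prefix}{rec['ref']} {api}: {detail}"


def writing_file_opens(lines: List[str]) -> List[str]:
    """Call sites that open a file for writing: the first places to look for a drop or rewrite."""
    refs = []
    for line in lines:
        rec = parse_api_line(line)
        if rec and rec["api"] == "CreateFileW" and decode_create_file(rec["args"])["writes"]:
            refs.append(rec["ref"])
    return refs


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(summarize(sample))
    print("writable opens:", writing_file_opens(SAMPLE_LINES))
```

Run against the sample lines, the two KERNELBASE opens decode to read-only OPEN_EXISTING handles (the 040E2549 one with full read/write/delete sharing, as the unpacked loader reading a file into memory before ReadFile), while 004299D9 is the only GENERIC_READ|GENERIC_WRITE OPEN_ALWAYS open, so it is the call site to inspect first when tracing where a file is written. Registry and Sleep lines decode to HKEY_CURRENT_USER and 500 ms respectively.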
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: CreateFile
                                                          • String ID:
                                                          • API String ID: 823142352-0
                                                          • Opcode ID: 7605a8ea73ac57d11bec7dd1d6207c313580f8ed20fa142c5c15d61e0266fbc2
                                                          • Instruction ID: 855a981e3d87b0586b227f36a287a9e63fe5cd358b5bfab8de368ff291d46a89
                                                          • Opcode Fuzzy Hash: 7605a8ea73ac57d11bec7dd1d6207c313580f8ed20fa142c5c15d61e0266fbc2
                                                          • Instruction Fuzzy Hash: 67011D703803107AF2311F28AD5BF5632546B44B24F244B39FBD5BE2E2D2F86885970C
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: __lock_file_memset
                                                          • String ID:
                                                          • API String ID: 26237723-0
                                                          • Opcode ID: c74911371e76cb9dc4786cfdbe28690debad29cef5acae8c4501fea9e7903076
                                                          • Instruction ID: c8a12bf2a45d0ac11074f8cac28b928f9e20b60047ac9024d749846706a082ab
                                                          • Opcode Fuzzy Hash: c74911371e76cb9dc4786cfdbe28690debad29cef5acae8c4501fea9e7903076
                                                          • Instruction Fuzzy Hash: 32012971C00609FBCF22AF65DC029DF3B31AF44714F04815BF82416261D7798AA2DF99
                                                          APIs
                                                            • Part of subcall function 00417F23: __getptd_noexit.LIBCMT ref: 00417F23
                                                            • Part of subcall function 00417EBB: __decode_pointer.LIBCMT ref: 00417EC6
                                                          • __lock_file.LIBCMT ref: 00414EE4
                                                            • Part of subcall function 00415965: __lock.LIBCMT ref: 0041598A
                                                          • __fclose_nolock.LIBCMT ref: 00414EEE
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: __decode_pointer__fclose_nolock__getptd_noexit__lock__lock_file
                                                          • String ID:
                                                          • API String ID: 717694121-0
                                                          • Opcode ID: 6051778e024176e7de16a1974b8d1b3b80c3b8a23747dfcb666cdf4e7799d8f6
                                                          • Instruction ID: 225a509e04b880138f2478077c57af59103cae2c072c29012e7845c0956b1514
                                                          • Opcode Fuzzy Hash: 6051778e024176e7de16a1974b8d1b3b80c3b8a23747dfcb666cdf4e7799d8f6
                                                          • Instruction Fuzzy Hash: DEF06270D0470499C721BB6A9802ADE7AB0AFC1338F21864FE479A72D1C77C46C29F5D
                                                          APIs
                                                          • TranslateMessage.USER32(?), ref: 004098F6
                                                          • DispatchMessageW.USER32(?), ref: 00409901
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: Message$DispatchTranslate
                                                          • String ID:
                                                          • API String ID: 1706434739-0
                                                          • Opcode ID: 743ba5b075e4e96b6aa8f27e888cbbcb244a1ef3297f43ff84cf2107d4412f6a
                                                          • Instruction ID: 6b3a2aeb923af73eb4cdb1bab797699f2cf27729a5018e8568c19fb4e3feaf67
                                                          • Opcode Fuzzy Hash: 743ba5b075e4e96b6aa8f27e888cbbcb244a1ef3297f43ff84cf2107d4412f6a
                                                          • Instruction Fuzzy Hash: D4F05471114301AEDA24DBE58D41B5BB3A8AFD8700F408C2EBA51E61C1FBF8E404C76A
                                                          APIs
                                                          • TranslateMessage.USER32(?), ref: 004098F6
                                                          • DispatchMessageW.USER32(?), ref: 00409901
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: Message$DispatchTranslate
                                                          • String ID:
                                                          • API String ID: 1706434739-0
                                                          • Opcode ID: fb629fc6ca96518639a0c0a81923e3da878f7f29ff55e6bd70df59113b88f2fd
                                                          • Instruction ID: cc4909b6a78c34842ee59a7900970f574117f06624f4f9c7373c79b1fb9dfc76
                                                          • Opcode Fuzzy Hash: fb629fc6ca96518639a0c0a81923e3da878f7f29ff55e6bd70df59113b88f2fd
                                                          • Instruction Fuzzy Hash: DDF054B1114301AADA14DBE58D41B5BB3A4AF94740F408C2EBA11E52C1EBFCD504C71A
                                                          APIs
                                                            • Part of subcall function 040E0928: GetFileAttributesW.KERNELBASE(?), ref: 040E0933
                                                          • CreateDirectoryW.KERNELBASE(?,00000000), ref: 040E121D
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1729306889.00000000040E0000.00000040.00000020.00020000.00000000.sdmp, Offset: 040E0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_40e0000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: AttributesCreateDirectoryFile
                                                          • String ID:
                                                          • API String ID: 3401506121-0
                                                          • Opcode ID: 1b3ff99a5b8f364c42192ccb05325f18a32196dc7235371120fe0911ba88ec73
                                                          • Instruction ID: 9807859cd5acfafa3173825715fb08d9380f373044344cb5d02f6f2425737c43
                                                          • Opcode Fuzzy Hash: 1b3ff99a5b8f364c42192ccb05325f18a32196dc7235371120fe0911ba88ec73
                                                          • Instruction Fuzzy Hash: DD516E31A102089AEF14DFB0D854BEF737AFF58700F00456DE609FB290EA75AA55CBA5
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: ProtectVirtual
                                                          • String ID:
                                                          • API String ID: 544645111-0
                                                          • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                          • Instruction ID: fb1d736feddc8336b94c661b4f3a99b04f66f7614ca83ae43ac4a02a862e88ab
                                                          • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                          • Instruction Fuzzy Hash: 1331D574A00105DFC718DF99E490AAAFBA6FB49304B2486A6E409CB751D774EDC1CBC5
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0d8ad4d875158e0120ed104e09085659f42b86f6d600f5d33fa38308f41241bf
                                                          • Instruction ID: 573dba848690e0cdfd4c9be45b5663ff9194aa529e9341154cf92adfcd841cf8
                                                          • Opcode Fuzzy Hash: 0d8ad4d875158e0120ed104e09085659f42b86f6d600f5d33fa38308f41241bf
                                                          • Instruction Fuzzy Hash: 5E11C374200200ABC7249FAAD8D5F2A73A5AF45304B244C6FE845E7392D73CEC81EB5E
                                                          APIs
                                                          • DefWindowProcW.USER32(?,?,?,?), ref: 00401123
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: ProcWindow
                                                          • String ID:
                                                          • API String ID: 181713994-0
                                                          • Opcode ID: 2bcff8431ba1ff294e2b1c33dceaa93ee25f984dfbecb3b506615433fd530346
                                                          • Instruction ID: 72bdf1ad184d721e15e17473fba0dc1faec6c1a9a9d1f3fcb71c15abd8c9f185
                                                          • Opcode Fuzzy Hash: 2bcff8431ba1ff294e2b1c33dceaa93ee25f984dfbecb3b506615433fd530346
                                                          • Instruction Fuzzy Hash: FDF05436700118A7DF38995CE89ACFF632AD7ED350F418227FD152B3A6813C5C41966E
                                                          APIs
                                                          • HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 0041AA46
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: CreateHeap
                                                          • String ID:
                                                          • API String ID: 10892065-0
                                                          • Opcode ID: 715419928b85d2867e9ba06f33a68846dd0d9c70f7b25bc38942ce62b1fa172d
                                                          • Instruction ID: 99ddfbee892492b32903703907324a593b21f4d4a70cf9c354be63060b8faba1
                                                          • Opcode Fuzzy Hash: 715419928b85d2867e9ba06f33a68846dd0d9c70f7b25bc38942ce62b1fa172d
                                                          • Instruction Fuzzy Hash: 56D05E325543449EDF009F71AC087663FDCE788395F008836BC1CC6150E778C950CA08
                                                          APIs
                                                          • GetFileAttributesW.KERNELBASE(?), ref: 040E0933
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1729306889.00000000040E0000.00000040.00000020.00020000.00000000.sdmp, Offset: 040E0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_40e0000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: AttributesFile
                                                          • String ID:
                                                          • API String ID: 3188754299-0
                                                          • Opcode ID: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
                                                          • Instruction ID: 52e67eca345aca29b13b21a330651c91cd8a856a8aba6eb2c04e8552d2f7f6b7
                                                          • Opcode Fuzzy Hash: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
                                                          • Instruction Fuzzy Hash: BCE08631605119DFEB90CEBA8D546BD73A4E705320F004654A719D3180D670AA24D661
                                                          APIs
                                                            • Part of subcall function 00444326: SetFilePointerEx.KERNEL32(00000000,00000001,00000000,00000000,00000001,?,?,0044434E,?,?,00429A83,?,00487174,00000003,0040DFEE,?), ref: 004442F3
                                                          • WriteFile.KERNELBASE(?,?,00000001,?,00000000,?,?,00429A83,?,00487174,00000003,0040DFEE,?,?,00000001,00403843), ref: 00444362
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: File$PointerWrite
                                                          • String ID:
                                                          • API String ID: 539440098-0
                                                          • Opcode ID: 35769b91a3a7bdb08b20991cec1574ff36ffa6c1adc4d20a0c17b9033c9b0ad0
                                                          • Instruction ID: 4a339a6eb5dfef6003722c1615037f540bc53d76d7f4c43935d02bdd90bbdfc9
                                                          • Opcode Fuzzy Hash: 35769b91a3a7bdb08b20991cec1574ff36ffa6c1adc4d20a0c17b9033c9b0ad0
                                                          • Instruction Fuzzy Hash: 7CE09275104311AFD250DF54D944F9BB3F8AF88714F108D0EF59587241D7B4A9848BA6
                                                          APIs
                                                          • GetFileAttributesW.KERNELBASE(?), ref: 040E0903
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1729306889.00000000040E0000.00000040.00000020.00020000.00000000.sdmp, Offset: 040E0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_40e0000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: AttributesFile
                                                          • String ID:
                                                          • API String ID: 3188754299-0
                                                          • Opcode ID: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
                                                          • Instruction ID: 19efa6d17cf9008f81ded42b77cfc35e63a416b42d1acdb461871764d42db7c9
                                                          • Opcode Fuzzy Hash: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
                                                          • Instruction Fuzzy Hash: EFD0A731A0620DEFDB60CFB59D049EE73A8D705320F008755FF15D3280D675AE10A790
                                                          APIs
                                                          • DefWindowProcW.USER32(?,?,?,?), ref: 00401123
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: ProcWindow
                                                          • String ID:
                                                          • API String ID: 181713994-0
                                                          • Opcode ID: 837c1f5b160989e4bc04331483680d437582dbd9ffcfcea34caefcb6c1da81af
                                                          • Instruction ID: 4c36cba44089d0e03573cc5e8dee84df23505be31ebc2729507753268ee0d302
                                                          • Opcode Fuzzy Hash: 837c1f5b160989e4bc04331483680d437582dbd9ffcfcea34caefcb6c1da81af
                                                          • Instruction Fuzzy Hash: C3C08C72100008BB8700DE04EC44CFBB72CEBD8310700C20BBC0586201C230885097A1
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: __wfsopen
                                                          • String ID:
                                                          • API String ID: 197181222-0
                                                          • Opcode ID: d1a4d26266dcb7911ef956bf4afcad96e19892d5a9e8770749e386b2bd63db79
                                                          • Instruction ID: 6225ca515e7db1e5d7746fb8cf1e0ad45b41b4d1817cc5a1d8a93eb941133566
                                                          • Opcode Fuzzy Hash: d1a4d26266dcb7911ef956bf4afcad96e19892d5a9e8770749e386b2bd63db79
                                                          • Instruction Fuzzy Hash: EDC09B7644010C77CF122943FC02E453F1997C0764F044011FB1C1D561D577D5619589
                                                          APIs
                                                          • CloseHandle.KERNELBASE(00000000,?,0040DF8E), ref: 0040D91D
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: CloseHandle
                                                          • String ID:
                                                          • API String ID: 2962429428-0
                                                          • Opcode ID: b0db0cc9728059d6acb69f925b284233246e7185417bf28957a0aabd78f307cc
                                                          • Instruction ID: 397672216df932ca6c22f29d52987cd2165f63c791f69eb8015935d900cfb6d9
                                                          • Opcode Fuzzy Hash: b0db0cc9728059d6acb69f925b284233246e7185417bf28957a0aabd78f307cc
                                                          • Instruction Fuzzy Hash: 16E0DEB5900B019EC7318F6AE544416FBF8AEE46213248E2FD4E6D2A64D3B4A5898F54
                                                          APIs
                                                          • Sleep.KERNELBASE(000001F4), ref: 040E2329
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1729306889.00000000040E0000.00000040.00000020.00020000.00000000.sdmp, Offset: 040E0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_40e0000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: Sleep
                                                          • String ID:
                                                          • API String ID: 3472027048-0
                                                          • Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                                          • Instruction ID: 85e7ee951d4b30220f247ef1304d60383363838717fba2c200c667fc75d42ec2
                                                          • Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                                          • Instruction Fuzzy Hash: 46E0BF7494010DEFDB00EFB4D5496ED7BB4EF04301F1005A5FD05E7690DB309E648A62
                                                          APIs
                                                          • Sleep.KERNELBASE(000001F4), ref: 040E2329
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1729306889.00000000040E0000.00000040.00000020.00020000.00000000.sdmp, Offset: 040E0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_40e0000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: Sleep
                                                          • String ID:
                                                          • API String ID: 3472027048-0
                                                          • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                          • Instruction ID: f69205a4db710e2d82bb9cf21f0780a90727140203c4210bb59df2819c59b3b3
                                                          • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                          • Instruction Fuzzy Hash: 48E0E67494010DDFDB00EFB4D5496AD7BB4EF04301F1005A5FD01E2280DA309D608A62
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: PF$PF$"DF$$JG$&F$&F$'HG$'|G$*"D$*nF$*vG$+%F$0wE$4rE$5CG$6MG$6NF$6tE$7eF$<HF$<G$ApG$BnE$DvE$F)G$GSG$IqE$K@G$LbF$MdF$MuE$NgF$O*F$PIF$QbG$R+F$RnG$YlE$YtG$Z9G$ZPG$^[F$^oE$_7G$_?G$b"D$fH$i}G$j)F$kQG$lE$rTG$vjE$}eE$~mE$*F$.F$3G$_G$`F$mE$pE$wG
                                                          • API String ID: 0-4260964411
                                                          • Opcode ID: bb854585b2a8d25cf70b859c951904b6599901827447d171664d6ae6ba41e592
                                                          • Instruction ID: b1e67458769bbea4a86cd8903524db5b6e79558e2e7ab8c51025fc7bd56032a7
                                                          • Opcode Fuzzy Hash: bb854585b2a8d25cf70b859c951904b6599901827447d171664d6ae6ba41e592
                                                          • Instruction Fuzzy Hash: 118366F1905B409FC351DFAAF984605BAE1F3AA3157A2857FC5088B731D7B8194A8F4C
                                                          APIs
                                                          • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0047C158
                                                          • DefDlgProcW.USER32(?,0000004E,?,?,004A83D8,?,004A83D8,?), ref: 0047C173
                                                          • GetKeyState.USER32(00000011), ref: 0047C1A4
                                                          • GetKeyState.USER32(00000009), ref: 0047C1AD
                                                          • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0047C1C0
                                                          • GetKeyState.USER32(00000010), ref: 0047C1CA
                                                          • GetWindowLongW.USER32(00000002,000000F0), ref: 0047C1DE
                                                          • SendMessageW.USER32(00000002,0000110A,00000009,00000000), ref: 0047C20A
                                                          • SendMessageW.USER32(00000002,0000113E,00000000,?), ref: 0047C22D
                                                          • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0047C2D6
                                                          • SendMessageW.USER32 ref: 0047C2FB
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$State$LongProcWindow
                                                          • String ID: @GUI_DRAGID$F
                                                          • API String ID: 1562745308-4164748364
                                                          • Opcode ID: dcc01cbd87ddd492c2c278cbacd50e58f25e8ccd866e9ebab9dee97b514268e5
                                                          • Instruction ID: f40edf6d5039c675f00343e7880f865f139be9e64e9b8d530a61de5f06f6045f
                                                          • Opcode Fuzzy Hash: dcc01cbd87ddd492c2c278cbacd50e58f25e8ccd866e9ebab9dee97b514268e5
                                                          • Instruction Fuzzy Hash: C6429F702042019FD714CF54C884FAB77A5EB89B04F548A6EFA48AB291DBB4EC45CB5A
                                                          APIs
                                                          • GetForegroundWindow.USER32(00000000,?,?,004448AF,?), ref: 004375B3
                                                          • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 004375D8
                                                          • IsIconic.USER32(?), ref: 004375E1
                                                          • ShowWindow.USER32(?,00000009,?,?,004448AF,?), ref: 004375EE
                                                          • SetForegroundWindow.USER32(?), ref: 004375FD
                                                          • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00437615
                                                          • GetCurrentThreadId.KERNEL32 ref: 00437619
                                                          • GetWindowThreadProcessId.USER32(?,00000000), ref: 00437624
                                                          • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,004448AF,?), ref: 00437632
                                                          • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,004448AF,?), ref: 00437638
                                                          • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,004448AF,?), ref: 0043763E
                                                          • SetForegroundWindow.USER32(?), ref: 00437645
                                                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 00437654
                                                          • keybd_event.USER32(00000012,00000000), ref: 0043765D
                                                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 0043766B
                                                          • keybd_event.USER32(00000012,00000000), ref: 00437674
                                                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 00437682
                                                          • keybd_event.USER32(00000012,00000000), ref: 0043768B
                                                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 00437699
                                                          • keybd_event.USER32(00000012,00000000), ref: 004376A2
                                                          • SetForegroundWindow.USER32(?), ref: 004376AD
                                                          • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,004448AF), ref: 004376CD
                                                          • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,004448AF), ref: 004376D3
                                                          • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,004448AF), ref: 004376D9
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: Thread$Window$AttachInput$ForegroundVirtualkeybd_event$Process$CurrentFindIconicShow
                                                          • String ID: Shell_TrayWnd
                                                          • API String ID: 3778422247-2988720461
                                                          • Opcode ID: ec12ba9e870cc2e5dd85ad52799cb15a6745d125a488419c4f0ebb71fc1ee38e
                                                          • Instruction ID: 6108fbe056c1a000d5481f33e03d330ccc862392245923d3170deea12ea07584
                                                          • Opcode Fuzzy Hash: ec12ba9e870cc2e5dd85ad52799cb15a6745d125a488419c4f0ebb71fc1ee38e
                                                          • Instruction Fuzzy Hash: AC31A4712803157FE6245BA59D0EF7F3F9CEB48B51F10082EFA02EA1D1DAE458009B79
                                                          APIs
                                                          • _memset.LIBCMT ref: 0044621B
                                                          • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,?,?,?,?,?,?,?), ref: 00446277
                                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0044628A
                                                          • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 004462A4
                                                          • GetProcessWindowStation.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 004462BD
                                                          • SetProcessWindowStation.USER32(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004462C8
                                                          • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 004462E4
                                                          • _wcslen.LIBCMT ref: 0044639E
                                                            • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                                                          • _wcsncpy.LIBCMT ref: 004463C7
                                                          • LoadUserProfileW.USERENV(?,00000000,00000000,?,?,00000000,?,?,?,?), ref: 004463E7
                                                          • CreateEnvironmentBlock.USERENV(?,?,00000000,00000000,?,?,00000000,?,?,?,?), ref: 00446408
                                                          • CreateProcessAsUserW.ADVAPI32(?,00000000,00000000,00000000,00000000,?,?,?,?,?,?,00000000,?,?,00000000,?), ref: 00446446
                                                          • UnloadUserProfile.USERENV(?,?,?,?,?,?,?), ref: 00446483
                                                          • CloseWindowStation.USER32(00000000,?,?,?,?), ref: 00446497
                                                          • CloseDesktop.USER32(00000000,?,?,?,?), ref: 0044649E
                                                          • SetProcessWindowStation.USER32(?,?,?,?,?), ref: 004464A9
                                                          • CloseHandle.KERNEL32(?,?,?,?,?), ref: 004464B4
                                                          • DestroyEnvironmentBlock.USERENV(?,?,?,?,?,?), ref: 004464C8
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: StationWindow$CloseProcess$User$BlockCreateDesktopEnvironmentHandleOpenProfile$DestroyDuplicateLoadTokenUnload_malloc_memset_wcslen_wcsncpy
                                                          • String ID: $default$winsta0
                                                          • API String ID: 2173856841-1027155976
                                                          • Opcode ID: dd3fbc5dfca59238d4d8e810ac2ec3cbfbbbad9087bbfadb14fa7de528d26857
                                                          • Instruction ID: eafd5d154f9bcf2590b8f8eb1e0f3d39b01f77f2fd200ee1cb9c7344d9c52646
                                                          • Opcode Fuzzy Hash: dd3fbc5dfca59238d4d8e810ac2ec3cbfbbbad9087bbfadb14fa7de528d26857
                                                          • Instruction Fuzzy Hash: DD819170208341AFE724DF65C848B6FBBE8AF89744F04491DF69097291DBB8D805CB6B
                                                          APIs
                                                            • Part of subcall function 0040FFB0: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\Desktop\CdbVaYf8jC.exe,?,C:\Users\user\Desktop\CdbVaYf8jC.exe,004A8E80,C:\Users\user\Desktop\CdbVaYf8jC.exe,0040F3D2), ref: 0040FFCA
                                                            • Part of subcall function 00436A1D: __wsplitpath.LIBCMT ref: 00436A45
                                                            • Part of subcall function 00436A1D: __wsplitpath.LIBCMT ref: 00436A6C
                                                            • Part of subcall function 00436A1D: __wcsicoll.LIBCMT ref: 00436A93
                                                            • Part of subcall function 00436AC4: GetFileAttributesW.KERNEL32(?,0044BD82,?,?,?), ref: 00436AC9
                                                          • _wcscat.LIBCMT ref: 0044BD96
                                                          • _wcscat.LIBCMT ref: 0044BDBF
                                                          • __wsplitpath.LIBCMT ref: 0044BDEC
                                                          • FindFirstFileW.KERNEL32(?,?), ref: 0044BE04
                                                          • _wcscpy.LIBCMT ref: 0044BE73
                                                          • _wcscat.LIBCMT ref: 0044BE85
                                                          • _wcscat.LIBCMT ref: 0044BE97
                                                          • lstrcmpiW.KERNEL32(?,?), ref: 0044BEC3
                                                          • DeleteFileW.KERNEL32(?), ref: 0044BED5
                                                          • MoveFileW.KERNEL32(?,?), ref: 0044BEF5
                                                          • CopyFileW.KERNEL32(?,?,00000000), ref: 0044BF0C
                                                          • DeleteFileW.KERNEL32(?), ref: 0044BF17
                                                          • CopyFileW.KERNEL32(?,?,00000000), ref: 0044BF2E
                                                          • FindClose.KERNEL32(00000000), ref: 0044BF35
                                                          • MoveFileW.KERNEL32(?,?), ref: 0044BF51
                                                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 0044BF66
                                                          • FindClose.KERNEL32(00000000), ref: 0044BF7E
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: File$Find_wcscat$__wsplitpath$CloseCopyDeleteMove$AttributesFirstFullNameNextPath__wcsicoll_wcscpylstrcmpi
                                                          • String ID: \*.*
                                                          • API String ID: 2188072990-1173974218
                                                          • Opcode ID: 37b83e77465c63a9a0fc5a2f65b261a2e9867c78515d1bc57cb11e6e3b171851
                                                          • Instruction ID: 14f7055b3521afb04026f42b490306401b0ba37f80ed0ea0ca267746d8cc4687
                                                          • Opcode Fuzzy Hash: 37b83e77465c63a9a0fc5a2f65b261a2e9867c78515d1bc57cb11e6e3b171851
                                                          • Instruction Fuzzy Hash: CA5166B2008344AAD720DBA4DC44FDF73E8AB85314F448D1EF68982141EB79D64CCBAA
                                                          APIs
                                                          • __invoke_watson.LIBCMT ref: 004203A4
                                                            • Part of subcall function 00417D93: _memset.LIBCMT ref: 00417DBB
                                                            • Part of subcall function 00417D93: IsDebuggerPresent.KERNEL32(?,?,00000314), ref: 00417E6F
                                                            • Part of subcall function 00417D93: SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,00000314), ref: 00417E79
                                                            • Part of subcall function 00417D93: UnhandledExceptionFilter.KERNEL32(?,?,?,00000314), ref: 00417E86
                                                            • Part of subcall function 00417D93: GetCurrentProcess.KERNEL32(C0000417,?,?,00000314), ref: 00417EA1
                                                            • Part of subcall function 00417D93: TerminateProcess.KERNEL32(00000000,?,?,00000314), ref: 00417EA8
                                                          • __get_daylight.LIBCMT ref: 004203B0
                                                          • __invoke_watson.LIBCMT ref: 004203BF
                                                          • __get_daylight.LIBCMT ref: 004203CB
                                                          • __invoke_watson.LIBCMT ref: 004203DA
                                                          • ____lc_codepage_func.LIBCMT ref: 004203E2
                                                          • _strlen.LIBCMT ref: 00420442
                                                          • __malloc_crt.LIBCMT ref: 00420449
                                                          • _strlen.LIBCMT ref: 0042045F
                                                          • _strcpy_s.LIBCMT ref: 0042046D
                                                          • __invoke_watson.LIBCMT ref: 00420482
                                                          • GetTimeZoneInformation.KERNEL32(00496C28), ref: 004204AA
                                                          • WideCharToMultiByte.KERNEL32(?,?,00496C2C,?,?,0000003F,?,?), ref: 00420528
                                                          • WideCharToMultiByte.KERNEL32(?,?,00496C80,000000FF,?,0000003F,?,?,?,00496C2C,?,?,0000003F,?,?), ref: 0042055C
                                                            • Part of subcall function 00413A88: __lock.LIBCMT ref: 00413AA6
                                                            • Part of subcall function 00413A88: ___sbh_find_block.LIBCMT ref: 00413AB1
                                                            • Part of subcall function 00413A88: ___sbh_free_block.LIBCMT ref: 00413AC0
                                                            • Part of subcall function 00413A88: RtlFreeHeap.NTDLL(00000000,00411739,0048C758,0000000C,004183E8,00000000,0048CA38,0000000C,00418422,00411739,?,?,004224D3,00000004,0048CCA0,0000000C), ref: 00413AF0
                                                            • Part of subcall function 00413A88: GetLastError.KERNEL32(?,004224D3,00000004,0048CCA0,0000000C,00417011,00411739,?,00000000,00000000,00000000,?,00416C24,00000001,00000214), ref: 00413B01
                                                          • __invoke_watson.LIBCMT ref: 004205CC
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: __invoke_watson$ByteCharExceptionFilterMultiProcessUnhandledWide__get_daylight_strlen$CurrentDebuggerErrorFreeHeapInformationLastPresentTerminateTimeZone____lc_codepage_func___sbh_find_block___sbh_free_block__lock__malloc_crt_memset_strcpy_s
                                                          • String ID: S\
                                                          • API String ID: 4084823496-393906132
                                                          • Opcode ID: 9f641836eee9844fdb211255f71e21062b6006d1a88a71a8f5a1c928a585c03b
                                                          • Instruction ID: b357f19af7064e56bcdb8625987f67de7edc2332d57e558cb2e7b84f91b73af7
                                                          • Opcode Fuzzy Hash: 9f641836eee9844fdb211255f71e21062b6006d1a88a71a8f5a1c928a585c03b
                                                          • Instruction Fuzzy Hash: 6A91D371E00125AFDB20EF65EC819AE7BE9EF55300B95003BF540A7253DA3C89828F5C
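The API summaries in this report are raw call traces: reading them as behaviour needs the argument constants decoded and the calls read in sequence. The Python below is an added example for this page, not Joe Sandbox code and not part of the report. It parses lines in the report's `• Api.MODULE(args), ref: ADDR` format (including the indented "Part of subcall function" entries), decodes the constants that matter in the DuplicateTokenEx/CreateProcessAsUserW, AttachThreadInput/keybd_event and IsDebuggerPresent entries above and in the DeviceIoControl entry of the next summary, and flags the resulting patterns. The sample trace is constructed from those report lines; the finding names and the pattern rules are this example's own conventions. Two analyst points it encodes: DeviceIoControl with control code 000900A4 is FSCTL_SET_REPARSE_POINT on a handle that CreateFileW opened with GENERIC_WRITE and FILE_FLAG_BACKUP_SEMANTICS|FILE_FLAG_OPEN_REPARSE_POINT (02200000), which together with the `\??\%s` string is a reparse point being written onto a freshly created directory; and IsDebuggerPresent reached only as a subcall of the __invoke_watson path (memset, IsDebuggerPresent, SetUnhandledExceptionFilter, TerminateProcess with C0000417) is the MSVC runtime's own fatal-error handler rather than an evasion check in the sample's logic, so the example reports it under a separate key.

```python
"""Parse Joe Sandbox 'APIs' trace lines and flag notable Win32 call patterns.
Added example for this report, not Joe Sandbox code. SAMPLE_TRACE is constructed
from the report's own entries; finding names and rules are this example's assumptions."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed from report lines: token/RunAs block, reparse-point block, CRT fault
# handler subcall, focus-stealing block, and an argument-less entry.
SAMPLE_TRACE = """\
• DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,?,?,?,?,?,?,?), ref: 00446277
• OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 004462A4
• OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 004462E4
• LoadUserProfileW.USERENV(?,00000000,00000000,?,?,00000000,?,?,?,?), ref: 004463E7
• CreateProcessAsUserW.ADVAPI32(?,00000000,00000000,00000000,00000000,?,?,?,?,?,?,00000000,?,?,00000000,?), ref: 00446446
• CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00434E0A
• DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00434EA9
  • Part of subcall function 00417D93: IsDebuggerPresent.KERNEL32(?,?,00000314), ref: 00417E6F
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,004448AF,?), ref: 00437632
• keybd_event.USER32(00000012,00000000), ref: 0043765D
• SendMessageW.USER32 ref: 0047C2FB
"""

# One report line: optional "Part of subcall function X:" prefix, Api.MODULE, optional
# "(args)", then ", ref: ADDR". Args are hex literals, '?' (unresolved) or strings.
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Win32 constants used by the rules (values as defined in the Windows SDK headers).
FSCTL_NAMES = {0x000900A4: "FSCTL_SET_REPARSE_POINT", 0x000900A8: "FSCTL_GET_REPARSE_POINT",
               0x000900AC: "FSCTL_DELETE_REPARSE_POINT"}
CREATEFILE_FLAGS = {0x02000000: "FILE_FLAG_BACKUP_SEMANTICS", 0x00200000: "FILE_FLAG_OPEN_REPARSE_POINT"}
VK_MENU = 0x12      # ALT: AttachThreadInput plus an ALT tap is the classic SetForegroundWindow bypass
TOKEN_PRIMARY = 1   # TOKEN_TYPE passed to DuplicateTokenEx when the copy will start a process


@dataclass
class ApiCall:
    api: str
    module: str
    args: list
    ref: int
    subcall_of: Optional[int] = None   # address of the callee that made this call, when nested


def parse_trace(text: str) -> list:
    """Turn report lines into ApiCall records; lines that are not API entries are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw, sub = m.group("args"), m.group("sub")
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("api"), m.group("mod"), args,
                             int(m.group("ref"), 16), int(sub, 16) if sub else None))
    return calls


def hex_arg(call: ApiCall, index: int) -> Optional[int]:
    """Argument `index` as an int if the report resolved it to a hex literal, else None."""
    try:
        return int(call.args[index], 16)
    except (IndexError, ValueError):
        return None


def decode_ioctl(call: ApiCall) -> Optional[str]:
    """Name of the control code in a DeviceIoControl call (arg 1), or the raw code."""
    if call.api != "DeviceIoControl":
        return None
    code = hex_arg(call, 1)
    return None if code is None else FSCTL_NAMES.get(code, f"0x{code:08X}")


def decode_createfile_flags(call: ApiCall) -> list:
    """FILE_FLAG_* names set in CreateFileW's dwFlagsAndAttributes (arg 5)."""
    flags = hex_arg(call, 5) or 0
    return [name for bit, name in CREATEFILE_FLAGS.items() if flags & bit]


def find_patterns(calls: list) -> dict:
    """Map finding name -> call sites (ref addresses) in trace order."""
    findings, primary_token_copied, input_attached = {}, False, False
    for c in calls:
        if c.api == "DuplicateTokenEx" and hex_arg(c, 4) == TOKEN_PRIMARY:
            primary_token_copied = True
        elif c.api == "CreateProcessAsUserW" and primary_token_copied:
            findings.setdefault("token_process_creation", []).append(c.ref)
        if decode_ioctl(c) == "FSCTL_SET_REPARSE_POINT":
            findings.setdefault("reparse_point_write", []).append(c.ref)
        if c.api == "AttachThreadInput" and hex_arg(c, 2) == 1:     # fAttach == TRUE
            input_attached = True
        elif c.api == "keybd_event" and input_attached and hex_arg(c, 0) == VK_MENU:
            findings.setdefault("alt_key_focus_steal", []).append(c.ref)
        if c.api == "IsDebuggerPresent":
            # Nested under a CRT routine (here __invoke_watson's fault handler) it is the
            # runtime's own error path, so keep it apart from a direct anti-debug check.
            key = "debugger_check_in_subcall" if c.subcall_of is not None else "debugger_check"
            findings.setdefault(key, []).append(c.ref)
    return findings


if __name__ == "__main__":
    for name, refs in find_patterns(parse_trace(SAMPLE_TRACE)).items():
        print(f"{name}: {', '.join(f'{r:08X}' for r in refs)}")
```

Run stand-alone it prints one line per finding with the call sites; feed it the "APIs" lines of any other summary in this report to get the same decoding. The rules deliberately need sequence context (a primary token duplicated before CreateProcessAsUserW, input attached before the ALT tap), because a single call name in a trace says little about intent.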
APIs
• GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00434D75
• __swprintf.LIBCMT ref: 00434D91
• _wcslen.LIBCMT ref: 00434D9B
• _wcslen.LIBCMT ref: 00434DB0
• _wcslen.LIBCMT ref: 00434DC5
• CreateDirectoryW.KERNEL32(?,00000000), ref: 00434DD7
• CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00434E0A
• _memset.LIBCMT ref: 00434E27
• _wcslen.LIBCMT ref: 00434E3C
• _wcsncpy.LIBCMT ref: 00434E6F
• DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00434EA9
• CloseHandle.KERNEL32(00000000), ref: 00434EB4
• RemoveDirectoryW.KERNEL32(?), ref: 00434EBB
• CloseHandle.KERNEL32(00000000), ref: 00434ECE
Memory Dump Source
• Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
Similarity
• API ID: _wcslen$CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
• String ID: :$\$\??\%s
• API String ID: 302090198-3457252023
• Opcode ID: 1623bec2b974bb3ee5261838648fb58b2a9d6db5aa255760d49714c370e47f4e
• Instruction ID: 730b2dca1b6b09bd6b76555d3316dee95f4818bcffb97f26f8f03165767cfd2f
• Opcode Fuzzy Hash: 1623bec2b974bb3ee5261838648fb58b2a9d6db5aa255760d49714c370e47f4e
• Instruction Fuzzy Hash: 30416676604340ABE330EB64DC49FEF73E8AFD8714F00891EF649921D1E7B4A645876A
APIs
  • Part of subcall function 00444233: _wcslen.LIBCMT ref: 0044424E
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 0046449E
• GetLastError.KERNEL32 ref: 004644B4
• GetCurrentThread.KERNEL32 ref: 004644C8
• OpenThreadToken.ADVAPI32(00000000), ref: 004644CF
• GetCurrentProcess.KERNEL32(00000028,?), ref: 004644E0
• OpenProcessToken.ADVAPI32(00000000), ref: 004644E7
Memory Dump Source
• Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
Similarity
• API ID: OpenProcess$CurrentThreadToken$ErrorLast_wcslen
• String ID: SeDebugPrivilege
• API String ID: 1312810259-2896544425
• Opcode ID: bb2abcbadcb50e0008f3b1fe3e217bfa736f6ade076d8095da49bf04f95d98f8
• Instruction ID: c3f5e6af55eb0da9fa74db60d4f5a84adac3a89a74612fbe59a223ef38337450
• Opcode Fuzzy Hash: bb2abcbadcb50e0008f3b1fe3e217bfa736f6ade076d8095da49bf04f95d98f8
• Instruction Fuzzy Hash: 0E51A171200201AFD710DF65DD85F5BB7A8AB84704F10892EFB44DB2C1D7B8E844CBAA
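The two function entries above are easier to triage once their raw constants are decoded. In the first, CreateFileW is called with dwFlagsAndAttributes 0x02200000, which is FILE_FLAG_BACKUP_SEMANTICS | FILE_FLAG_OPEN_REPARSE_POINT, and DeviceIoControl is issued with control code 0x000900A4, which is FSCTL_SET_REPARSE_POINT; together with CreateDirectoryW, RemoveDirectoryW on the failure path and the "\??\%s" NT path format string, that is the standard sequence for creating an NTFS junction or symbolic link. In the second, OpenProcess is called with desired access 0x00000001 (PROCESS_TERMINATE), and the process and thread tokens are opened next to the string SeDebugPrivilege, the usual shape of privilege enabling before touching other processes. The script below is an added example and is not part of the Joe Sandbox report or of AutoIt: it parses the listing format used on this page, decodes those constants from their Windows SDK definitions, and applies a few illustrative rules. The sample input is constructed from lines of the two entries above; the function names (parse_listing, decode_ioctl, analyze, triage) and the rule set are this example's own.

```python
"""Triage helper for the Joe Sandbox 'APIs' listing format used above
('• Api.MODULE(arg,...), ref: ADDR' and '• String ID: a$b'). Added example, not
Joe Sandbox or AutoIt code; constants are from the Windows SDK headers."""
import re
from dataclasses import dataclass
from typing import Optional

FILE_FLAG_BACKUP_SEMANTICS = 0x02000000    # fileapi.h: lets CreateFile open a directory
FILE_FLAG_OPEN_REPARSE_POINT = 0x00200000  # fileapi.h: open the link itself, not its target
PROCESS_TERMINATE = 0x0001                 # winnt.h
FSCTL_NAMES = {                            # winioctl.h, CTL_CODE(FILE_DEVICE_FILE_SYSTEM=9, fn, ...)
    0x000900A4: "FSCTL_SET_REPARSE_POINT",
    0x000900A8: "FSCTL_GET_REPARSE_POINT",
    0x000900AC: "FSCTL_DELETE_REPARSE_POINT",
}
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_][\w@:]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
STRING_ID_RE = re.compile(r"^\s*•\s*String ID:\s*(?P<ids>.*?)\s*$")

@dataclass
class Call:
    name: str
    module: str
    args: list                     # raw tokens; '?' = value not static at analysis time
    ref: int                       # call-site address
    subcall: Optional[int] = None  # set for 'Part of subcall function X' lines

    def int_arg(self, i: int) -> Optional[int]:
        """Argument i as an int, or None for '?' or a string such as 'runas'."""
        try:
            return int(self.args[i], 16)
        except (IndexError, ValueError):
            return None

def parse_listing(text: str):
    """Parse one function entry (APIs + Strings lines) into (calls, string_ids)."""
    calls, ids = [], []
    for line in text.splitlines():
        if m := CALL_RE.match(line):
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            sub = int(m["sub"], 16) if m["sub"] else None
            calls.append(Call(m["name"], m["module"], args, int(m["ref"], 16), sub))
        elif s := STRING_ID_RE.match(line):
            ids.extend(x for x in s["ids"].split("$") if x)  # the report joins IDs with '$'
    return calls, ids

def decode_ioctl(code: int) -> dict:
    """Split a CTL_CODE into its device type, function, method and access fields."""
    return {"name": FSCTL_NAMES.get(code), "device": code >> 16, "method": code & 3,
            "function": (code >> 2) & 0xFFF, "access": (code >> 14) & 3}

def analyze(calls, ids):
    """Per-call constant decoding plus a few cross-call rules; returns findings."""
    findings, names, set_reparse = [], {c.name for c in calls}, False
    for c in calls:
        if c.name == "CreateFileW" and (flags := c.int_arg(5)) is not None:
            if flags & FILE_FLAG_OPEN_REPARSE_POINT and flags & FILE_FLAG_BACKUP_SEMANTICS:
                findings.append(f"CreateFileW@{c.ref:08X}: opens a directory as a reparse "
                                f"point (dwFlagsAndAttributes=0x{flags:08X})")
        elif c.name == "DeviceIoControl" and (code := c.int_arg(1)) is not None:
            if name := decode_ioctl(code)["name"]:
                findings.append(f"DeviceIoControl@{c.ref:08X}: {name} (0x{code:08X})")
                set_reparse |= name == "FSCTL_SET_REPARSE_POINT"
        elif c.name == "OpenProcess" and c.int_arg(0) == PROCESS_TERMINATE:
            findings.append(f"OpenProcess@{c.ref:08X}: requests PROCESS_TERMINATE only")
    if set_reparse and "CreateDirectoryW" in names:
        findings.append("junction/symlink creation: new directory + FSCTL_SET_REPARSE_POINT")
    if {"OpenProcessToken", "OpenThreadToken"} & names and "SeDebugPrivilege" in ids:
        findings.append("opens own token next to 'SeDebugPrivilege': privilege enabling")
    if {"CoInitializeSecurity", "CoSetProxyBlanket"} <= names:
        findings.append("COM object created with explicit proxy security (WMI/remote COM style)")
    return findings

def triage(text: str):
    return analyze(*parse_listing(text))

# Constructed sample input: lines copied from two function entries of this report.
SAMPLE_JUNCTION = r"""
• GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00434D75
• CreateDirectoryW.KERNEL32(?,00000000), ref: 00434DD7
• CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00434E0A
• _memset.LIBCMT ref: 00434E27
• DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00434EA9
• RemoveDirectoryW.KERNEL32(?), ref: 00434EBB
• String ID: :$\$\??\%s
"""
SAMPLE_TOKEN = r"""
  • Part of subcall function 00444233: _wcslen.LIBCMT ref: 0044424E
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 0046449E
• GetLastError.KERNEL32 ref: 004644B4
• OpenThreadToken.ADVAPI32(00000000), ref: 004644CF
• OpenProcessToken.ADVAPI32(00000000), ref: 004644E7
• String ID: SeDebugPrivilege
"""
```

Calling triage(SAMPLE_JUNCTION) returns three findings (the reparse-point CreateFileW, the FSCTL_SET_REPARSE_POINT DeviceIoControl, and the junction/symlink rule); triage(SAMPLE_TOKEN) returns the PROCESS_TERMINATE and SeDebugPrivilege findings. Paste any other entry from this page into parse_listing to decode it the same way. Two caveats: the argument parser splits on commas and treats '?' as unknown, so a string argument that happens to look like hex is misread; and these functions belong to the AutoIt interpreter runtime embedded in the sample (the report's own "This is a compiled AutoIt script" string), so a hit marks a capability of the runtime, not proof that the embedded script exercises it.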
APIs
• GetCurrentDirectoryW.KERNEL32(00000104,?,00000001,?,00000000), ref: 0040D6E5
  • Part of subcall function 00401F80: GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\CdbVaYf8jC.exe,00000104,?,?,?,?,00000000), ref: 00401FAD
  • Part of subcall function 00401F80: __wcsicoll.LIBCMT ref: 00402078
  • Part of subcall function 00401F80: __wcsicoll.LIBCMT ref: 0040208E
  • Part of subcall function 00401F80: __wcsicoll.LIBCMT ref: 004020A4
  • Part of subcall function 00401F80: __wcsicoll.LIBCMT ref: 004020BA
  • Part of subcall function 00401F80: _wcscpy.LIBCMT ref: 004020EF
• IsDebuggerPresent.KERNEL32(?), ref: 0040D6F1
• GetFullPathNameW.KERNEL32(C:\Users\user\Desktop\CdbVaYf8jC.exe,00000104,?,004A7CF8,004A7CFC), ref: 0040D763
  • Part of subcall function 00401440: GetFullPathNameW.KERNEL32(?,00000104,?,00000000), ref: 00401483
• SetCurrentDirectoryW.KERNEL32(?,00000001,C:\Users\user\Desktop\CdbVaYf8jC.exe,00000004), ref: 0040D7D6
• MessageBoxA.USER32(00000000,This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.,004846D6,00000010), ref: 00431AAB
• SetCurrentDirectoryW.KERNEL32(?,C:\Users\user\Desktop\CdbVaYf8jC.exe,00000004), ref: 00431B0E
• GetModuleFileNameW.KERNEL32(00000000,?,00000104,C:\Users\user\Desktop\CdbVaYf8jC.exe,00000004), ref: 00431B3F
• GetForegroundWindow.USER32(runas,?,?,?,00000001), ref: 00431B8B
• ShellExecuteW.SHELL32(00000000), ref: 00431B92
  • Part of subcall function 004101F0: GetSysColorBrush.USER32(0000000F), ref: 004101F9
  • Part of subcall function 004101F0: LoadCursorW.USER32(00000000,00007F00), ref: 00410209
  • Part of subcall function 004101F0: LoadIconW.USER32(?,00000063), ref: 0041021F
  • Part of subcall function 004101F0: LoadIconW.USER32(?,000000A4), ref: 00410232
  • Part of subcall function 004101F0: LoadIconW.USER32(?,000000A2), ref: 00410245
  • Part of subcall function 004101F0: LoadImageW.USER32(?,00000063,00000001,00000010,00000010,00000000), ref: 0041026A
  • Part of subcall function 004101F0: RegisterClassExW.USER32 ref: 004102C6
  • Part of subcall function 004103E0: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,?,00000000), ref: 00410415
  • Part of subcall function 004103E0: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000), ref: 0041043E
  • Part of subcall function 004103E0: ShowWindow.USER32(?,00000000), ref: 00410454
  • Part of subcall function 004103E0: ShowWindow.USER32(?,00000000), ref: 0041045E
  • Part of subcall function 0040E1E0: _memset.LIBCMT ref: 0040E202
  • Part of subcall function 0040E1E0: Shell_NotifyIconW.SHELL32(00000000,?), ref: 0040E2C7
Memory Dump Source
• Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
Similarity
• API ID: LoadWindow$IconName__wcsicoll$CurrentDirectory$CreateFileFullModulePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memset_wcscpy
• String ID: @GH$@GH$C:\Users\user\Desktop\CdbVaYf8jC.exe$This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.$runas
• API String ID: 2493088469-592853888
• Opcode ID: 69cfb0be49d24e5250ef6e64c59b5ea2b0a961f7c54b5140d3e7fdea8d41d4c7
• Instruction ID: f6e0ab4c143dd9a1f797559286fb6c41f0380d60009eb7dc722615656bf0e84e
• Opcode Fuzzy Hash: 69cfb0be49d24e5250ef6e64c59b5ea2b0a961f7c54b5140d3e7fdea8d41d4c7
• Instruction Fuzzy Hash: 0341F731618341ABD320F7A19C49BAF3BA4AB96704F04493FF941672D1DBBC9949C72E
APIs
  • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
• GetCurrentDirectoryW.KERNEL32(00000104,?,?), ref: 00403871
• GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00403887
• __wsplitpath.LIBCMT ref: 004038B2
  • Part of subcall function 00413DB0: __wsplitpath_helper.LIBCMT ref: 00413DF2
• _wcscpy.LIBCMT ref: 004038C7
• _wcscat.LIBCMT ref: 004038DC
• SetCurrentDirectoryW.KERNEL32(?), ref: 004038EC
  • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
  • Part of subcall function 0041171A: std::bad_alloc::bad_alloc.LIBCMT ref: 00411757
  • Part of subcall function 0041171A: std::bad_exception::bad_exception.LIBCMT ref: 0041176B
  • Part of subcall function 0041171A: __CxxThrowException@8.LIBCMT ref: 00411779
  • Part of subcall function 00403F40: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,?,?,0040397D,?,?,00000010), ref: 00403F54
  • Part of subcall function 00403F40: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,00000010), ref: 00403F8B
• _wcscpy.LIBCMT ref: 004039C2
• _wcslen.LIBCMT ref: 00403A53
• _wcslen.LIBCMT ref: 00403AAA
Strings
• Error opening the file, xrefs: 0042B8AC
• Unterminated string, xrefs: 0042B9BA
• _, xrefs: 00403B48
• #include depth exceeded. Make sure there are no recursive includes, xrefs: 0042B87B
Memory Dump Source
• Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
Similarity
• API ID: _wcslen$ByteCharCurrentDirectoryMultiWide_wcscpy$Exception@8FullNamePathThrow__wsplitpath__wsplitpath_helper_malloc_wcscatstd::bad_alloc::bad_allocstd::bad_exception::bad_exception
• String ID: #include depth exceeded. Make sure there are no recursive includes$Error opening the file$Unterminated string$_
• API String ID: 4115725249-188983378
• Opcode ID: 9d3cc106af837a0ba3a302398e1680714f0cc5ac52ed53ec90940b3ab90f08f5
• Instruction ID: dca64db042171ec5605b2d10b6a92a42a2076cc25022adee7b8115af8a15fc96
• Opcode Fuzzy Hash: 9d3cc106af837a0ba3a302398e1680714f0cc5ac52ed53ec90940b3ab90f08f5
• Instruction Fuzzy Hash: 16D1D5B15083019AD710EF65C841AEB77E8AF95308F04492FF5C563292DB78DA49C7AB
APIs
• FindFirstFileW.KERNEL32(?,?), ref: 00434C12
• GetFileAttributesW.KERNEL32(?), ref: 00434C4F
• SetFileAttributesW.KERNEL32(?,?), ref: 00434C65
• FindNextFileW.KERNEL32(00000000,?), ref: 00434C77
• FindClose.KERNEL32(00000000), ref: 00434C88
• FindClose.KERNEL32(00000000), ref: 00434C9C
• FindFirstFileW.KERNEL32(*.*,?), ref: 00434CB7
• SetCurrentDirectoryW.KERNEL32(?), ref: 00434CFE
• SetCurrentDirectoryW.KERNEL32(0048A090), ref: 00434D22
• FindNextFileW.KERNEL32(00000000,00000010), ref: 00434D2A
• FindClose.KERNEL32(00000000), ref: 00434D35
• FindClose.KERNEL32(00000000), ref: 00434D43
Memory Dump Source
• Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
Similarity
• API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
• String ID: *.*
• API String ID: 1409584000-438819550
• Opcode ID: 55a9fa3bdb603958be151e0ad833d8004315071fb05557dfda8e1c4e562a15c1
• Instruction ID: 399dbb17912f16e5170155dcc5475d9346bc7ba5aa4a4c8a0ea4d4714b2c7a66
• Opcode Fuzzy Hash: 55a9fa3bdb603958be151e0ad833d8004315071fb05557dfda8e1c4e562a15c1
• Instruction Fuzzy Hash: 4141D8726042086BD710EF64DC45AEFB3A8AAC9311F14592FFD54C3280EB79E915C7B9
Memory Dump Source
• Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
Similarity
• API ID: Timetime$Sleep
• String ID: BUTTON
• API String ID: 4176159691-3405671355
• Opcode ID: c9fcf2e0d9fa6a0073e84c27d550d5c6e5d49d4b0adb2218bf3fff485548fdb5
• Instruction ID: 32c89cc89acb3c111fc3cc5f781edb0c57d51ec263d79eeef99f8852f1a29925
• Opcode Fuzzy Hash: c9fcf2e0d9fa6a0073e84c27d550d5c6e5d49d4b0adb2218bf3fff485548fdb5
• Instruction Fuzzy Hash: CB21B7723843016BE330DB74FD4DF5A7B94A7A5B51F244876F600E6290D7A5D442876C
APIs
• FindFirstFileW.KERNEL32(?,74DE8FB0,74DE8FB0,?,?,00000000), ref: 00442E40
• FindNextFileW.KERNEL32(00000000,?,?,00000000), ref: 00442EA4
• FindClose.KERNEL32(00000000,?,00000000), ref: 00442EB5
• FindClose.KERNEL32(00000000,?,?,?,?,?,?,00000000), ref: 00442ED1
• FindFirstFileW.KERNEL32(*.*,?), ref: 00442EF0
• SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00442F3B
• SetCurrentDirectoryW.KERNEL32(0048A090,?,?,?,00000000), ref: 00442F6D
• FindNextFileW.KERNEL32(00000000,00000010), ref: 00442F75
• FindClose.KERNEL32(00000000), ref: 00442F80
  • Part of subcall function 00436D2D: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000,74DF3220,00000000,00000000,00442E95,?,?,?), ref: 00436D4F
• FindClose.KERNEL32(00000000,?,?,?,00000000), ref: 00442F92
Memory Dump Source
• Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
Similarity
• API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
• String ID: *.*
• API String ID: 2640511053-438819550
• Opcode ID: 9379a40a392f11a7e453a238fddec55769e51d026bd73d4c4d0da232c8837110
• Instruction ID: 5fd3b3f399b1dfd6b0a62b5043663bf11a2259675d3c80dc16c90576bc2ddb84
• Opcode Fuzzy Hash: 9379a40a392f11a7e453a238fddec55769e51d026bd73d4c4d0da232c8837110
• Instruction Fuzzy Hash: 0F41E8326083046BD620FA64DD85BEFB3A89BC5311F54492FF95483280E7FEA50D8779
APIs
  • Part of subcall function 004392BC: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 004392DE
  • Part of subcall function 004392BC: GetLastError.KERNEL32 ref: 004392E4
  • Part of subcall function 004392BC: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0043930B
  • Part of subcall function 0043928B: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004392A5
• GetSecurityDescriptorDacl.ADVAPI32(?,00000004,?,?,?,?), ref: 00445E4B
• _memset.LIBCMT ref: 00445E61
• GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00445E83
• GetLengthSid.ADVAPI32(?), ref: 00445E92
• GetAce.ADVAPI32(?,00000000,?,?,00000018), ref: 00445EDE
• AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00445EFB
• GetLengthSid.ADVAPI32(?,?,00000018), ref: 00445F11
• GetLengthSid.ADVAPI32(?,00000008,?,?,00000000,?,00000000), ref: 00445F39
• CopySid.ADVAPI32(00000000,?,00000000,?,00000000), ref: 00445F40
• AddAce.ADVAPI32(?,00000002,000000FF,00000000,?,?,00000000,?,00000000), ref: 00445F6E
• SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000,?,00000000,?,00000000), ref: 00445F8B
• SetUserObjectSecurity.USER32(?,?,?), ref: 00445FA0
Memory Dump Source
• Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
Similarity
• API ID: Security$DescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast_memset
• String ID:
• API String ID: 3490752873-0
• Opcode ID: b11fc48791dee11005ef1ac308328aec1e94b5ee495351b15ab77ecbbd68b2cc
• Instruction ID: 491154c1e478dcf6c9ac3cbca3c2c9e2645d4ee7bbdc2abf5fae4ada557f6fe4
• Opcode Fuzzy Hash: b11fc48791dee11005ef1ac308328aec1e94b5ee495351b15ab77ecbbd68b2cc
• Instruction Fuzzy Hash: 85519D71108301ABD610DF61CD84E6FB7E9AFC9B04F04491EFA869B242D778E909C76B
                                                          APIs
                                                          • OleInitialize.OLE32(00000000), ref: 0047AA03
                                                          • CLSIDFromProgID.OLE32(00000000,?), ref: 0047AA27
                                                          • CoCreateInstance.OLE32(?,00000000,00000005,004829C0,?), ref: 0047AAAA
                                                          • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000), ref: 0047AB6B
                                                          • _memset.LIBCMT ref: 0047AB7C
                                                          • _wcslen.LIBCMT ref: 0047AC68
                                                          • _memset.LIBCMT ref: 0047ACCD
                                                          • CoCreateInstanceEx.OLE32 ref: 0047AD06
                                                          • CoSetProxyBlanket.OLE32(004829D0,?,?,?,?,?,?,00000800), ref: 0047AD53
                                                          Strings
                                                          • NULL Pointer assignment, xrefs: 0047AD84
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: CreateInitializeInstance_memset$BlanketFromProgProxySecurity_wcslen
                                                          • String ID: NULL Pointer assignment
                                                          • API String ID: 1588287285-2785691316
                                                          • Opcode ID: 40e9c8eb680feb4042e694522f3113d29542bf103086fe34e1494599e09369de
                                                          • Instruction ID: 16786b45dbc5194aa398acfc0f0ff3b91b98a178c64a073a91da7f4e0cb75f58
                                                          • Opcode Fuzzy Hash: 40e9c8eb680feb4042e694522f3113d29542bf103086fe34e1494599e09369de
                                                          • Instruction Fuzzy Hash: 54B10DB15083409FD320EF65C881B9FB7E8BBC8744F108E2EF58997291D7759948CB66
                                                          APIs
                                                          • GetCurrentProcess.KERNEL32(00000028,?), ref: 004364B9
                                                          • OpenProcessToken.ADVAPI32(00000000), ref: 004364C0
                                                          • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004364D6
                                                          • AdjustTokenPrivileges.ADVAPI32 ref: 004364FE
                                                          • GetLastError.KERNEL32 ref: 00436504
                                                          • ExitWindowsEx.USER32(?,00000000), ref: 00436527
                                                          • InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000001), ref: 00436557
                                                          • SetSystemPowerState.KERNEL32(00000001,00000000), ref: 0043656A
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: ProcessSystemToken$AdjustCurrentErrorExitInitiateLastLookupOpenPowerPrivilegePrivilegesShutdownStateValueWindows
                                                          • String ID: SeShutdownPrivilege
                                                          • API String ID: 2938487562-3733053543
                                                          • Opcode ID: 9f228ad1da6a4c81f8cb5394189ecc1147849337ed66d96e43b1ced3868a671c
                                                          • Instruction ID: b625d7910520021a286729d09db348b3c4b0b131b75d5259d4bd29649b467962
                                                          • Opcode Fuzzy Hash: 9f228ad1da6a4c81f8cb5394189ecc1147849337ed66d96e43b1ced3868a671c
                                                          • Instruction Fuzzy Hash: E021D5B02803017FF7149B64DD4AF6B3398EB48B10F948829FE09852D2D6BDE844973D
                                                          APIs
                                                          • __swprintf.LIBCMT ref: 00436162
                                                          • __swprintf.LIBCMT ref: 00436176
                                                            • Part of subcall function 0041353A: __woutput_l.LIBCMT ref: 0041358F
                                                          • __wcsicoll.LIBCMT ref: 00436185
                                                          • FindResourceW.KERNEL32(?,?,0000000E), ref: 004361A6
                                                          • LoadResource.KERNEL32(?,00000000), ref: 004361AE
                                                          • LockResource.KERNEL32(00000000), ref: 004361B5
                                                          • FindResourceW.KERNEL32(?,?,00000003), ref: 004361DA
                                                          • LoadResource.KERNEL32(?,00000000), ref: 004361E4
                                                          • SizeofResource.KERNEL32(?,00000000), ref: 004361F0
                                                          • LockResource.KERNEL32(?), ref: 004361FD
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: Resource$FindLoadLock__swprintf$Sizeof__wcsicoll__woutput_l
                                                          • String ID:
                                                          • API String ID: 2406429042-0
                                                          • Opcode ID: c1b2c305ea449a9eaa2c50be24a6d356ee30b865a6e7eb3c9e4c44cc17d92184
                                                          • Instruction ID: 79d88324f8a28cdfdddc37bd7103cac5134eefaeeaedb246b69d205017f9fa0d
                                                          • Opcode Fuzzy Hash: c1b2c305ea449a9eaa2c50be24a6d356ee30b865a6e7eb3c9e4c44cc17d92184
                                                          • Instruction Fuzzy Hash: 82313432104210BFD700EF64ED88EAF77A9FB89304F00882BFA4196150E778D940CB68
                                                          APIs
                                                          • SetErrorMode.KERNEL32(00000001), ref: 0045D522
                                                          • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,?), ref: 0045D593
                                                          • GetLastError.KERNEL32 ref: 0045D59D
                                                          • SetErrorMode.KERNEL32(?), ref: 0045D629
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: Error$Mode$DiskFreeLastSpace
                                                          • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                          • API String ID: 4194297153-14809454
                                                          • Opcode ID: 49e0e17e9479d30b414134c7f78092e00673ae1a45d158f41d80208550ba4cb8
                                                          • Instruction ID: 49a1caac5541b587bc648ef7caa6256b54369420b38b3993b587487a6931f65b
                                                          • Opcode Fuzzy Hash: 49e0e17e9479d30b414134c7f78092e00673ae1a45d158f41d80208550ba4cb8
                                                          • Instruction Fuzzy Hash: BA31AD75A083009FC310EF55D98090BB7E1AF89315F448D6FF94997362D778E9068B6A
                                                          APIs
                                                          • MkParseDisplayName.OLE32(?,00000000,?,?), ref: 0047AF0F
                                                            • Part of subcall function 004781AE: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000001,00000000,NULL Pointer assignment,00000001), ref: 00478201
                                                            • Part of subcall function 004781AE: VariantCopy.OLEAUT32(?,?), ref: 00478259
                                                            • Part of subcall function 004781AE: VariantCopy.OLEAUT32(-00000058,?), ref: 00478270
                                                            • Part of subcall function 004781AE: VariantCopy.OLEAUT32(-00000078,?), ref: 00478287
                                                          • OleInitialize.OLE32(00000000), ref: 0047AE06
                                                            • Part of subcall function 0040FFF0: _wcslen.LIBCMT ref: 0040FFF2
                                                            • Part of subcall function 0040FFF0: _wcscpy.LIBCMT ref: 00410012
                                                          • _wcslen.LIBCMT ref: 0047AE18
                                                          • CreateBindCtx.OLE32(00000000,?), ref: 0047AEC2
                                                          • CLSIDFromProgID.OLE32(00000000,?,?), ref: 0047AFCC
                                                          • GetActiveObject.OLEAUT32(?,00000000,?), ref: 0047AFF9
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: CopyVariant$_wcslen$ActiveBindCreateDisplayErrorFromInitializeLastNameObjectParseProg_wcscpy
                                                          • String ID: HH
                                                          • API String ID: 1915432386-2761332787
                                                          • Opcode ID: e5cc958d5f324366fbee3d2ecbe33304f19c15b46d8e68c756c5eb73bbadfcb0
                                                          • Instruction ID: 7e3b4e38c6064d991530b19baaff212313fd3e9d55f264e0ba959e8ba912c45c
                                                          • Opcode Fuzzy Hash: e5cc958d5f324366fbee3d2ecbe33304f19c15b46d8e68c756c5eb73bbadfcb0
                                                          • Instruction Fuzzy Hash: 6C915C71604301ABD710EB65CC85F9BB3E8AFC8714F10892EF64597291EB78E909CB5A
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: DEFINE$`$h$h
                                                          • API String ID: 0-4194577831
                                                          • Opcode ID: 53b7279d5b659778b651e94439d899c69cc4b33ac19e6b5c077e56500386ae31
                                                          • Instruction ID: b1cbab3e2140d6a963e4b85c5b61650905c2e88cbb7a9c7ccaf19de07e543520
                                                          • Opcode Fuzzy Hash: 53b7279d5b659778b651e94439d899c69cc4b33ac19e6b5c077e56500386ae31
                                                          • Instruction Fuzzy Hash: 9802A1715083818FE725CF29C88076BBBE2BFD5304F28896EE89587342D779D849CB56
                                                          APIs
                                                          • socket.WSOCK32(00000002,00000001,00000006,?,00000000), ref: 004648B0
                                                          • WSAGetLastError.WSOCK32(00000000,00000002,00000001,00000006,?,00000000), ref: 004648BE
                                                          • bind.WSOCK32(00000000,?,00000010,00000002,00000001,00000006,?,00000000), ref: 004648DA
                                                          • WSAGetLastError.WSOCK32(00000000,00000000,?,00000010,00000002,00000001,00000006,?,00000000), ref: 004648E6
                                                          • closesocket.WSOCK32(00000000,00000000,00000000,00000000,00000005,00000000,?,00000010,00000002,00000001,00000006,?,00000000), ref: 0046492D
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: ErrorLast$bindclosesocketsocket
                                                          • String ID:
                                                          • API String ID: 2609815416-0
                                                          • Opcode ID: c745fc0386eefc9461b0625fcf5f9e880147eba2f1499b917674c09f315cfe6e
                                                          • Instruction ID: d240999dee57073d64b91b26c15bb406cb7727aead8f71c00845428af50f987f
                                                          • Opcode Fuzzy Hash: c745fc0386eefc9461b0625fcf5f9e880147eba2f1499b917674c09f315cfe6e
                                                          • Instruction Fuzzy Hash: C731CB712002009BD710FF2ADC81B6BB3E8EF85724F144A5FF594A72D2D779AC85876A
                                                          APIs
                                                          • CreateToolhelp32Snapshot.KERNEL32 ref: 00437043
                                                          • Process32FirstW.KERNEL32(00000000,00000002), ref: 00437050
                                                          • Process32NextW.KERNEL32(00000000,?), ref: 00437075
                                                          • __wsplitpath.LIBCMT ref: 004370A5
                                                            • Part of subcall function 00413DB0: __wsplitpath_helper.LIBCMT ref: 00413DF2
                                                          • _wcscat.LIBCMT ref: 004370BA
                                                          • __wcsicoll.LIBCMT ref: 004370C8
                                                          • CloseHandle.KERNEL32(00000000,?), ref: 00437105
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wcsicoll__wsplitpath__wsplitpath_helper_wcscat
                                                          • String ID:
                                                          • API String ID: 2547909840-0
                                                          • Opcode ID: fd838752e9d0606085fad0ec29118efadb7b5f17250a81beb0a2f2c9513d2e10
                                                          • Instruction ID: d866d71778569fbbd99b025f777f77cc3db9ba9c83dfb601fa45888e96c7797d
                                                          • Opcode Fuzzy Hash: fd838752e9d0606085fad0ec29118efadb7b5f17250a81beb0a2f2c9513d2e10
                                                          • Instruction Fuzzy Hash: 9C21A7B20083819BD735DB55C881BEFB7E8BB99304F00491EF5C947241EB79A589CB6A
                                                          APIs
                                                            • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                                                          • FindFirstFileW.KERNEL32(?,?,?,?,?,00000000), ref: 0045217E
                                                          • Sleep.KERNEL32(0000000A,?,?,00000000), ref: 004521B2
                                                          • FindNextFileW.KERNEL32(?,?,?,00000000), ref: 004522AC
                                                          • FindClose.KERNEL32(?,?,00000000), ref: 004522C3
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: Find$File$CloseFirstNextSleep_wcslen
                                                          • String ID: *.*
                                                          • API String ID: 2693929171-438819550
                                                          • Opcode ID: 17936c38af85c1dbfc3d1ebbd0b26446ca2a596e07a4ad84d79ac0689e190811
                                                          • Instruction ID: e6452ff64139cddd5fd774ab19bf2199aa97b2a19dc0f7115334900b47d689b2
                                                          • Opcode Fuzzy Hash: 17936c38af85c1dbfc3d1ebbd0b26446ca2a596e07a4ad84d79ac0689e190811
                                                          • Instruction Fuzzy Hash: BD419D756083409FC314DF25C984A9FB7E4BF86305F04491FF98993291DBB8E949CB5A
                                                          APIs
                                                          • __wcsicoll.LIBCMT ref: 0043643C
                                                          • mouse_event.USER32(00000800,00000000,00000000,00000078,00000000), ref: 00436452
                                                          • __wcsicoll.LIBCMT ref: 00436466
                                                          • mouse_event.USER32(00000800,00000000,00000000,00000088,00000000), ref: 0043647C
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: __wcsicollmouse_event
                                                          • String ID: DOWN
                                                          • API String ID: 1033544147-711622031
                                                          • Opcode ID: 8e71a22f1bb6dc727f393f419cee3c46fab46d9365d91d475c80ba63e0095046
                                                          • Instruction ID: 8a73d33e481528181e274ae5662561dddcd8f7088196b39fde8242b6fe69d79f
                                                          • Opcode Fuzzy Hash: 8e71a22f1bb6dc727f393f419cee3c46fab46d9365d91d475c80ba63e0095046
                                                          • Instruction Fuzzy Hash: 75E0927558872039FC4036253C02FFB174CAB66796F018116FE00D1291EA586D865BBD
                                                          APIs
                                                            • Part of subcall function 004647A2: inet_addr.WSOCK32(?), ref: 004647C7
                                                          • socket.WSOCK32(00000002,00000002,00000011,?,00000000), ref: 00474213
                                                          • WSAGetLastError.WSOCK32(00000000), ref: 00474233
                                                          Similarity
                                                          • API ID: ErrorLastinet_addrsocket
                                                          • String ID:
                                                          • API String ID: 4170576061-0
                                                          • Opcode ID: cabea8b38002fa781011b5f0595ab941099387897a9684b67fae1790c0a48004
                                                          • Instruction ID: 44a7e99483396e6262e636993c5e510db402c36a24f0b6146f21617b09e75fab
                                                          • Instruction Fuzzy Hash: B6412C7164030067E720BB3A8C83F5A72D89F40728F144D5EF954BB2C3D6BAAD45475D
                                                          APIs
                                                          • GetCursorPos.USER32(004A83D8), ref: 0045636A
                                                          • ScreenToClient.USER32(004A83D8,?), ref: 0045638A
                                                          • GetAsyncKeyState.USER32(?), ref: 004563D0
                                                          • GetAsyncKeyState.USER32(?), ref: 004563DC
                                                          • GetWindowLongW.USER32(?,000000F0), ref: 00456430
                                                          Similarity
                                                          • API ID: AsyncState$ClientCursorLongScreenWindow
                                                          • String ID:
                                                          • API String ID: 3539004672-0
                                                          • Opcode ID: 8b6f1a7d11e91e3692d621cb91ecba55955a7a9a0de246f0cd2a62484a80ce0b
                                                          • Instruction ID: 0eacbf52c9ff4b21db6d2500407d28a57be55752a0539e191fb639d8ee6a043b
                                                          • Instruction Fuzzy Hash: 8E416071108341ABD724DF55CD84EBBB7E9EF86725F540B0EB8A543281C734A848CB6A
                                                          APIs
                                                            • Part of subcall function 0046DD22: IsWindow.USER32(00000000), ref: 0046DD51
                                                          • IsWindowVisible.USER32 ref: 00477314
                                                          • IsWindowEnabled.USER32 ref: 00477324
                                                          • GetForegroundWindow.USER32(?,?,?,00000001,?,?), ref: 00477331
                                                          • IsIconic.USER32 ref: 0047733F
                                                          • IsZoomed.USER32 ref: 0047734D
                                                          Similarity
                                                          • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                          • String ID:
                                                          • API String ID: 292994002-0
                                                          • Opcode ID: 1c24098bd8cb9da3f496229370c910df04dc27541171caa4f2956f9c30b83eee
                                                          • Instruction ID: c753cb395bd8887e5e04db90522a3107d7308fd2cfa588f53a4db7a4177bc043
                                                          • Instruction Fuzzy Hash: 351172327041119BE3209B26DD05B9FB7A8AF91310F05882EFC49E7250D7B8EC42D7A9
                                                          APIs
                                                          • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000,74DF3220,00000000,00000000,00442E95,?,?,?), ref: 00436D4F
                                                          • SetFileTime.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00000000), ref: 00436D8C
                                                          • CloseHandle.KERNEL32(00000000,?,?,?,00000000), ref: 00436D93
                                                          Similarity
                                                          • API ID: File$CloseCreateHandleTime
                                                          • String ID:
                                                          • API String ID: 3397143404-0
                                                          • Opcode ID: 17e11168520f802dddbe8c477e19047108492bf153e6cd976562f268bfda3e60
                                                          • Instruction ID: bce1a9391340f9688fe0750810cd2cb1b104417d8b3c1e96578cdf6de8724fbd
                                                          • Instruction Fuzzy Hash: A4F0C83634132077E5301A69AC8DFCF276CABDAB32F20452EF741A61C083D51445977D
                                                          APIs
                                                          Strings
                                                          Similarity
                                                          • API ID: _strncmp
                                                          • String ID: ACCEPT$^$h
                                                          • API String ID: 909875538-4263704089
                                                          • Opcode ID: a6541d7913cd7701a75e3a8dc778404717b64597fc065691f0327c8a2e2ba149
                                                          • Instruction ID: 72a2cba82410d8b1d90f72ff5cad5771b474d57714a55a9933f2c727144888ce
                                                          • Instruction Fuzzy Hash: AE22A0746083818FE725CF29C48076BBBE2BFC9304F24896EE8D587351D779984ACB56
                                                          APIs
                                                          • FindFirstFileW.KERNEL32(00000000,?,?), ref: 0045C9BE
                                                          • FindNextFileW.KERNEL32(00000000,?), ref: 0045CA1B
                                                          • FindClose.KERNEL32(00000000,00000001,00000000), ref: 0045CA4A
                                                          Similarity
                                                          • API ID: Find$File$CloseFirstNext
                                                          • String ID:
                                                          • API String ID: 3541575487-0
                                                          • Opcode ID: 14602e3ddb85434cb4a191148b4ac58dc13c9e22f939418703ff5d8e88b69fcb
                                                          • Instruction ID: 18858b47483a38653cd59612877c1399ad483e9f26b014a4aa46912757e3bc7b
                                                          • Instruction Fuzzy Hash: EC41CE756003009FC720EF79D880A9BB3E4FF89315F208A6EED698B391D775A844CB95
                                                          APIs
                                                          • GetFileAttributesW.KERNEL32(00000001,00000000), ref: 00436AEF
                                                          • FindFirstFileW.KERNEL32(00000001,?), ref: 00436B00
                                                          • FindClose.KERNEL32(00000000), ref: 00436B13
                                                          Similarity
                                                          • API ID: FileFind$AttributesCloseFirst
                                                          • String ID:
                                                          • API String ID: 48322524-0
                                                          • Opcode ID: 9dc85b775151a348b3ed896f2b5842869c214baa03f23a1e311506cc1954de59
                                                          • Instruction ID: 417b6d6de692ea6945bae3bf725251b28653fd5bce93257cef0f58e2a105c1b1
                                                          • Instruction Fuzzy Hash: 23E02236804418678600AB7CAC0C4EE779CDB0A335F100B96FE38C21D0D775A9408FEA
                                                          APIs
                                                          • __time64.LIBCMT ref: 004433A2
                                                            • Part of subcall function 00414CEF: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,004341DB,00000000,?,0044248A,?,?,?,0048B850), ref: 00414CFA
                                                            • Part of subcall function 00414CEF: __aulldiv.LIBCMT ref: 00414D1A
                                                          Strings
                                                          Similarity
                                                          • API ID: Time$FileSystem__aulldiv__time64
                                                          • String ID: rJ
                                                          • API String ID: 2893107130-1865492326
                                                          • Opcode ID: e603e75d0767fd135478995c8e8d26e9f594f0c4df67822259ddb38eb763753e
                                                          • Instruction ID: ebc1a5536eae3429eadb0b33e849de59894c076497330b79c1ff8485d89898ec
                                                          • Instruction Fuzzy Hash: B721A2336205108BF321CF36CC41652B7E7EBE0314F268A6AE4A5973C5CA797906CB98
                                                          APIs
                                                          • __time64.LIBCMT ref: 004433A2
                                                            • Part of subcall function 00414CEF: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,004341DB,00000000,?,0044248A,?,?,?,0048B850), ref: 00414CFA
                                                            • Part of subcall function 00414CEF: __aulldiv.LIBCMT ref: 00414D1A
                                                          Strings
                                                          Similarity
                                                          • API ID: Time$FileSystem__aulldiv__time64
                                                          • String ID: rJ
                                                          • API String ID: 2893107130-1865492326
                                                          • Opcode ID: e8e365b2ab883cc854990c78a2143569adcb81f7322f31e235de15ec19987b7e
                                                          • Instruction ID: 4b4e0c3debee0a45c2bc781276f994e79ac96c452fb6cf924f1e6ade5adf298d
                                                          • Instruction Fuzzy Hash: E82187336345108BF321CF36CC4165277E3EBE0314B258B6AD4A5973C5CA797906CB88
                                                          APIs
                                                          • InternetQueryDataAvailable.WININET(?,?,?,?,00000000,00000000), ref: 004428C2
                                                          • InternetReadFile.WININET(?,00000000,?,?), ref: 004428F9
                                                            • Part of subcall function 0044286A: GetLastError.KERNEL32(00000000,0044AA07,?,00000000,00000000,00000001,?,?), ref: 00442880
                                                          Similarity
                                                          • API ID: Internet$AvailableDataErrorFileLastQueryRead
                                                          • String ID:
                                                          • API String ID: 901099227-0
                                                          • Opcode ID: c5651eff999419169b46b76971b5abcb261cf656e183e849eb3ab7268b4b60d7
                                                          • Instruction ID: 2c15810e60b1cb59304632cc8162977c32d0240baa2dcf3c2cd6ef22f942a6bb
                                                          • Instruction Fuzzy Hash: 452174B12043016BF220EF56DD45FAFB3E8ABD4715F40492EF285A6180D7B8E949C76A
                                                          APIs
                                                          • FindFirstFileW.KERNEL32(00000000,?,?), ref: 0045DDA1
                                                          • FindClose.KERNEL32(00000000), ref: 0045DDDD
                                                          Similarity
                                                          • API ID: Find$CloseFileFirst
                                                          • String ID:
                                                          • API String ID: 2295610775-0
                                                          • Opcode ID: eac1d012b3ae473636f11b903683455954ec17c127a785734040b224e9a5f79e
                                                          • Instruction ID: 3577cc1601137e614a3334ffa73c6d258275d41fe8d72aaca367a27ef3e2a016
                                                          • Instruction Fuzzy Hash: DE11E5766002049FD710EF6ADC89A5AF7E5EF84325F10892EF958D7281CB75E8048B94
                                                          Strings
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 0vH$HH
                                                          • API String ID: 0-728391547
                                                          • Opcode ID: 96d535d6e61c6cd6e5d21badf476ce2a2faa32e114d6f0ae27a3d334794412dd
                                                          • Instruction ID: 538a6706abcc28c04bdc151be30d2aa4e2083a8dfdfa6c30a7857f36827e6882
                                                          • Instruction Fuzzy Hash: 60E1BE725143109FC310EF25C881A9FB7E5AFC4708F108D2EF589AB281D779E946CB9A
                                                          APIs
                                                          Similarity
                                                          • API ID: _memset
                                                          • String ID:
                                                          • API String ID: 2102423945-0
                                                          • Opcode ID: b8def19716de174921965326585c8a0a0c2eba4d3f226f62ebfac136bfb84777
                                                          • Instruction ID: fac722ae1e10b3ad9494cda40f9fb3e9e62b3c26aea04ddfc6562ea9d2065ebb
                                                          • Opcode Fuzzy Hash: b8def19716de174921965326585c8a0a0c2eba4d3f226f62ebfac136bfb84777
                                                          • Instruction Fuzzy Hash: C512B4B7B983194FDB48DEE4DCC169573E1FB98304F09A43C9A15C7306F6E8AA094794
                                                          APIs
                                                          • DefDlgProcW.USER32(?,?,?,?,004A83D8,?), ref: 0047E22C
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: Proc
                                                          • String ID:
                                                          • API String ID: 2346855178-0
                                                          • Opcode ID: 4f476b527310cd4595d6f2246be334f82b87c4d4a511bc9a4ae10ad49a3a576c
                                                          • Instruction ID: e1c03c818efbd3cbf3664a0c3e659178dbc9a05004c0f073233894ce1d713c90
                                                          • Opcode Fuzzy Hash: 4f476b527310cd4595d6f2246be334f82b87c4d4a511bc9a4ae10ad49a3a576c
                                                          • Instruction Fuzzy Hash: 4EB1E63330602429E114916BBC88EBFBB9CD7D677BB208B7FF142C1582DB5B6425A179
                                                          APIs
                                                          • BlockInput.USER32(00000001), ref: 0045A272
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: BlockInput
                                                          • String ID:
                                                          • API String ID: 3456056419-0
                                                          • Opcode ID: f8b7596c9daf0cf449ec099d4cdbafb4be693b9bdeaa48314d03f681346fce8b
                                                          • Instruction ID: 5d782454ef4d0180448527013755d2523f66e5fc327f68786c1d80a86620ac83
                                                          • Opcode Fuzzy Hash: f8b7596c9daf0cf449ec099d4cdbafb4be693b9bdeaa48314d03f681346fce8b
                                                          • Instruction Fuzzy Hash: D2E04F752043019BC700EF71C545A5BB7E4AF94314F108C6EF845A7351D775AC45CB66
                                                          APIs
                                                          • LogonUserW.ADVAPI32(?,?,?,?,00000000,?), ref: 0043918E
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: LogonUser
                                                          • String ID:
                                                          • API String ID: 1244722697-0
                                                          • Opcode ID: 365ca9639b26e9c6c56151d88f527b1e4ffaee0f54dfd66c8778d151900be7f4
                                                          • Instruction ID: 63114e5cfb2c4979e73f5d19eacf740c811f86df1a08bc2cb556a5e36cce81ff
                                                          • Opcode Fuzzy Hash: 365ca9639b26e9c6c56151d88f527b1e4ffaee0f54dfd66c8778d151900be7f4
                                                          • Instruction Fuzzy Hash: 8DD0ECB52686066FD204CB24D846E2B77E9A7C4701F008A0CB196D2280C670D805CA32
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: NameUser
                                                          • String ID:
                                                          • API String ID: 2645101109-0
                                                          • Opcode ID: b783c70369e54a54257db95ea8fbffa2a0b511f3d9d58af1a6b6f1143851980f
                                                          • Instruction ID: 8011c19b6c32d183c263453b2018abc548473ce9ed5616c99acac4896e71f792
                                                          • Opcode Fuzzy Hash: b783c70369e54a54257db95ea8fbffa2a0b511f3d9d58af1a6b6f1143851980f
                                                          • Instruction Fuzzy Hash: F6E08C322083058FC310EF55F8405ABB390EB94311F004C3FE64AA2191DA79920EDFAB
                                                          APIs
                                                          • SetUnhandledExceptionFilter.KERNEL32(Function_00021FEC), ref: 00422033
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: ExceptionFilterUnhandled
                                                          • String ID:
                                                          • API String ID: 3192549508-0
                                                          • Opcode ID: 299f58dbcf75cd09f1fee721c9404e411c3f17cf80a1a40ae63587de51767455
                                                          • Instruction ID: 3275b40964251646410af8875a24301f93fa315c26af6adae0ca3d0f7a721f84
                                                          • Opcode Fuzzy Hash: 299f58dbcf75cd09f1fee721c9404e411c3f17cf80a1a40ae63587de51767455
                                                          • Instruction Fuzzy Hash: CD9002743511144A4A011BB16E5D90925D46A586067920875B411C4064DB9840019619
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0666e2c6603716d584354562bcf590181c980fb8da26174d951f804026303a75
                                                          • Instruction ID: b3f199f19983f506b623bfe7955a95149e6efe4e98ce3416cc40fa12ddcf4508
                                                          • Opcode Fuzzy Hash: 0666e2c6603716d584354562bcf590181c980fb8da26174d951f804026303a75
                                                          • Instruction Fuzzy Hash: 46D19073C0A9B30A8735812D42582BFEE626FD578131EC3E29CD07F38AD26B5DA195D4
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c40bcf876c129f9393d32ca3cb7471e4bcf7a4352579634fb414d11934eaa4f2
                                                          • Instruction ID: c47bdb3f9c9e38c5d46ddb9e43dedaf70276048770aeb58bd274f21c588a824b
                                                          • Opcode Fuzzy Hash: c40bcf876c129f9393d32ca3cb7471e4bcf7a4352579634fb414d11934eaa4f2
                                                          • Instruction Fuzzy Hash: 1CD19073D1A9B30A8735852D42581AFEE626FD578031EC3E2CCD07F38AD16B5DA191D4
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 8709e21481f65d4d57cc4b3952fb3adbcebd3cc8b64ff3d20fdf858c0bfd14a0
                                                          • Instruction ID: ac15b8da1a4b082d71a0b082c8349c97121379a14580263daf363e6ab8f75410
                                                          • Opcode Fuzzy Hash: 8709e21481f65d4d57cc4b3952fb3adbcebd3cc8b64ff3d20fdf858c0bfd14a0
                                                          • Instruction Fuzzy Hash: 87C18173C0A9B30A8736812D42641AFEE626FD579031FC3E2CCD47F38A91AB5DA195D4
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a6a9d25a147ba64f4d06249d12fe21364a5b6889ab238d0ba2e949acfc497403
                                                          • Instruction ID: aa957cafbedeae1199dea6a597ba911d219650f283d164fb65797e90308ef47b
                                                          • Opcode Fuzzy Hash: a6a9d25a147ba64f4d06249d12fe21364a5b6889ab238d0ba2e949acfc497403
                                                          • Instruction Fuzzy Hash: 5FC18E73D0A9B30A8735812D42581AFEE626FD578031EC3E28CE46F38ED26F5DA195D4
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 304d221b5688423ebfa6c473264aec07cdb78ae451f757bdd5acbbf2c1e92ad4
                                                          • Instruction ID: b8cfd58d412160527e66ace840abba843d94ac3f5b06779728c9fe736b8606cc
                                                          • Opcode Fuzzy Hash: 304d221b5688423ebfa6c473264aec07cdb78ae451f757bdd5acbbf2c1e92ad4
                                                          • Instruction Fuzzy Hash: ECD012F621844146F33144D866C0BD100437344310FB58C276005CEBC1C0DDECD6C229
                                                          APIs
                                                          • DeleteObject.GDI32(?), ref: 004593D7
                                                          • DeleteObject.GDI32(?), ref: 004593F1
                                                          • DestroyWindow.USER32(?), ref: 00459407
                                                          • GetDesktopWindow.USER32 ref: 0045942A
                                                          • GetWindowRect.USER32(00000000), ref: 00459431
                                                          • SetRect.USER32(50000001,00000000,00000000,000001F4,?), ref: 00459568
                                                          • AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00459577
                                                          • CreateWindowExW.USER32(?,AutoIt v3,00000000,?,88C00000,?,?,50000001,?,?,00000000,00000000), ref: 004595BB
                                                          • GetClientRect.USER32(00000000,?), ref: 004595C8
                                                          • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,?,00000000,00000000,00000000), ref: 00459615
                                                          • CreateFileW.KERNEL32(00000000,?,80000000,00000000,00000000,00000003,00000000,00000000,?,50000001,?,?,00000000,00000000,00000000), ref: 00459635
                                                          • GetFileSize.KERNEL32(00000000,00000000,?,50000001,?,?,00000000,00000000,00000000), ref: 00459654
                                                          • GlobalAlloc.KERNEL32(00000002,00000000,?,50000001,?,?,00000000,00000000,00000000), ref: 0045965F
                                                          • GlobalLock.KERNEL32(00000000), ref: 00459668
                                                          • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,50000001,?,?,00000000,00000000,00000000), ref: 00459678
                                                          • GlobalUnlock.KERNEL32(00000000), ref: 0045967F
                                                          • CloseHandle.KERNEL32(00000000,?,50000001,?,?,00000000,00000000,00000000), ref: 00459686
                                                          • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,50000001,?,?,00000000,00000000,00000000), ref: 00459694
                                                          • OleLoadPicture.OLEAUT32(?,00000000,00000000,00482A20,000001F4), ref: 004596AD
                                                          • GlobalFree.KERNEL32(00000000), ref: 004596C0
                                                          • CopyImage.USER32(000000FF,00000000,00000000,00000000,00002000), ref: 004596EF
                                                          • SendMessageW.USER32(00000000,00000172,00000000,000000FF), ref: 00459712
                                                          • SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,50000001,?,?,00000000,00000000,00000000), ref: 0045973D
                                                          • ShowWindow.USER32(?,00000004,?,50000001,?,?,00000000,00000000,00000000), ref: 0045974B
                                                          • CreateWindowExW.USER32(00000000,static,00000000,?,?,0000000B,0000000B,?,?,?,00000000,00000000), ref: 0045979C
                                                          • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 004597AD
                                                          • GetStockObject.GDI32(00000011), ref: 004597B7
                                                          • SelectObject.GDI32(00000000,00000000), ref: 004597BF
                                                          • GetTextFaceW.GDI32(00000000,00000040,00000190,?,50000001,?,?,00000000,00000000,00000000), ref: 004597CD
                                                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 004597D6
                                                          • DeleteDC.GDI32(00000000), ref: 004597E1
                                                          • _wcslen.LIBCMT ref: 00459800
                                                          • _wcscpy.LIBCMT ref: 0045981F
                                                          • CreateFontW.GDI32(?,00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,00000190), ref: 004598BB
                                                          • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 004598D0
                                                          • GetDC.USER32(?), ref: 004598DE
                                                          • SelectObject.GDI32(00000000,?), ref: 004598EE
                                                          • SelectObject.GDI32(00000000,?), ref: 00459919
                                                          • ReleaseDC.USER32(?,00000000), ref: 00459925
                                                          • MoveWindow.USER32(?,0000000B,?,?,?,00000001), ref: 00459943
                                                          • ShowWindow.USER32(?,00000004,?,00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,00000190), ref: 00459951
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: Window$Create$Object$Global$Rect$DeleteFileSelect$MessageSendShow$AdjustAllocCapsClientCloseCopyDesktopDestroyDeviceFaceFontFreeHandleImageLoadLockMovePictureReadReleaseSizeStockStreamTextUnlock_wcscpy_wcslen
                                                          • String ID: $AutoIt v3$DISPLAY$static
                                                          • API String ID: 4040870279-2373415609
                                                          • Opcode ID: d6fd8d7be04635d93ea84c38fc4cb072183cdb5133bdcfdddae5d23db1010fc6
                                                          • Instruction ID: fce7466cc8f2b4b34a2e278d60cb4f704f90ff1017bfb666dbfc83d8aba9d67a
                                                          • Opcode Fuzzy Hash: d6fd8d7be04635d93ea84c38fc4cb072183cdb5133bdcfdddae5d23db1010fc6
                                                          • Instruction Fuzzy Hash: 3F028C70204301EFD714DF64DE89F2BB7A8AB84705F104A2DFA45AB2D2D7B4E805CB69
                                                          APIs
                                                          • GetSysColor.USER32(00000012), ref: 00441E64
                                                          • SetTextColor.GDI32(?,?), ref: 00441E6C
                                                          • GetSysColorBrush.USER32(0000000F), ref: 00441E83
                                                          • GetSysColor.USER32(0000000F), ref: 00441E8F
                                                          • SetBkColor.GDI32(?,?), ref: 00441EAA
                                                          • SelectObject.GDI32(?,?), ref: 00441EBA
                                                          • InflateRect.USER32(?,000000FF,000000FF), ref: 00441EF0
                                                          • GetSysColor.USER32(00000010), ref: 00441EF8
                                                          • CreateSolidBrush.GDI32(00000000), ref: 00441EFF
                                                          • FrameRect.USER32(?,?,00000000), ref: 00441F10
                                                          • DeleteObject.GDI32(?), ref: 00441F1B
                                                          • InflateRect.USER32(?,000000FE,000000FE), ref: 00441F75
                                                          • FillRect.USER32(?,?,?), ref: 00441FB6
                                                            • Part of subcall function 00433D5C: GetSysColor.USER32(0000000E), ref: 00433D81
                                                            • Part of subcall function 00433D5C: SetTextColor.GDI32(?,00000000), ref: 00433D89
                                                            • Part of subcall function 00433D5C: GetSysColorBrush.USER32(0000000F), ref: 00433DBF
                                                            • Part of subcall function 00433D5C: GetSysColor.USER32(0000000F), ref: 00433DCB
                                                            • Part of subcall function 00433D5C: GetSysColor.USER32(00000011), ref: 00433DEB
                                                            • Part of subcall function 00433D5C: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00433DFD
                                                            • Part of subcall function 00433D5C: SelectObject.GDI32(?,00000000), ref: 00433E0D
                                                            • Part of subcall function 00433D5C: SetBkColor.GDI32(?,?), ref: 00433E19
                                                            • Part of subcall function 00433D5C: SelectObject.GDI32(?,?), ref: 00433E29
                                                            • Part of subcall function 00433D5C: InflateRect.USER32(?,000000FF,000000FF), ref: 00433E54
                                                            • Part of subcall function 00433D5C: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00433E73
                                                            • Part of subcall function 00433D5C: GetWindowLongW.USER32 ref: 00433E8A
                                                            • Part of subcall function 00433D5C: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00433EAC
                                                          Similarity
                                                          • API ID: Color$Rect$Object$BrushInflateSelect$CreateText$DeleteFillFrameLongMessageRoundSendSolidWindow
                                                          • String ID:
                                                          • API String ID: 69173610-0
                                                          • Opcode ID: 63a2be33accb074b4178bb2d7a96f271ea41f5903b36f57aa3a0bb7ff7b8698e
                                                          • Instruction ID: 0b0c06e318eae1aa70623bc76f746578ebcda4f465cb69034399d4c57c44293d
                                                          • Opcode Fuzzy Hash: 63a2be33accb074b4178bb2d7a96f271ea41f5903b36f57aa3a0bb7ff7b8698e
                                                          • Instruction Fuzzy Hash: BBB14D71508300AFD314DF64DD88A6FB7F8FB88720F504A2DF996922A0D774E845CB66
                                                          APIs
                                                          Strings
                                                          Similarity
                                                          • API ID: __wcsnicmp
                                                          • String ID: #NoAutoIt3Execute$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#requireadmin$Cannot parse #include$Unterminated group of comments
                                                          • API String ID: 1038674560-3360698832
                                                          • Opcode ID: c74d0d52908dbbec4f5022c33a9c4844136c2b84c95de0bb8b15b994b6f8f789
                                                          • Instruction ID: b6083b7aed1673b33e689ff2aa7e8f17f47d7310e90ec65f4167159f85ee96f3
                                                          • Opcode Fuzzy Hash: c74d0d52908dbbec4f5022c33a9c4844136c2b84c95de0bb8b15b994b6f8f789
                                                          • Instruction Fuzzy Hash: 5A611471B4071076EA306A229C46FAB735CDF14345F50052FFC01A628BE7ADDA4A86EE
                                                          APIs
                                                          • GetSysColor.USER32(0000000E), ref: 00433D81
                                                          • SetTextColor.GDI32(?,00000000), ref: 00433D89
                                                          • GetSysColor.USER32(00000012), ref: 00433DA3
                                                          • SetTextColor.GDI32(?,?), ref: 00433DAB
                                                          • GetSysColorBrush.USER32(0000000F), ref: 00433DBF
                                                          • GetSysColor.USER32(0000000F), ref: 00433DCB
                                                          • CreateSolidBrush.GDI32(?), ref: 00433DD4
                                                          • GetSysColor.USER32(00000011), ref: 00433DEB
                                                          • CreatePen.GDI32(00000000,00000001,00743C00), ref: 00433DFD
                                                          • SelectObject.GDI32(?,00000000), ref: 00433E0D
                                                          • SetBkColor.GDI32(?,?), ref: 00433E19
                                                          • SelectObject.GDI32(?,?), ref: 00433E29
                                                          • InflateRect.USER32(?,000000FF,000000FF), ref: 00433E54
                                                          • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00433E73
                                                          • GetWindowLongW.USER32 ref: 00433E8A
                                                          • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00433EAC
                                                          • GetWindowTextW.USER32(00000000,00000000,00000105), ref: 00433EE1
                                                          • InflateRect.USER32(?,000000FD,000000FD), ref: 00433F13
                                                          • DrawFocusRect.USER32(?,?), ref: 00433F1F
                                                          • GetSysColor.USER32(00000011), ref: 00433F2E
                                                          • SetTextColor.GDI32(?,00000000), ref: 00433F36
                                                          • DrawTextW.USER32(?,?,000000FF,?,?), ref: 00433F4E
                                                          • SelectObject.GDI32(?,?), ref: 00433F63
                                                          • DeleteObject.GDI32(?), ref: 00433F70
                                                          • SelectObject.GDI32(?,?), ref: 00433F78
                                                          • DeleteObject.GDI32(00000000), ref: 00433F7B
                                                          • SetTextColor.GDI32(?,?), ref: 00433F83
                                                          • SetBkColor.GDI32(?,?), ref: 00433F8F
                                                          Similarity
                                                          • API ID: Color$ObjectText$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                          • String ID:
                                                          • API String ID: 1582027408-0
                                                          • Opcode ID: e151e7129dedd9b649cf5279759d6c8ca4f2d2edd5ec07a1e2c3294b07796789
                                                          • Instruction ID: aa454ab644ffbff4d2185aee23397a25bdbdaef3ad5a75b83a3ebbbeed3afe32
                                                          • Opcode Fuzzy Hash: e151e7129dedd9b649cf5279759d6c8ca4f2d2edd5ec07a1e2c3294b07796789
                                                          • Instruction Fuzzy Hash: 53710570508340AFD304DF68DD88A6FBBF9FF89711F104A2DFA5592290D7B4E9418B6A
                                                          APIs
                                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046AFC2
                                                          • RegCreateKeyExW.ADVAPI32(?,?,00000000,004848E8,00000000,?,00000000,?,?,?,?,?), ref: 0046B01C
                                                          • RegCloseKey.ADVAPI32(?), ref: 0046B069
                                                          Strings
                                                          Similarity
                                                          • API ID: CloseConnectCreateRegistry
                                                          • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                          • API String ID: 3217815495-966354055
                                                          • Opcode ID: 7e7fad9cf22916ff3a09238387be431628318f125f1ed8133e311fd7904dbe40
                                                          • Instruction ID: d9d2404220d166b11353d33fb52652cf6d28829cdaa3b272cf204d1a2c990fb8
                                                          • Opcode Fuzzy Hash: 7e7fad9cf22916ff3a09238387be431628318f125f1ed8133e311fd7904dbe40
                                                          • Instruction Fuzzy Hash: 2CE1A1B1600300ABD710EF65C885F1BB7E8AF48704F14895EB945DB392D778E945CBAA
                                                          APIs
                                                          • GetCursorPos.USER32(?), ref: 00456692
                                                          • GetDesktopWindow.USER32 ref: 004566AA
                                                          • GetWindowRect.USER32(00000000), ref: 004566B1
                                                          • GetWindowLongW.USER32(?,000000F0), ref: 0045670D
                                                          • GetWindowLongW.USER32(?,000000F0), ref: 00456720
                                                          • DestroyWindow.USER32(?), ref: 00456731
                                                          • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00456779
                                                          • SendMessageW.USER32(00000000,00000432,00000000,0000002C), ref: 00456797
                                                          • SendMessageW.USER32(?,00000439,00000000,0000002C), ref: 004567C0
                                                          • SendMessageW.USER32(?,00000421,?,?), ref: 004567D8
                                                          • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 004567EE
                                                          • IsWindowVisible.USER32(?), ref: 00456812
                                                          • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 0045682E
                                                          • SendMessageW.USER32(?,00000411,00000001,0000002C), ref: 00456843
                                                          • GetWindowRect.USER32(?,?), ref: 0045685C
                                                          • MonitorFromPoint.USER32(?,?,00000002), ref: 00456880
                                                          • GetMonitorInfoW.USER32 ref: 00456894
                                                          • CopyRect.USER32(?,?), ref: 004568A8
                                                          • SendMessageW.USER32(?,00000412,00000000), ref: 0045690A
                                                          Strings
                                                          Similarity
                                                          • API ID: Window$MessageSend$Rect$LongMonitor$CopyCreateCursorDesktopDestroyFromInfoPointVisible
                                                          • String ID: ($,$tooltips_class32
                                                          • API String ID: 541082891-3320066284
                                                          • Opcode ID: 25380f5391d2fe641591a116f81b43842710cc101ecbbf85cfa067c854d9f55a
                                                          • Instruction ID: 3987ef5f26dee50c6234681dd74380f3ee0746d74ffcadc96223edc745891050
                                                          • Opcode Fuzzy Hash: 25380f5391d2fe641591a116f81b43842710cc101ecbbf85cfa067c854d9f55a
                                                          • Instruction Fuzzy Hash: 33B18EB0604341AFD714DF64C984B6BB7E5EF88704F408D2DF989A7292D778E848CB5A
                                                          APIs
                                                          • _wcslen.LIBCMT ref: 00454DCF
                                                          • _wcslen.LIBCMT ref: 00454DE2
                                                          • __wcsicoll.LIBCMT ref: 00454DEF
                                                          • _wcslen.LIBCMT ref: 00454E04
                                                          • __wcsicoll.LIBCMT ref: 00454E11
                                                          • _wcslen.LIBCMT ref: 00454E24
                                                          • __wcsicoll.LIBCMT ref: 00454E31
                                                            • Part of subcall function 004115D0: __wcsicmp_l.LIBCMT ref: 00411657
                                                          • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00454E65
                                                          • LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,?,?,?,?,?,?,?,00000000), ref: 00454E79
                                                          • LoadImageW.USER32(00000000,00000000,?,00000001,?,?), ref: 00454EB7
                                                          • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00454EFB
                                                          • LoadImageW.USER32(00000000,00000000,?,00000001,?,?), ref: 00454F2C
                                                          • FreeLibrary.KERNEL32(00000000), ref: 00454F37
                                                          • ExtractIconExW.SHELL32(?,00000000,00000000,?,00000001), ref: 00454F94
                                                          • DestroyIcon.USER32(?), ref: 00454FA2
                                                          • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00454FC0
                                                          • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00454FCC
                                                          • MoveWindow.USER32(?,?,?,?,?,00000001), ref: 00454FF1
                                                          Strings
                                                          Similarity
                                                          • API ID: Load$Image_wcslen$__wcsicoll$IconLibraryMessageSend$DestroyExtractFreeMoveWindow__wcsicmp_l
                                                          • String ID: .dll$.exe$.icl
                                                          • API String ID: 2511167534-1154884017
                                                          • Opcode ID: 3f138871eb6b7f703bfd118eaab481945a2915db6d26b5ab3e2ea40d00a2935e
                                                          • Instruction ID: 777b7c61fe84a0ac0f88e3bb9536c5d4e291b97e4b5026f6b39318954af55ba4
                                                          • Opcode Fuzzy Hash: 3f138871eb6b7f703bfd118eaab481945a2915db6d26b5ab3e2ea40d00a2935e
                                                          • Instruction Fuzzy Hash: D461D9711043016AE620DF659D85F7B73ECEF84B0AF00481EFE81D5182E7B9A989C77A
                                                          APIs
                                                          • GetFileVersionInfoSizeW.VERSION(?,?), ref: 00436B4E
                                                          • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000), ref: 00436B73
                                                          • _wcslen.LIBCMT ref: 00436B79
                                                          • _wcscpy.LIBCMT ref: 00436B9F
                                                          • _wcscat.LIBCMT ref: 00436BC0
                                                          • VerQueryValueW.VERSION(00000000,\VarFileInfo\Translation,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00436BE7
                                                          • _wcscat.LIBCMT ref: 00436C2A
                                                          • _wcscat.LIBCMT ref: 00436C31
                                                          • __wcsicoll.LIBCMT ref: 00436C4B
                                                          • _wcsncpy.LIBCMT ref: 00436C62
                                                          Strings
                                                          Similarity
                                                          • API ID: _wcscat$FileInfoVersion$QuerySizeValue__wcsicoll_wcscpy_wcslen_wcsncpy
                                                          • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                                          • API String ID: 1503153545-1459072770
                                                          • Opcode ID: 8f115a8dcca366765dccafad874a9911a33c709b0333e454bef2361e27f7839d
                                                          • Instruction ID: f4118b49cd66f9fee818cdfc0bae26735a4a754b0a3131160812af9443992caa
                                                          • Opcode Fuzzy Hash: 8f115a8dcca366765dccafad874a9911a33c709b0333e454bef2361e27f7839d
                                                          • Instruction Fuzzy Hash: B54115B264020137D200B7269C83EFF735CDE99715F54091FFE45A2253FA2EA69642BE
                                                          APIs
                                                            • Part of subcall function 004431E0: __time64.LIBCMT ref: 004431EA
                                                          • _fseek.LIBCMT ref: 004527FC
                                                          • __wsplitpath.LIBCMT ref: 0045285C
                                                          • _wcscpy.LIBCMT ref: 00452871
                                                          • _wcscat.LIBCMT ref: 00452886
                                                          • __wsplitpath.LIBCMT ref: 004528B0
                                                          • _wcscat.LIBCMT ref: 004528C8
                                                          • _wcscat.LIBCMT ref: 004528DD
                                                          • __fread_nolock.LIBCMT ref: 00452914
                                                          • __fread_nolock.LIBCMT ref: 00452925
                                                          • __fread_nolock.LIBCMT ref: 00452944
                                                          • __fread_nolock.LIBCMT ref: 00452955
                                                          • __fread_nolock.LIBCMT ref: 00452976
                                                          • __fread_nolock.LIBCMT ref: 00452987
                                                          • __fread_nolock.LIBCMT ref: 00452998
                                                          • __fread_nolock.LIBCMT ref: 004529A9
                                                            • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 004523ED
                                                            • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 00452432
                                                            • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 0045244F
                                                            • Part of subcall function 004523CE: _wcscpy.LIBCMT ref: 0045247D
                                                            • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 0045248E
                                                            • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 004524AB
                                                            • Part of subcall function 004523CE: _wcscpy.LIBCMT ref: 004524D9
                                                          • __fread_nolock.LIBCMT ref: 00452A39
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: __fread_nolock$_wcscat_wcscpy$__wsplitpath$__time64_fseek
                                                          • String ID:
                                                          • API String ID: 2054058615-0
                                                          • Opcode ID: 983239acf030dd5dbcb525efe1f3094d5bf78e470c43ee0c462dc16c64ee25c2
                                                          • Instruction ID: 66779ec6e5012556871fefb3c18d5d4f0449fb8b445ab61f685bb60241e2a5ae
                                                          • Opcode Fuzzy Hash: 983239acf030dd5dbcb525efe1f3094d5bf78e470c43ee0c462dc16c64ee25c2
                                                          • Instruction Fuzzy Hash: 16C14EB2508340ABD320DF65C881EEBB7E8EFC9714F444D2FF68987241E6799544CBA6
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 0
                                                          • API String ID: 0-4108050209
                                                          • Opcode ID: 3341d5ccd3f52121a0b9d5f5b9edb9a4c3413db68c9c5c7597b80800bbf161ae
                                                          • Instruction ID: a4e6889c8706d2a682ad3cc8acca51b009283e1ae9b51da70db0806919efebf9
                                                          • Opcode Fuzzy Hash: 3341d5ccd3f52121a0b9d5f5b9edb9a4c3413db68c9c5c7597b80800bbf161ae
                                                          • Instruction Fuzzy Hash: 95C104723403416BF3209B64DC46FBBB794EB95321F04453FFA45D62C1EBBA9409876A
                                                          APIs
                                                            • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                                                          • GetWindowRect.USER32(?,?), ref: 004701EA
                                                          • GetClientRect.USER32(?,?), ref: 004701FA
                                                          • GetSystemMetrics.USER32(00000007), ref: 00470202
                                                          • GetSystemMetrics.USER32(00000008), ref: 00470216
                                                          • GetSystemMetrics.USER32(00000004), ref: 00470238
                                                          • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0047026B
                                                          • GetSystemMetrics.USER32(00000007), ref: 00470273
                                                          • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 004702A0
                                                          • GetSystemMetrics.USER32(00000008), ref: 004702A8
                                                          • GetSystemMetrics.USER32(00000004), ref: 004702CF
                                                          • SetRect.USER32(?,00000000,00000000,?,?), ref: 004702F1
                                                          • AdjustWindowRectEx.USER32(?,?,00000000,000000FF), ref: 00470304
                                                          • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,?,?,?,?,00000000,00400000,00000000), ref: 0047033E
                                                          • SetWindowLongW.USER32(00000000,000000EB,?), ref: 00470356
                                                          • GetClientRect.USER32(?,?), ref: 00470371
                                                          • GetStockObject.GDI32(00000011), ref: 00470391
                                                          • SendMessageW.USER32(?,00000030,00000000), ref: 0047039D
                                                          • SetTimer.USER32(00000000,00000000,00000028,Function_00061E7F), ref: 004703C4
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: System$Metrics$Rect$Window$ClientInfoParameters$AdjustCreateLongMessageObjectSendStockTimer_malloc
                                                          • String ID: AutoIt v3 GUI
                                                          • API String ID: 867697134-248962490
                                                          • Opcode ID: 0d702e1f111dc4b461eb7f98f3a5a74387d5f37c8fb6fd827a42ca67ae032642
                                                          • Instruction ID: 96ed3905d942d8c5c267f8207effb08aff50268186fc7250a269a1908d1679c9
                                                          • Opcode Fuzzy Hash: 0d702e1f111dc4b461eb7f98f3a5a74387d5f37c8fb6fd827a42ca67ae032642
                                                          • Instruction Fuzzy Hash: 27B19F71205301AFD324DF68DD45B6BB7E4FB88710F108A2EFA9587290DBB5E844CB5A
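The function above is the one that creates the interpreter's main window: the `CreateWindowExW` call passes the class name `AutoIt v3 GUI`, and the neighbouring functions carry the WinTitle matching keywords (`[ACTIVE`, `[CLASS:`, `[HANDLE:`, `[REGEXPTITLE:`). Those are the AutoIt runtime's own routines, so when triaging a listing like this one it helps to separate stub functions from anything custom, and to keep the instruction fuzzy hashes for comparison against other samples. The parser below is an added example, not part of this report or of Joe Sandbox; it assumes the block layout as rendered here (an `APIs` line opens each function, bullet lines of the form `Name.MODULE(args), ref: ADDR` or `Part of subcall function ADDR: Name.MODULE ref: ADDR`, then `Similarity` key/value bullets). `SAMPLE` is constructed from lines excerpted above, and the only AutoIt marker it checks is the `AutoIt v3 GUI` class name that the report itself shows.

```python
"""Parse a Joe Sandbox per-function listing (APIs / Strings / Similarity
blocks) into records and flag the ones that belong to the AutoIt runtime.
Added example; layout assumptions are described in the lead-in."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample: lines excerpted from two of the report's function blocks.
SAMPLE = """
APIs
• SetWindowPos.USER32(004A83D8,00000000,00000000,00000000,00000000,00000000,00000013,004A83D8,?,?), ref: 0044880A
Strings
Memory Dump Source
• Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Window
• String ID: 0
• Instruction Fuzzy Hash: 94B19DB02443419FF324CF14C889BABBBE4EB89744F14491EF991972D1DBB8E845CB5A
APIs
• Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
• GetWindowRect.USER32(?,?), ref: 004701EA
• CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,?,?,?,?,00000000,00400000,00000000), ref: 0047033E
• SetTimer.USER32(00000000,00000000,00000028,Function_00061E7F), ref: 004703C4
Strings
Similarity
• API ID: System$Metrics$Rect$Window$ClientInfoParameters$AdjustCreateLongMessageObjectSendStockTimer_malloc
• String ID: AutoIt v3 GUI
• Instruction Fuzzy Hash: 27B19F71205301AFD324DF68DD45B6BB7E4FB88710F108A2EFA9587290DBB5E844CB5A
"""

# One bullet line describing a call site. 'Part of subcall function X:' marks
# calls made by a callee rather than by the function itself.
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_@$?][\w@$?]*)\.(?P<mod>[A-Z0-9]+)"
    r"(?:\((?P<args>.*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
KV_RE = re.compile(r"^•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")

# Class name the AutoIt runtime registers for its GUI window (visible in the report).
AUTOIT_MARKERS = ("AutoIt v3 GUI",)


@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]
    ref: int                      # address of the call instruction
    subcall_of: int | None = None  # callee address when reported as a subcall


@dataclass
class FunctionRecord:
    calls: list[ApiCall] = field(default_factory=list)
    strings: list[str] = field(default_factory=list)
    api_id: str = ""
    instruction_fuzzy_hash: str = ""

    @property
    def entry_hint(self) -> int | None:
        """Lowest direct call-site address: the report does not print the
        function start, so this is a cheap proxy for where it lives."""
        direct = [c.ref for c in self.calls if c.subcall_of is None]
        return min(direct) if direct else None


def parse_report(text: str) -> list[FunctionRecord]:
    records: list[FunctionRecord] = []
    cur: FunctionRecord | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "APIs":              # header that opens every function block
            cur = FunctionRecord()
            records.append(cur)
            continue
        if cur is None:                 # listing cut off above its 'APIs' header
            cur = FunctionRecord()
            records.append(cur)
        m = API_RE.match(line)
        if m:
            raw_args = m["args"] or ""
            args = [a.strip() for a in raw_args.split(",") if a.strip()]
            sub = int(m["sub"], 16) if m["sub"] else None
            cur.calls.append(ApiCall(m["name"], m["mod"], args, int(m["ref"], 16), sub))
            continue
        kv = KV_RE.match(line)
        if not kv:
            continue                    # 'Strings', 'Similarity', ... section labels
        key, val = kv["key"], kv["val"]
        if key == "API ID":
            cur.api_id = val
        elif key == "String ID":        # strings are '$'-separated in the report
            cur.strings = [s for s in val.split("$") if s]
        elif key == "Instruction Fuzzy Hash":
            cur.instruction_fuzzy_hash = val
    return records


def api_sequence(rec: FunctionRecord, include_subcalls: bool = False) -> list[str]:
    """Ordered 'Name.MODULE' list, the part of the block worth diffing."""
    return [f"{c.name}.{c.module}" for c in rec.calls
            if include_subcalls or c.subcall_of is None]


def find_autoit_runtime(records: list[FunctionRecord]) -> list[FunctionRecord]:
    """Records whose strings or call arguments carry an AutoIt runtime marker."""
    hits = []
    for r in records:
        blob = r.strings + [a for c in r.calls for a in c.args]
        if any(mk in s for s in blob for mk in AUTOIT_MARKERS):
            hits.append(r)
    return hits


def module_histogram(records: list[FunctionRecord]) -> dict[str, int]:
    """Which DLLs / CRT the listed functions touch, subcalls included."""
    return dict(Counter(c.module for r in records for c in r.calls))


def fuzzy_hash_index(records: list[FunctionRecord]) -> dict[str, FunctionRecord]:
    """Instruction fuzzy hash -> record, for matching against another sample's listing."""
    return {r.instruction_fuzzy_hash: r for r in records if r.instruction_fuzzy_hash}


if __name__ == "__main__":
    recs = parse_report(SAMPLE)
    for r in recs:
        tag = "AUTOIT-RUNTIME" if r in find_autoit_runtime(recs) else "other"
        print(f"{r.entry_hint:#010x} {tag}: {' -> '.join(api_sequence(r))}")
    print(module_histogram(recs))
```

Run the script against the saved report text instead of `SAMPLE` to get one line per function; the records that are not flagged and whose fuzzy hashes do not match a clean AutoIt3 interpreter's listing are the ones worth opening first, since the AgentTesla stage named in the detection summary is carried by the script, not by these stub routines.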
                                                          APIs
                                                          • SetWindowPos.USER32(004A83D8,00000000,00000000,00000000,00000000,00000000,00000013,004A83D8,?,?), ref: 0044880A
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: Window
                                                          • String ID: 0
                                                          • API String ID: 2353593579-4108050209
                                                          • Opcode ID: ca380a5f1b7b22306afb7d181ee8588f63c71b92ae7430e038360cbc2591eaeb
                                                          • Instruction ID: 13976ff69904029c6bcd7d6129a783336058688c161485e0dcc644b2654616cc
                                                          • Opcode Fuzzy Hash: ca380a5f1b7b22306afb7d181ee8588f63c71b92ae7430e038360cbc2591eaeb
                                                          • Instruction Fuzzy Hash: 94B19DB02443419FF324CF14C889BABBBE4EB89744F14491EF991972D1DBB8E845CB5A
                                                          APIs
                                                          • GetSysColor.USER32 ref: 0044A11D
                                                          • GetClientRect.USER32(?,?), ref: 0044A18D
                                                          • SendMessageW.USER32(?,00001328,00000000,?), ref: 0044A1A6
                                                          • GetWindowDC.USER32(?), ref: 0044A1B3
                                                          • GetPixel.GDI32(00000000,?,?), ref: 0044A1C6
                                                          • ReleaseDC.USER32(?,00000000), ref: 0044A1D6
                                                          • GetSysColor.USER32(0000000F), ref: 0044A1EC
                                                          • GetWindowLongW.USER32(?,000000F0), ref: 0044A207
                                                          • GetSysColor.USER32(0000000F), ref: 0044A216
                                                          • GetSysColor.USER32(00000005), ref: 0044A21E
                                                          • GetWindowDC.USER32 ref: 0044A277
                                                          • GetPixel.GDI32(00000000,00000000,00000000), ref: 0044A28A
                                                          • GetPixel.GDI32(00000000,?,00000000), ref: 0044A29F
                                                          • GetPixel.GDI32(00000000,00000000,?), ref: 0044A2B4
                                                          • GetPixel.GDI32(00000000,?,?), ref: 0044A2D0
                                                          • ReleaseDC.USER32(?,00000000), ref: 0044A2D8
                                                          • SetTextColor.GDI32(00000000,?), ref: 0044A2F6
                                                          • SetBkMode.GDI32(00000000,00000001), ref: 0044A30A
                                                          • GetStockObject.GDI32(00000005), ref: 0044A312
                                                          • SetBkColor.GDI32(00000000,00000000), ref: 0044A328
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: Color$Pixel$Window$Release$ClientLongMessageModeObjectRectSendStockText
                                                          • String ID:
                                                          • API String ID: 1744303182-0
                                                          • Opcode ID: c697551d262e08263a45fd1ab6b47457a8b4de30e4a023901e5f3e03e0b3260a
                                                          • Instruction ID: f407f88e1fc9bdd08975b2e96734b256c85d8f08b0ead5e1f8dbf5832e348edb
                                                          • Opcode Fuzzy Hash: c697551d262e08263a45fd1ab6b47457a8b4de30e4a023901e5f3e03e0b3260a
                                                          • Instruction Fuzzy Hash: AD6148315442016BE3209B388C88BBFB7A4FB49324F54079EF9A8973D0D7B99C51D76A
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: __wcsicoll$__wcsnicmp
                                                          • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                                          • API String ID: 790654849-1810252412
                                                          • Opcode ID: 3ef763bd77a89c14e9ef14da431a542ecfa9ee53dca0875bc5fd58ba0035de2e
                                                          • Instruction ID: 1b62209f2aa4de5792947d5a3aa61dcd1c874d3672784017b8f4b2c72f71c34c
                                                          • Opcode Fuzzy Hash: 3ef763bd77a89c14e9ef14da431a542ecfa9ee53dca0875bc5fd58ba0035de2e
                                                          • Instruction Fuzzy Hash: 7A3193B1644301A7CA00FA61DC83F5B73A85F54759F100A3FB955B61D6FA6CEA0C862F
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: InitVariant
                                                          • String ID:
                                                          • API String ID: 1927566239-0
                                                          • Opcode ID: 0ce8a0180f427c6633dd7a645a706da8f2470da33a28fd12fcc8bbcffff15558
                                                          • Instruction ID: b17386a2766a1a739d91313a8bf0106a5dd250ff49ec0cac6ee5761d63536315
                                                          • Opcode Fuzzy Hash: 0ce8a0180f427c6633dd7a645a706da8f2470da33a28fd12fcc8bbcffff15558
                                                          • Instruction Fuzzy Hash: 87A1F5766146019FC300EF65D88499FB7AAFF85315F408D3EFA49C3211D77AD4098BAA
                                                          APIs
                                                            • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                                                          • GetForegroundWindow.USER32(?,?), ref: 0046D7C1
                                                          • GetForegroundWindow.USER32 ref: 0046DBA4
                                                          • IsWindow.USER32(?), ref: 0046DBDE
                                                          • GetDesktopWindow.USER32 ref: 0046DCB5
                                                          • EnumChildWindows.USER32(00000000), ref: 0046DCBC
                                                          • EnumWindows.USER32(00460772,?), ref: 0046DCC4
                                                            • Part of subcall function 00445975: _wcslen.LIBCMT ref: 00445984
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: Window$EnumForegroundWindows_wcslen$ChildDesktop
                                                          • String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
                                                          • API String ID: 1322021666-1919597938
                                                          • Opcode ID: f0ae0bd5c84c8fbd9fa80e8b17a650ade3f6139d63811c55da114ce2128ba9af
                                                          • Instruction ID: 252cd24da08a8cddfda52e39780f3f39bafd894638fb43d2866a45805a666b3e
                                                          • Opcode Fuzzy Hash: f0ae0bd5c84c8fbd9fa80e8b17a650ade3f6139d63811c55da114ce2128ba9af
                                                          • Instruction Fuzzy Hash: 96F1C571D143409BCB00EF61C881EAB73A4BF95308F44496FF9456B286E77DE909CB6A
                                                          APIs
                                                          • GetLocalTime.KERNEL32(?), ref: 0045DED4
                                                          • SystemTimeToFileTime.KERNEL32(?,?), ref: 0045DEE4
                                                          • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 0045DEF0
                                                          • _wcsncpy.LIBCMT ref: 0045DF0F
                                                          • __wsplitpath.LIBCMT ref: 0045DF54
                                                          • _wcscat.LIBCMT ref: 0045DF6C
                                                          • _wcscat.LIBCMT ref: 0045DF7E
                                                          • GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 0045DF93
                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 0045DFA7
                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 0045DFE5
                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 0045DFFB
                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 0045E00D
                                                          • _wcscpy.LIBCMT ref: 0045E019
                                                          • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0045E05F
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: CurrentDirectory$Time$File$Local_wcscat$System__wsplitpath_wcscpy_wcsncpy
                                                          • String ID: *.*
                                                          • API String ID: 3201719729-438819550
                                                          • Opcode ID: 89541da3f554ebb8d42e95f45bc66f31ca584aff69b040987f949bd9346ecb30
                                                          • Instruction ID: 9ef8ac46b2ec3f8a2b66e183c5d6435db2730cdd54c1860218fefef83dfd89d7
                                                          • Opcode Fuzzy Hash: 89541da3f554ebb8d42e95f45bc66f31ca584aff69b040987f949bd9346ecb30
                                                          • Instruction Fuzzy Hash: D061A7B25043049BC724EF65C881E9FB3E8AF94704F048E1EF98987241DB79E949CB96
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: __wcsicoll$IconLoad
                                                          • String ID: blank$info$question$stop$warning
                                                          • API String ID: 2485277191-404129466
                                                          • Opcode ID: 5bed60ec3368b378429e4d7d86c3e9ed6cb6a0c6f582f3c961ebbe10ae210b10
                                                          • Instruction ID: 3fdcc892c2a25cebf9aff257507665a297d4e16c4260cb8f6e9492a672fb13e0
                                                          • Opcode Fuzzy Hash: 5bed60ec3368b378429e4d7d86c3e9ed6cb6a0c6f582f3c961ebbe10ae210b10
                                                          • Instruction Fuzzy Hash: CB2128B6B08301A7D610A725BC05FDF27489FA8365F004C2BF941E2283F3A8A45583BD
                                                          APIs
                                                          • CompareStringW.KERNEL32(?,?,004832AC,00000001,004832AC,00000001), ref: 00428611
                                                          • GetLastError.KERNEL32(?,?,004832AC,00000001,004832AC,00000001), ref: 00428627
                                                          • strncnt.LIBCMT ref: 00428646
                                                          • strncnt.LIBCMT ref: 0042865A
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: strncnt$CompareErrorLastString
                                                          • String ID:
                                                          • API String ID: 1776594460-0
                                                          • Opcode ID: 409d39d31d49c90a4132468ed3074cd5345a98ee66abf4e21a74ff80ab18450e
                                                          • Instruction ID: 056e5a993d73ec50dc3c8e072878bb631c9b69e1f80941a2a69bbd8adeb14d7f
                                                          • Opcode Fuzzy Hash: 409d39d31d49c90a4132468ed3074cd5345a98ee66abf4e21a74ff80ab18450e
                                                          • Instruction Fuzzy Hash: 0DA1B131B01225AFDF219F61EC41AAF7BB6AF94340FA4402FF81196251DF3D8891CB58
APIs
• LoadIconW.USER32(?,00000063), ref: 004545DA
• SendMessageW.USER32(?,00000080,00000000,00000000), ref: 004545EC
• SetWindowTextW.USER32(?,?), ref: 00454606
• GetDlgItem.USER32(?,000003EA), ref: 0045461F
• SetWindowTextW.USER32(00000000,?), ref: 00454626
• GetDlgItem.USER32(?,000003E9), ref: 00454637
• SetWindowTextW.USER32(00000000,?), ref: 0045463E
• SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00454663
• SendDlgItemMessageW.USER32(?,000003E9,000000C5,?,00000000), ref: 0045467D
• GetWindowRect.USER32(?,?), ref: 00454688
• SetWindowTextW.USER32(?,?), ref: 004546FD
• GetDesktopWindow.USER32 ref: 00454708
• GetWindowRect.USER32(00000000), ref: 0045470F
• MoveWindow.USER32(?,?,00000000,?,?,00000000), ref: 00454760
• GetClientRect.USER32(?,?), ref: 0045476F
• PostMessageW.USER32(?,00000005,00000000,?), ref: 0045479E
• SetTimer.USER32(?,0000040A,?,00000000), ref: 004547E9
Memory Dump Source
• Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
Similarity
• API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
• String ID:
• API String ID: 3869813825-0
• Opcode ID: d6d25c813e590b752cbfd9858452ff05e3d443d6a6ce6916d89e520ab15b373f
• Instruction ID: 4e77de65cc6986e78e6be143d0a4b9e7f39e78804b6f4fc71fe9e35dfcfd5046
• Opcode Fuzzy Hash: d6d25c813e590b752cbfd9858452ff05e3d443d6a6ce6916d89e520ab15b373f
• Instruction Fuzzy Hash: 8C616D71604701AFD320DF68CD88F2BB7E8AB88709F004E1DF98697691D7B8E849CB55
APIs
• LoadCursorW.USER32(00000000,00007F8A), ref: 00458D2D
• LoadCursorW.USER32(00000000,00007F00), ref: 00458D3A
• LoadCursorW.USER32(00000000,00007F03), ref: 00458D47
• LoadCursorW.USER32(00000000,00007F8B), ref: 00458D54
• LoadCursorW.USER32(00000000,00007F01), ref: 00458D61
• LoadCursorW.USER32(00000000,00007F81), ref: 00458D6E
• LoadCursorW.USER32(00000000,00007F88), ref: 00458D7B
• LoadCursorW.USER32(00000000,00007F80), ref: 00458D88
• LoadCursorW.USER32(00000000,00007F86), ref: 00458D95
• LoadCursorW.USER32(00000000,00007F83), ref: 00458DA2
• LoadCursorW.USER32(00000000,00007F85), ref: 00458DAF
• LoadCursorW.USER32(00000000,00007F82), ref: 00458DBC
• LoadCursorW.USER32(00000000,00007F84), ref: 00458DC9
• LoadCursorW.USER32(00000000,00007F04), ref: 00458DD6
• LoadCursorW.USER32(00000000,00007F02), ref: 00458DE3
• LoadCursorW.USER32(00000000,00007F89), ref: 00458DF0
• GetCursorInfo.USER32 ref: 00458E03
Memory Dump Source
• Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
Similarity
• API ID: Cursor$Load$Info
• String ID:
• API String ID: 2577412497-0
• Opcode ID: 0c78b259ae472df09145ddf792cd37f85d2c816b82f1d484569203a38ef646a1
• Instruction ID: 36b4ee280ed0253346847529aeb00c95e660e1b7f2a6688567eec4957a26740b
• Opcode Fuzzy Hash: 0c78b259ae472df09145ddf792cd37f85d2c816b82f1d484569203a38ef646a1
• Instruction Fuzzy Hash: D9311671E4C3156AE7509F758C5AB1BBEE0AF40B54F004D2FF2889F2D1DAB9E4448B86
APIs
• PostMessageW.USER32(?,00000112,0000F060,00000000), ref: 004696CC
• GetFocus.USER32 ref: 004696E0
• GetDlgCtrlID.USER32(00000000), ref: 004696EB
• PostMessageW.USER32(?,00000111,?,00000000), ref: 0046973F
Strings
Memory Dump Source
• Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
Similarity
• API ID: MessagePost$CtrlFocus
• String ID: 0
• API String ID: 1534620443-4108050209
• Opcode ID: 833d13db40ec40dec0483232b6284f8533ca83f9805c84b893a2fb0fb577edd9
• Instruction ID: 7d80af5808d25915b866e76daf530f36ef8b085de22dc1c7fc8dbb607ae8adb7
• Opcode Fuzzy Hash: 833d13db40ec40dec0483232b6284f8533ca83f9805c84b893a2fb0fb577edd9
• Instruction Fuzzy Hash: 1591E1B1604301ABD710DF14D884BABB7A8FB89714F004A1EF99497391E7B4DC49CBAB
APIs
• _memset.LIBCMT ref: 00468107
• GetMenuItemInfoW.USER32(?,00000007,00000000,?), ref: 00468190
• GetMenuItemCount.USER32(?), ref: 00468227
• DeleteMenu.USER32(?,00000005,00000000), ref: 004682B8
• DeleteMenu.USER32(?,00000004,00000000), ref: 004682C1
• DeleteMenu.USER32(?,00000006,00000000,?,00000004,00000000), ref: 004682CA
• DeleteMenu.USER32(00000000,00000003,00000000,?,00000006,00000000,?,00000004,00000000), ref: 004682D3
• GetMenuItemCount.USER32 ref: 004682DC
• SetMenuItemInfoW.USER32 ref: 00468317
• GetCursorPos.USER32(00000000), ref: 00468322
• SetForegroundWindow.USER32(?), ref: 0046832D
• TrackPopupMenuEx.USER32(?,00000000,00000000,00000006,?,00000000,?,?,00000006,00000000,?,00000004,00000000), ref: 00468345
• PostMessageW.USER32(?,00000000,00000000,00000000), ref: 00468352
Strings
Memory Dump Source
• Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
Similarity
• API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
• String ID: 0
• API String ID: 3993528054-4108050209
• Opcode ID: d5573be1ba1a613c106f8e764602a2d45d8b266f51cd1eb04f60dea375430468
• Instruction ID: a450cccb4b36e122d1eca3afa35c85d1e57e2007e4dd5bc50ce81cada7f4397f
• Opcode Fuzzy Hash: d5573be1ba1a613c106f8e764602a2d45d8b266f51cd1eb04f60dea375430468
• Instruction Fuzzy Hash: 3C71C070648301ABE3309B14CC49F5BB7E8BF86724F244B0EF5A5563D1DBB9A8458B1B
APIs
• DragQueryPoint.SHELL32(?,?), ref: 0046F2DA
  • Part of subcall function 00441CB4: ClientToScreen.USER32(00000000,?), ref: 00441CDE
  • Part of subcall function 00441CB4: GetWindowRect.USER32(?,?), ref: 00441D5A
  • Part of subcall function 00441CB4: PtInRect.USER32(?,?,?), ref: 00441D6F
• SendMessageW.USER32(?), ref: 0046F34C
• DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0046F355
• DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0046F37F
• _wcscat.LIBCMT ref: 0046F3BC
• SendMessageW.USER32(?,000000C2,00000001,?), ref: 0046F3D1
• SendMessageW.USER32(?,000000B0,?,?), ref: 0046F3E3
• SendMessageW.USER32(?,000000B1,?,?), ref: 0046F3F1
• SendMessageW.USER32(?,000000B1,?,?), ref: 0046F40E
• DragFinish.SHELL32(?), ref: 0046F414
• DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0046F4FC
Strings
Memory Dump Source
• Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
Similarity
• API ID: MessageSend$Drag$Query$FileRect$ClientFinishPointProcScreenWindow_wcscat
• String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
• API String ID: 4085615965-3440237614
• Opcode ID: e6dc8860684545ee98a9b737372e313d8034606243f87d3f07a4344f64e9a130
• Instruction ID: d92027b63b9478c52a8b17f069484fb886a707b260a555cedefccfc898d4b85d
• Opcode Fuzzy Hash: e6dc8860684545ee98a9b737372e313d8034606243f87d3f07a4344f64e9a130
• Instruction Fuzzy Hash: 596170716043009BD700EF54D885E5FB7A8FFC9714F104A2EF99097291D7B8A949CBAA
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
Similarity
• API ID: __wcsicoll
• String ID: LEFT$MAIN$MENU$MIDDLE$PRIMARY$RIGHT$SECONDARY
• API String ID: 3832890014-4202584635
• Opcode ID: 3f0b73fdde0a53fb0a00575eab05b85141dd4a2dcfcc4ab19f269ee93bd0b8a8
• Instruction ID: bf73cd225697d97a5a257e466bf5c8c79b4efa22739c650e03c6b1f9c6e9338c
• Opcode Fuzzy Hash: 3f0b73fdde0a53fb0a00575eab05b85141dd4a2dcfcc4ab19f269ee93bd0b8a8
• Instruction Fuzzy Hash: 1D01616160562122FE11322A7C03BDF15898F5139AF14447BFC05F1282FF4DDA8692EE
APIs
• _memset.LIBCMT ref: 004669C4
• _wcsncpy.LIBCMT ref: 00466A21
• _wcsncpy.LIBCMT ref: 00466A4D
  • Part of subcall function 0040FFF0: _wcslen.LIBCMT ref: 0040FFF2
  • Part of subcall function 0040FFF0: _wcscpy.LIBCMT ref: 00410012
• _wcstok.LIBCMT ref: 00466A90
  • Part of subcall function 004142A3: __getptd.LIBCMT ref: 004142A9
• _wcstok.LIBCMT ref: 00466B3F
• _wcscpy.LIBCMT ref: 00466BC8
• GetOpenFileNameW.COMDLG32(00000058), ref: 00466CFE
• _wcslen.LIBCMT ref: 00466D1D
• _memset.LIBCMT ref: 00466BEE
  • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
• _wcslen.LIBCMT ref: 00466D4B
• GetSaveFileNameW.COMDLG32(00000058), ref: 00466D9E
Strings
Memory Dump Source
• Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
Similarity
• API ID: _wcslen$FileName_memset_wcscpy_wcsncpy_wcstok$OpenSave__getptd
• String ID: X$HH
• API String ID: 3021350936-1944015008
• Opcode ID: 148ffd08a53066c169799d7010fd2328abbb1436974d200da898f01e024381e3
• Instruction ID: 73e83d7ea4d12cbe09e247b0b8120e99e9ae8af51722f6ce2f45a1bbad6557a4
• Opcode Fuzzy Hash: 148ffd08a53066c169799d7010fd2328abbb1436974d200da898f01e024381e3
• Instruction Fuzzy Hash: D1C1B2715043408BC714EF65C981A9FB3E4BF84304F15892FF949AB292EB78E905CB9B
APIs
• _memset.LIBCMT ref: 0045F4AE
• GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0045F519
• SetMenuItemInfoW.USER32(00000008,00000004,00000000,?), ref: 0045F556
• Sleep.KERNEL32(000001F4,?,?,00000000,?), ref: 0045F568
Strings
Memory Dump Source
• Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
Similarity
• API ID: InfoItemMenu$Sleep_memset
• String ID: 0
• API String ID: 1504565804-4108050209
• Opcode ID: b2eb264578549714347dca4c6cc1c63db220fd8d89572d1a81e0d1d82c6caf25
• Instruction ID: 9e8996cb251b45e9fd8013479734a73363ce4640cf951279a7d2fdadd0934edb
• Opcode Fuzzy Hash: b2eb264578549714347dca4c6cc1c63db220fd8d89572d1a81e0d1d82c6caf25
• Instruction Fuzzy Hash: E171E3711043406BD3109F54DD48FABBBE8EBD5306F04086FFD8587252D6B9A94EC76A
APIs
• DestroyWindow.USER32(?,004A83D8,?), ref: 00455800
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00400000,00000000), ref: 00455847
Strings
Memory Dump Source
• Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
Similarity
• API ID: Window$CreateDestroy
• String ID: ,$tooltips_class32
• API String ID: 1109047481-3856767331
• Opcode ID: 0ca5ab61cf6a2cad142a114e1c8ac043728d1bef212d4075191e352a737c6d07
• Instruction ID: af4df8b80438f92fd5356fe82daba85812243c44dff517d7eb602cf52e2cfce3
• Opcode Fuzzy Hash: 0ca5ab61cf6a2cad142a114e1c8ac043728d1bef212d4075191e352a737c6d07
• Instruction Fuzzy Hash: BF719075244704AFE320DB28CC85F7B77E4EB89700F50491EFA8197391E6B5E905CB59
                                                          APIs
                                                          • _wcsncpy.LIBCMT ref: 0045CCFA
                                                          • __wsplitpath.LIBCMT ref: 0045CD3C
                                                          • _wcscat.LIBCMT ref: 0045CD51
                                                          • _wcscat.LIBCMT ref: 0045CD63
                                                          • GetCurrentDirectoryW.KERNEL32(00000104,?,?,?,?,?,?,?,00000104,?), ref: 0045CD78
                                                          • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,00000104,?), ref: 0045CD8C
                                                            • Part of subcall function 00436AC4: GetFileAttributesW.KERNEL32(?,0044BD82,?,?,?), ref: 00436AC9
                                                          • GetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,00000104,?), ref: 0045CDD0
                                                          • SetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CDE6
                                                          • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,00000104,?), ref: 0045CDF8
                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 0045CE08
                                                          • _wcscpy.LIBCMT ref: 0045CE14
                                                          • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,00000104,?), ref: 0045CE5A
                                                           Memory Dump Source
                                                           • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: CurrentDirectory$AttributesFile$_wcscat$__wsplitpath_wcscpy_wcsncpy
                                                          • String ID: *.*
                                                          • API String ID: 1153243558-438819550
                                                          • Opcode ID: 5bfa431d4ef7075d2dc920e4199facb1e2714bc7465ef22df03346902ac9b5e5
                                                          • Instruction ID: 4b7f18f3392d5c51d0b0bcfc25b88d1348604f1c1aa494fd035d881d108a9fe9
                                                          • Opcode Fuzzy Hash: 5bfa431d4ef7075d2dc920e4199facb1e2714bc7465ef22df03346902ac9b5e5
                                                          • Instruction Fuzzy Hash: 0561E5B61043419FD731EF54C885AEBB7E4EB84305F44882FED8983242D67D998E879E
                                                          APIs
                                                          • _memset.LIBCMT ref: 00455127
                                                          • GetMenuItemInfoW.USER32 ref: 00455146
                                                          • DeleteMenu.USER32(?,?,00000000), ref: 004551B2
                                                          • DeleteMenu.USER32(?,?,00000000), ref: 004551C8
                                                          • GetMenuItemCount.USER32(?), ref: 004551D9
                                                          • SetMenu.USER32(?,00000000), ref: 004551E7
                                                          • DestroyMenu.USER32(?,?,00000000), ref: 004551F4
                                                          • DrawMenuBar.USER32 ref: 00455207
                                                          • DeleteObject.GDI32(?), ref: 0045564E
                                                          • DeleteObject.GDI32(?), ref: 0045565C
                                                          • DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
                                                          • DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
                                                           Memory Dump Source
                                                           • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: Menu$Delete$Destroy$ItemObject$CountDrawIconInfoWindow_memset
                                                          • String ID: 0
                                                          • API String ID: 1663942905-4108050209
                                                          • Opcode ID: 9367fca2e423954c8e95e5664296e443175f4f0a3dc8af8de701f007cae6aaa4
                                                          • Instruction ID: b4bdd7d0bd4ee66815c45afb4cba49e6688c1fb7c5fb2b704b87d0eb3faa17d4
                                                          • Opcode Fuzzy Hash: 9367fca2e423954c8e95e5664296e443175f4f0a3dc8af8de701f007cae6aaa4
                                                          • Instruction Fuzzy Hash: F4413B70600A01AFD715DF24D9A8B6B77A8BF44302F40891DFD49CB292DB78EC44CBA9
                                                           Memory Dump Source
                                                           • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: __get_daylight__invoke_watson$__gmtime64_s$__getptd_noexit
                                                          • String ID:
                                                          • API String ID: 1481289235-0
                                                          • Opcode ID: 0c2ddcf2cfad548662a25bd64df7f8cdb197bd458fe0989c9b03f034f06c5664
                                                          • Instruction ID: 11750150b5911b8a2d77b888e51b7102539fbc40f42687a9f62e69b5342e6946
                                                          • Opcode Fuzzy Hash: 0c2ddcf2cfad548662a25bd64df7f8cdb197bd458fe0989c9b03f034f06c5664
                                                          • Instruction Fuzzy Hash: 8461B372B00B15DBD724AB69DC81AEB73E99F84324F14452FF011D7682EB78DA808B58
                                                          APIs
                                                          • ExtractIconExW.SHELL32(?,?,?,?,00000001), ref: 0046FB61
                                                          • ExtractIconExW.SHELL32(?,000000FF,?,?,00000001), ref: 0046FB7A
                                                          • SendMessageW.USER32 ref: 0046FBAF
                                                          • SendMessageW.USER32 ref: 0046FBE2
                                                          • ImageList_Create.COMCTL32(00000010,00000010,00000021,?,00000001), ref: 0046FC1B
                                                          • SendMessageW.USER32(?,00001003,00000001,00000000), ref: 0046FC3E
                                                          • ImageList_Create.COMCTL32(00000020,00000020,00000021,?,00000001), ref: 0046FC51
                                                          • SendMessageW.USER32(?,00001003,00000000,00000000), ref: 0046FC73
                                                          • ImageList_ReplaceIcon.COMCTL32(?,000000FF,?), ref: 0046FC97
                                                          • ImageList_ReplaceIcon.COMCTL32(?,000000FF,?), ref: 0046FCA5
                                                          • SendMessageW.USER32 ref: 0046FD00
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$IconImageList_$CreateExtractReplace
                                                          • String ID:
                                                          • API String ID: 2632138820-0
                                                          • Opcode ID: 84d296b218fe0245d687438722339ecf4745b7249032fe4bb2113eafbff2dc59
                                                          • Instruction ID: f8b2170a3f6480226351c2682443129a31dd3945ebd2779c8b18a40e734619f9
                                                          • Opcode Fuzzy Hash: 84d296b218fe0245d687438722339ecf4745b7249032fe4bb2113eafbff2dc59
                                                          • Instruction Fuzzy Hash: A461BF70208305AFD320DF14DC85F5BB7E4FB89B14F10492EFA85972D1E7B4A8498B66
                                                          APIs
                                                          • LoadCursorW.USER32(00000000,00007F89), ref: 00433BC7
                                                          • LoadCursorW.USER32(00000000,00007F8A), ref: 00433BDE
                                                          • LoadCursorW.USER32(00000000,00007F03), ref: 00433BF5
                                                          • LoadCursorW.USER32(00000000,00007F8B), ref: 00433C0C
                                                          • LoadCursorW.USER32(00000000,00007F01), ref: 00433C23
                                                          • LoadCursorW.USER32(00000000,00007F88), ref: 00433C3A
                                                          • LoadCursorW.USER32(00000000,00007F86), ref: 00433C51
                                                          • LoadCursorW.USER32(00000000,00007F83), ref: 00433C68
                                                          • LoadCursorW.USER32(00000000,00007F85), ref: 00433C7F
                                                          • LoadCursorW.USER32(00000000,00007F82), ref: 00433C96
                                                          • LoadCursorW.USER32(00000000,00007F84), ref: 00433CAD
                                                          • LoadCursorW.USER32(00000000,00007F04), ref: 00433CC4
                                                          • LoadCursorW.USER32(00000000,00007F02), ref: 00433CDB
                                                          • LoadCursorW.USER32(00000000,00000000), ref: 00433CEF
                                                          • LoadCursorW.USER32(00000000,00007F00), ref: 00433D06
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: CursorLoad
                                                          • String ID:
                                                          • API String ID: 3238433803-0
                                                          • Opcode ID: a9ae3fa102d058121485b558102ae55493db0c8a3ed3723cc80ee02977cbc66e
                                                          • Instruction ID: acd63d7325575073817552101614e6badc0a76bef24473f745c9da0ba21645f6
                                                          • Opcode Fuzzy Hash: a9ae3fa102d058121485b558102ae55493db0c8a3ed3723cc80ee02977cbc66e
                                                          • Instruction Fuzzy Hash: 6D310E3058C302FFE7504F50EE0AB1C36A0BB48B47F008C7DF64AA62E0E6F055009B9A
                                                          APIs
                                                          • GetClassNameW.USER32(?,?,00000100), ref: 00460AF5
                                                          • _wcslen.LIBCMT ref: 00460B00
                                                          • __swprintf.LIBCMT ref: 00460B9E
                                                          • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00460C11
                                                          • GetClassNameW.USER32(?,?,00000400), ref: 00460C8E
                                                          • GetDlgCtrlID.USER32(?), ref: 00460CE6
                                                          • GetWindowRect.USER32(?,?), ref: 00460D21
                                                          • GetParent.USER32(?), ref: 00460D40
                                                          • ScreenToClient.USER32(00000000), ref: 00460D47
                                                          • GetClassNameW.USER32(?,?,00000100), ref: 00460DBE
                                                          • GetWindowTextW.USER32(?,?,00000400), ref: 00460DFB
                                                           Memory Dump Source
                                                           • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_wcslen
                                                          • String ID: %s%u
                                                          • API String ID: 1899580136-679674701
                                                          • Opcode ID: 263ba601bdfcacdbc09c0537f08939095875f2576dae1f9512caffb95b688f0a
                                                          • Instruction ID: ed0b46c26cbb3f928a943cd91895a09858176ee0e89b0f6962e21683ef9d2041
                                                          • Opcode Fuzzy Hash: 263ba601bdfcacdbc09c0537f08939095875f2576dae1f9512caffb95b688f0a
                                                          • Instruction Fuzzy Hash: 3AA1CD722043019BDB14DF54C884BEB73A8FF84714F04892EFD889B245E778E946CBA6
                                                          APIs
                                                          • CoTaskMemFree.OLE32(?), ref: 0047D6D3
                                                            • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                                                          • StringFromCLSID.OLE32(?,?), ref: 0047D6B5
                                                            • Part of subcall function 0040FFF0: _wcslen.LIBCMT ref: 0040FFF2
                                                            • Part of subcall function 0040FFF0: _wcscpy.LIBCMT ref: 00410012
                                                          • StringFromIID.OLE32(?,?), ref: 0047D7F0
                                                          • CoTaskMemFree.OLE32(?), ref: 0047D80A
                                                           Memory Dump Source
                                                           • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: FreeFromStringTask_wcslen$_wcscpy
                                                          • String ID: 0vH$CLSID\$Interface\$ProgID$ToolBoxBitmap32$inprocserver32$localserver32$HH
                                                          • API String ID: 2485709727-934586222
                                                          • Opcode ID: 94ff36e8c5adf47d5d15ad8c3baf2c81511e2686fb9cf3bb874d512fd4cd8d9e
                                                          • Instruction ID: 9b1d76abf7044590dd80f2c514dab21f357569e7696d0ed80310904c07b122bf
                                                          • Opcode Fuzzy Hash: 94ff36e8c5adf47d5d15ad8c3baf2c81511e2686fb9cf3bb874d512fd4cd8d9e
                                                          • Instruction Fuzzy Hash: 63714BB5614201AFC304EF25C981D5BB3F8BF88704F108A2EF5599B351DB78E905CB6A
                                                           Memory Dump Source
                                                           • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: _wcscpy$Folder_memset$BrowseDesktopFromInitializeListMallocPathUninitialize
                                                          • String ID: HH
                                                          • API String ID: 3381189665-2761332787
                                                          • Opcode ID: cbd34bb05af2b60d6becc686f20e38c9c02ad4ea561bbadf99ecd2e28994155d
                                                          • Instruction ID: 9856a5a3be2a6f4b6f15ab218c20ab076772672eb14c4daba281b2e598c2a196
                                                          • Opcode Fuzzy Hash: cbd34bb05af2b60d6becc686f20e38c9c02ad4ea561bbadf99ecd2e28994155d
                                                          • Instruction Fuzzy Hash: E1619AB59043009FC320EF65C88499BB7E9BFC8704F048E1EF98987252D775E849CB6A
                                                          APIs
                                                          • GetDC.USER32(00000000), ref: 00434585
                                                          • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00434590
                                                          • CreateCompatibleDC.GDI32(00000000), ref: 0043459B
                                                          • SelectObject.GDI32(00000000,?), ref: 004345A9
                                                          • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00434618
                                                          • GetDIBits.GDI32(00000000,?,00000000,00000000,00000000,?,00000000), ref: 00434665
                                                           Memory Dump Source
                                                           • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: CompatibleCreate$BitmapBitsObjectSelectStretch
                                                          • String ID: (
                                                          • API String ID: 3300687185-3887548279
                                                          • Opcode ID: 850e4e4f4a3144c0c65e94ebd0f1e451ef245c66964f5ba666016bedf541cb72
                                                          • Instruction ID: a007e7ec8c3f390601fcb6226b5fc218b62818acb39bbc9fe8cd9ddeb27b86ed
                                                          • Opcode Fuzzy Hash: 850e4e4f4a3144c0c65e94ebd0f1e451ef245c66964f5ba666016bedf541cb72
                                                          • Instruction Fuzzy Hash: E4514871508345AFD310CF69C884B6BBBE9EF8A310F14881DFA9687390D7B5E844CB66
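                                                           The record above (GetDC, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits) is the standard GDI screenshot chain, and the earlier record built around the "*.*" string (GetCurrentDirectoryW, SetCurrentDirectoryW, GetFileAttributesW, SetFileAttributesW) is a directory walk that rewrites file attributes. The following is an added analyst-side example, not Joe Sandbox output and not code from the sample: it parses the "APIs" bullet format used in these records and flags both chains as ordered call subsequences. The pattern labels (gdi_screen_capture, dir_walk_set_attributes) are the editor's own, not Joe Sandbox signature names; the sample input is copied from the two records on this page.

```python
"""Parse the 'APIs' lists of Joe Sandbox function records and flag known
Win32 call chains. Added example for this report: not Joe Sandbox output,
and the pattern labels below are the author's own, not sandbox signatures."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One bullet of an 'APIs' list, in the three shapes the report uses:
#   • StretchBlt.GDI32(00000000,...,00CC0020), ref: 00434618
#   • _memset.LIBCMT ref: 00455127
#   • Part of subcall function 00436AC4: GetFileAttributesW.KERNEL32(?,...), ref: 00436AC9
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

SRCCOPY = 0x00CC0020  # GDI raster op: plain copy of the source rectangle


@dataclass
class ApiCall:
    api: str
    module: str
    args: Tuple[str, ...]   # as printed; '?' means the sandbox could not resolve the value
    ref: int                # call-site address
    subcall: Optional[int]  # callee address when the line is 'Part of subcall function'


def parse_api_lines(text: str) -> List[ApiCall]:
    """Return the calls of one record in listed order; non-API lines are ignored."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        raw_args = m.group("args") or ""
        calls.append(ApiCall(
            api=m.group("api"),
            module=m.group("module"),
            args=tuple(a.strip() for a in raw_args.split(",") if a.strip()),
            ref=int(m.group("ref"), 16),
            subcall=int(m.group("sub"), 16) if m.group("sub") else None,
        ))
    return calls


def in_order(calls: List[ApiCall], wanted: Tuple[str, ...]) -> bool:
    """True when every API in `wanted` occurs in `calls` in that order (gaps allowed)."""
    it = iter(calls)
    return all(any(c.api == w for c in it) for w in wanted)


# Author's labels for the two chains visible in this report's records.
PATTERNS = {
    # Screenshot via GDI: take the screen DC, blit it into a memory bitmap, read the pixels back.
    "gdi_screen_capture": ("GetDC", "CreateCompatibleBitmap", "CreateCompatibleDC",
                           "SelectObject", "StretchBlt", "GetDIBits"),
    # Walk a directory (the record's String ID is '*.*') and rewrite file attributes as it goes.
    "dir_walk_set_attributes": ("GetCurrentDirectoryW", "SetCurrentDirectoryW",
                                "GetFileAttributesW", "SetFileAttributesW"),
}


def flag_patterns(calls: List[ApiCall]) -> List[str]:
    return [name for name, seq in PATTERNS.items() if in_order(calls, seq)]


def stretchblt_rop(calls: List[ApiCall]) -> Optional[int]:
    """Raster op (last argument) of the first StretchBlt in the record, if it was resolved."""
    for c in calls:
        if c.api == "StretchBlt" and c.args and c.args[-1] != "?":
            return int(c.args[-1], 16)
    return None


# Constructed test input: bullets copied from the two records on this page.
SCREEN_CAPTURE_RECORD = """
• GetDC.USER32(00000000), ref: 00434585
• CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00434590
• CreateCompatibleDC.GDI32(00000000), ref: 0043459B
• SelectObject.GDI32(00000000,?), ref: 004345A9
• StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00434618
• GetDIBits.GDI32(00000000,?,00000000,00000000,00000000,?,00000000), ref: 00434665
"""

DIR_WALK_RECORD = """
• _wcsncpy.LIBCMT ref: 0045CCFA
• GetCurrentDirectoryW.KERNEL32(00000104,?,?,?,?,?,?,?,00000104,?), ref: 0045CD78
• SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,00000104,?), ref: 0045CD8C
  • Part of subcall function 00436AC4: GetFileAttributesW.KERNEL32(?,0044BD82,?,?,?), ref: 00436AC9
• GetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,00000104,?), ref: 0045CDD0
• SetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CDE6
"""

if __name__ == "__main__":
    for name, rec in (("screen capture", SCREEN_CAPTURE_RECORD), ("dir walk", DIR_WALK_RECORD)):
        calls = parse_api_lines(rec)
        print(name, [c.api for c in calls], flag_patterns(calls))
```

Matching as an ordered subsequence rather than an exact adjacent run is deliberate: the report interleaves CRT helpers (_wcscat, _memset) and "Part of subcall" lines with the Win32 calls, so exact matching would miss the chain. The raster-op check confirms that the StretchBlt in this record is a plain SRCCOPY (0x00CC0020) rather than a masked or inverted blit.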
                                                          APIs
                                                          • LoadStringW.USER32(?,00000066,?,00000FFF), ref: 0045E463
                                                            • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                                                          • LoadStringW.USER32(?,00000072,?,00000FFF), ref: 0045E480
                                                          • __swprintf.LIBCMT ref: 0045E4D9
                                                          • _printf.LIBCMT ref: 0045E595
                                                          • _printf.LIBCMT ref: 0045E5B7
                                                           Memory Dump Source
                                                           • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: LoadString_printf$__swprintf_wcslen
                                                          • String ID: Error: $%s (%d) : ==> %s:$%s (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR $HH
                                                          • API String ID: 3590180749-2894483878
                                                          • Opcode ID: ef66654f81976a0e6a78d75721240b4b5dad2d0c7f05b7bb9659983eace5fa73
                                                          • Instruction ID: 42a5c2f6345f2e10047da6565a111f96cfad8617a22bea28fc44504b1d19b7ce
                                                          • Opcode Fuzzy Hash: ef66654f81976a0e6a78d75721240b4b5dad2d0c7f05b7bb9659983eace5fa73
                                                          • Instruction Fuzzy Hash: 9F51A171518345ABD324EF91CC41DAF77A8AF84754F04093FF94463292EB78EE488B6A
                                                          APIs
                                                          • GetWindowLongW.USER32(?,000000F0), ref: 0046F911
                                                          • LoadImageW.USER32(00000000,?,00000000,00000000,00000000,00002010), ref: 0046F929
                                                          • SendMessageW.USER32(?,000000F7,00000000,00000000), ref: 0046F942
                                                          • DeleteObject.GDI32(?), ref: 0046F950
                                                          • DestroyIcon.USER32(?,?,000000F7,00000000,00000000,?,00000000,00000000,00000000,00002010,?,000000F0), ref: 0046F95E
                                                          • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00002010), ref: 0046F9A8
                                                          • SendMessageW.USER32(?,000000F7,00000001,00000000), ref: 0046F9C1
                                                          • DeleteObject.GDI32(?), ref: 0046F9CF
                                                          • DestroyIcon.USER32(?,?,000000F7,00000001,00000000,?,00000001,00000000,00000000,00002010), ref: 0046F9DD
                                                          • ExtractIconExW.SHELL32(?,?,?,000000FF,00000001), ref: 0046FA1D
                                                          • DestroyIcon.USER32(?), ref: 0046FA4F
                                                          • SendMessageW.USER32(?,000000F7,00000001,?), ref: 0046FA5A
                                                          • DeleteObject.GDI32(?), ref: 0046FA68
                                                          • DestroyIcon.USER32(?,?,000000F7,00000001,?), ref: 0046FA76
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: Icon$Destroy$DeleteMessageObjectSend$ImageLoad$ExtractLongWindow
                                                          • String ID:
                                                          • API String ID: 3412594756-0
                                                          • Opcode ID: f692dd120a8e9e8c350368ee646f6d7ebba10fee5470a76da8eaf9bc85602db5
                                                          • Instruction ID: 2b127e2e725f503062080ad48664a75956f0b49bd2ac624c91da1236fc619d99
                                                          • Opcode Fuzzy Hash: f692dd120a8e9e8c350368ee646f6d7ebba10fee5470a76da8eaf9bc85602db5
                                                          • Instruction Fuzzy Hash: BD41B575344301ABE7209B65ED45B6B7398EB44711F00083EFA85A7381DBB9E809C76A
                                                          APIs
                                                            • Part of subcall function 0045335B: CharLowerBuffW.USER32(?,?,?,0045D9DB,?,?,?), ref: 0045336E
                                                            • Part of subcall function 00445975: _wcslen.LIBCMT ref: 00445984
                                                          • GetDriveTypeW.KERNEL32 ref: 0045DA30
                                                          • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DA76
                                                          • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DAAB
                                                          • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DADF
                                                            • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: SendString$_wcslen$BuffCharDriveLowerType
                                                          • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                          • API String ID: 4013263488-4113822522
                                                          • Opcode ID: b9e44105478404289108567262d296c88e7101013f7783f6c7bd148379995db0
                                                          • Instruction ID: 78e8968fe3d68f28a61334a0544e46eb3ade7c09d07056eb4a028b8014bab4f9
                                                          • Opcode Fuzzy Hash: b9e44105478404289108567262d296c88e7101013f7783f6c7bd148379995db0
                                                          • Instruction Fuzzy Hash: 86516E71604300ABD710EF55CC85F5EB3E4AF88714F14496EF985AB2D2D7B8E908CB5A
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: _wcslen$_wcsncpy$LocalTime__wcstoi64
                                                          • String ID:
                                                          • API String ID: 228034949-0
                                                          • Opcode ID: d55b35800c2a6f74fd0df3de6656c0821778ac1c15f087543c4dc83ec7dd6154
                                                          • Instruction ID: c9113392db11e6d0b84b7dcaf0f9983ae7bcdcfbf3325debe08446cd55f13bc3
                                                          • Opcode Fuzzy Hash: d55b35800c2a6f74fd0df3de6656c0821778ac1c15f087543c4dc83ec7dd6154
                                                          • Instruction Fuzzy Hash: 874194B181435066DA10FF6AC8479DFB3A8EF89314F84495FF945D3162E378E64883AA
                                                          APIs
                                                          • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?,?,0046FAD5), ref: 004334F4
                                                          • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,0046FAD5,?,?,?,?), ref: 0043350F
                                                          • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,0046FAD5,?,?,?,?), ref: 0043351A
                                                          • GlobalLock.KERNEL32(00000000), ref: 00433523
                                                          • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,0046FAD5,?,?,?,?), ref: 00433533
                                                          • GlobalUnlock.KERNEL32(00000000), ref: 0043353A
                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,0046FAD5,?,?,?,?), ref: 00433541
                                                          • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,0046FAD5,?,?,?,?), ref: 0043354F
                                                          • OleLoadPicture.OLEAUT32(?,00000000,00000000,00482A20,?), ref: 00433568
                                                          • GlobalFree.KERNEL32(00000000), ref: 0043357B
                                                          • GetObjectW.GDI32(?,00000018,?), ref: 004335A6
                                                          • CopyImage.USER32(?,00000000,?,?,00002000), ref: 004335DB
                                                          • DeleteObject.GDI32(?), ref: 00433603
                                                          • SendMessageW.USER32(?,00000172,00000000,?), ref: 0043361B
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: Global$File$CreateObject$AllocCloseCopyDeleteFreeHandleImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                          • String ID:
                                                          • API String ID: 3969911579-0
                                                          • Opcode ID: c8af0a6d34b3156cf5dea3d494721158f709963105dd3e2632bd1b1f7de041f4
                                                          • Instruction ID: 5aed18668fdc988692497ed4484016cc97142e8c7c748bcd34b77a3330007e11
                                                          • Opcode Fuzzy Hash: c8af0a6d34b3156cf5dea3d494721158f709963105dd3e2632bd1b1f7de041f4
                                                          • Instruction Fuzzy Hash: 70410471204210AFD710DF64DC88F6BBBE8FB89711F10492DFA45972A0D7B5A941CBAA
                                                          APIs
                                                            • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                                                          • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0045EF6C
                                                          • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0045EF81
                                                          • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045EF94
                                                          • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0045EFAB
                                                          • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0045EFB8
                                                          • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0045EFD2
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: SendString$_wcslen
                                                          • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                          • API String ID: 2420728520-1007645807
                                                          • Opcode ID: 2e8e49e05c1f121906b47c7a82fbb4c843ecfb9788746b18ac8014d8855edcbb
                                                          • Instruction ID: e5e6e3524f15ee9b53aa238c1547bf14c0af5fa70a1fb0ad50a0449216793e57
                                                          • Opcode Fuzzy Hash: 2e8e49e05c1f121906b47c7a82fbb4c843ecfb9788746b18ac8014d8855edcbb
                                                          • Instruction Fuzzy Hash: F321A53164830476E220FB51DC87F9E7798AB84B14F200D3BBA407A0D1DBA8E94CC76E
                                                          APIs
                                                          • GetParent.USER32 ref: 00445A8D
                                                          • GetClassNameW.USER32(00000000,?,00000100), ref: 00445AA0
                                                          • __wcsicoll.LIBCMT ref: 00445AC4
                                                          • __wcsicoll.LIBCMT ref: 00445AE0
                                                          • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00445B3D
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: __wcsicoll$ClassMessageNameParentSend
                                                          • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                          • API String ID: 3125838495-3381328864
                                                          • Opcode ID: 6f6f70247b4827d2a410ddc22f410c306ecb8b2e46d0c95c17204de523c723c4
                                                          • Instruction ID: 9ea7b4bfd8e333fc3d4c3d1cc69785ca983c3453aa66f955cff8de8c622a02b1
                                                          • Opcode Fuzzy Hash: 6f6f70247b4827d2a410ddc22f410c306ecb8b2e46d0c95c17204de523c723c4
                                                          • Instruction Fuzzy Hash: F011E9B1B40301BBFF10B6659C46EAF739CDF94759F00081BFD44E6182F6ACA9458769
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: CopyVariant$ErrorLast
                                                          • String ID: Conversion of parameters failed$NULL Pointer assignment$Not an Object type
                                                          • API String ID: 2286883814-4206948668
                                                          • Opcode ID: 2f6e4bc4aaf8f7a3794965dba448b56a5b6575b3b05f264a778baa01eb75d6f6
                                                          • Instruction ID: 5c76bcf0434180a49ef26f8382d3619d889c8a8ee3f63882ad125ac36acecb62
                                                          • Opcode Fuzzy Hash: 2f6e4bc4aaf8f7a3794965dba448b56a5b6575b3b05f264a778baa01eb75d6f6
                                                          • Instruction Fuzzy Hash: 4EA1F0B1644300ABD620EB25CC81EABB3E9FBC4704F10891EF65987251D779E945CBAA
                                                          APIs
                                                            • Part of subcall function 0045335B: CharLowerBuffW.USER32(?,?,?,0045D9DB,?,?,?), ref: 0045336E
                                                            • Part of subcall function 00445975: _wcslen.LIBCMT ref: 00445984
                                                          • GetDriveTypeW.KERNEL32(?,?,00000061), ref: 00475EEC
                                                          • _wcscpy.LIBCMT ref: 00475F18
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: BuffCharDriveLowerType_wcscpy_wcslen
                                                          • String ID: a$all$cdrom$fixed$network$ramdisk$removable$unknown$HH
                                                          • API String ID: 3052893215-4176887700
                                                          • Opcode ID: 531685fb0cf90d6ae2ec3f9560420c3d557b818d2d0e5f32259ad5e7ccb69ffd
                                                          • Instruction ID: 30c0e749cffa51fc832ec364bb88d57898ea161693411a08ebb212f54f1b1ce2
                                                          • Opcode Fuzzy Hash: 531685fb0cf90d6ae2ec3f9560420c3d557b818d2d0e5f32259ad5e7ccb69ffd
                                                          • Instruction Fuzzy Hash: E951E5716047009BC710EF51D981B9BB3D4AB85705F108C2FF948AB382D7B9DE09879B
                                                          APIs
                                                          • StringFromIID.OLE32(?,?,00000003,?,?,00000000), ref: 004582E5
                                                            • Part of subcall function 0040FFF0: _wcslen.LIBCMT ref: 0040FFF2
                                                            • Part of subcall function 0040FFF0: _wcscpy.LIBCMT ref: 00410012
                                                            • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                                                          • CoTaskMemFree.OLE32(?,00000000), ref: 00458335
                                                          • RegOpenKeyExW.ADVAPI32(80000000,?,00000000,00020019,?), ref: 00458351
                                                          • RegQueryValueExW.ADVAPI32 ref: 00458381
                                                          • CLSIDFromString.OLE32(00000000,?), ref: 004583AF
                                                          • RegQueryValueExW.ADVAPI32 ref: 004583E8
                                                          • LoadRegTypeLib.OLEAUT32(?,?), ref: 00458486
                                                            • Part of subcall function 00413F97: __wtof_l.LIBCMT ref: 00413FA1
                                                          • RegCloseKey.ADVAPI32(?), ref: 004584BA
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: FromQueryStringValue_wcslen$CloseFreeLoadOpenTaskType__wtof_l_wcscpy
                                                          • String ID: Version$\TypeLib$interface\
                                                          • API String ID: 656856066-939221531
                                                          • Opcode ID: fae0be2ce993580ee9701cb6b1f6a998fde8705fa16d3e1feab2af977247b743
                                                          • Instruction ID: 73379605cfaaf105ee685c6daddaf2c4824f5dc828714578f474d0d05c7db838
                                                          • Opcode Fuzzy Hash: fae0be2ce993580ee9701cb6b1f6a998fde8705fa16d3e1feab2af977247b743
                                                          • Instruction Fuzzy Hash: 19513B715083059BD310EF55D944A6FB3E8FFC8B08F004A2DF985A7251EA78DD09CB9A
                                                          APIs
                                                          • LoadStringW.USER32(?,00000066,?,00000FFF), ref: 0045E676
                                                            • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                                                          • LoadStringW.USER32(?,?,?,00000FFF), ref: 0045E69A
                                                          • __swprintf.LIBCMT ref: 0045E6EE
                                                          • _printf.LIBCMT ref: 0045E7A9
                                                          • _printf.LIBCMT ref: 0045E7D2
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: LoadString_printf$__swprintf_wcslen
                                                          • String ID: Error: $%s (%d) : ==> %s:$%s (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                          • API String ID: 3590180749-2354261254
                                                          • Opcode ID: fd3ade05fede2dfa3d14bccfacac15f81e3d16141c85e45952f832d3a26197ce
                                                          • Instruction ID: 835382aeb01427732dc6b750cf2ba574ed77461063debdd42288bdc21f9728b4
                                                          • Opcode Fuzzy Hash: fd3ade05fede2dfa3d14bccfacac15f81e3d16141c85e45952f832d3a26197ce
                                                          • Instruction Fuzzy Hash: B051D5715143019BD324FB51CC41EAF77A8AF84354F14093FF94563292DB78AE49CB6A
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: __swprintf_wcscpy$__i64tow__itow
                                                          • String ID: %.15g$0x%p$False$True
                                                          • API String ID: 3038501623-2263619337
                                                          • Opcode ID: 7e05bcd9e2404d5900448c0fd088cae6e51159eb800a8f0db5a010da26838fc3
                                                          • Instruction ID: 2d826072eebb3cc9b8b6a8fde8b9da0ebc7f558755c715a4a51c402ed3db85ba
                                                          • Opcode Fuzzy Hash: 7e05bcd9e2404d5900448c0fd088cae6e51159eb800a8f0db5a010da26838fc3
                                                          • Instruction Fuzzy Hash: 5741E5B2504204ABD700EF35EC06EAB73A4EB95304F04892FFD0997282F67DD619976E
                                                          APIs
                                                            • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                                                          • _memset.LIBCMT ref: 00458194
                                                          • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 004581D6
                                                          • RegConnectRegistryW.ADVAPI32(?,80000002,00000000), ref: 004581F4
                                                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,00000000), ref: 00458219
                                                          • RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,?,?), ref: 00458248
                                                          • CLSIDFromString.OLE32(00000000,?), ref: 00458279
                                                          • RegCloseKey.ADVAPI32(00000000), ref: 0045828F
                                                          • RegCloseKey.ADVAPI32(00000000), ref: 00458296
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memset_wcslen
                                                          • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                          • API String ID: 2255324689-22481851
                                                          • Opcode ID: 40f125b4ffe5f12493adc0cb93ab67eb911e8c28f62e3d79c4190a4fe5521cad
                                                          • Instruction ID: 0916ae95de1959dc40878de41837780f7e862baf069d4d5c3429810960799c2e
                                                          • Opcode Fuzzy Hash: 40f125b4ffe5f12493adc0cb93ab67eb911e8c28f62e3d79c4190a4fe5521cad
                                                          • Instruction Fuzzy Hash: 4A4190725083019BD320EF54C845B5FB7E8AF84714F044D2EFA8577291DBB8E949CB9A
                                                          APIs
                                                          • RegOpenKeyExW.ADVAPI32(80000000,interface,00000000,00020019,?), ref: 00458513
                                                          • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?), ref: 00458538
                                                          • RegCloseKey.ADVAPI32(?), ref: 00458615
                                                            • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                                                          • RegOpenKeyExW.ADVAPI32(80000000,?,00000000,00020019,000001FE,interface\), ref: 0045858A
                                                          • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,00000028), ref: 004585A8
                                                          • __wcsicoll.LIBCMT ref: 004585D6
                                                          • IIDFromString.OLE32(?,?,?,?), ref: 004585EB
                                                          • RegCloseKey.ADVAPI32(?), ref: 004585F8
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: CloseOpen$EnumFromQueryStringValue__wcsicoll_wcslen
                                                          • String ID: ($interface$interface\
                                                          • API String ID: 2231185022-3327702407
                                                          • Opcode ID: f3ba987632fb2ab980929a1e8c26c1d4f1068388d2a95cb25d4e52b6d927b3fe
                                                          • Instruction ID: 2ed788c9a442d2de66cb2a0eaf665167c450c6ff9570aaff4df7cfaf3afbbce1
                                                          • Opcode Fuzzy Hash: f3ba987632fb2ab980929a1e8c26c1d4f1068388d2a95cb25d4e52b6d927b3fe
                                                          • Instruction Fuzzy Hash: CE317271204305ABE710DF54DD85F6BB3E8FB84744F10492DF685A6191EAB8E908C76A
                                                          APIs
                                                          • WSAStartup.WSOCK32(00000101,?), ref: 004365A5
                                                          • gethostname.WSOCK32(00000100,00000100,00000101,?), ref: 004365BC
                                                          • gethostbyname.WSOCK32(00000101,00000100,00000100,00000101,?), ref: 004365C6
                                                          • _wcscpy.LIBCMT ref: 004365F5
                                                          • WSACleanup.WSOCK32 ref: 004365FD
                                                          • inet_ntoa.WSOCK32(00000100,?), ref: 00436624
                                                          • _strcat.LIBCMT ref: 0043662F
                                                          • _wcscpy.LIBCMT ref: 00436644
                                                          • WSACleanup.WSOCK32(?,?,?,?,?,?,00000100,?), ref: 00436652
                                                          • _wcscpy.LIBCMT ref: 00436666
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: _wcscpy$Cleanup$Startup_strcatgethostbynamegethostnameinet_ntoa
                                                          • String ID: 0.0.0.0
                                                          • API String ID: 2691793716-3771769585
                                                          • Opcode ID: 4b0b642d101985f70d6cdd6c7558d2647848e1b39832a20c11015ca7ea879481
                                                          • Instruction ID: 29d249c793a1599df1911ffab6ed89036a29d54f41df1114d8fa63e2d2305339
                                                          • Opcode Fuzzy Hash: 4b0b642d101985f70d6cdd6c7558d2647848e1b39832a20c11015ca7ea879481
                                                          • Instruction Fuzzy Hash: 5C21D4726003016BD620FB269C42FFF33A89FD4318F54492FF64456242EABDD58983AB
                                                          APIs
                                                          • GetModuleHandleW.KERNEL32(KERNEL32.DLL,0048C968,0000000C,00416C4D,00000000,00000000,?,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416B24
                                                          • __crt_waiting_on_module_handle.LIBCMT ref: 00416B2F
                                                            • Part of subcall function 0041177F: Sleep.KERNEL32(000003E8,?,?,00416A38,KERNEL32.DLL,?,00411B0C,?,00413973,00411739,?,?,00411739,?,00401C0B), ref: 0041178B
                                                            • Part of subcall function 0041177F: GetModuleHandleW.KERNEL32(00411739,?,?,00416A38,KERNEL32.DLL,?,00411B0C,?,00413973,00411739,?,?,00411739,?,00401C0B), ref: 00411794
                                                          • GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 00416B58
                                                          • GetProcAddress.KERNEL32(00411739,DecodePointer), ref: 00416B68
                                                          • __lock.LIBCMT ref: 00416B8A
                                                          • InterlockedIncrement.KERNEL32(00EA60FF), ref: 00416B97
                                                          • __lock.LIBCMT ref: 00416BAB
                                                          • ___addlocaleref.LIBCMT ref: 00416BC9
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: AddressHandleModuleProc__lock$IncrementInterlockedSleep___addlocaleref__crt_waiting_on_module_handle
                                                          • String ID: DecodePointer$EncodePointer$KERNEL32.DLL
                                                          • API String ID: 1028249917-2843748187
                                                          • Opcode ID: 149215eb9963fdce733e6eee9b7d54027110d9b9ecd285c2a82fe369659baa59
                                                          • Instruction ID: dfb830706c011728ae11a8c0f52cb2fa371409e71f4acd403326aacb15a29bdd
                                                          • Opcode Fuzzy Hash: 149215eb9963fdce733e6eee9b7d54027110d9b9ecd285c2a82fe369659baa59
                                                          • Instruction Fuzzy Hash: 4E119671944701AFD720EF76C905B9EBBE0AF00714F10495FE469A6391DB78A580CB1D
                                                          APIs
                                                          • SendMessageW.USER32(?,00000000,000000FF,?), ref: 0044931D
                                                          • SendMessageW.USER32(?,0045BBB0,00000000,00000000), ref: 0044932D
                                                          • CharNextW.USER32(?,?,?,?,0045BBB0,00000000,00000000,?,?), ref: 00449361
                                                          • SendMessageW.USER32(?,?,00000000,00000000), ref: 00449375
                                                          • SendMessageW.USER32(?,00000402,?), ref: 0044941C
                                                          • SendMessageW.USER32(004A83D8,000000C2,00000001,?), ref: 004494A0
                                                          • SendMessageW.USER32(?,00001002,00000000,?), ref: 00449515
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$CharNext
                                                          • String ID:
                                                          • API String ID: 1350042424-0
                                                          • Opcode ID: 5fd89deb92f75c0e0d7406111af65340a6b95ffecf1ba9c2db83920ef449de6e
                                                          • Instruction ID: cf19a455924c4199ae2d31ef2e344bdd2865620a2145bd440d1f5c61272ee54d
                                                          • Opcode Fuzzy Hash: 5fd89deb92f75c0e0d7406111af65340a6b95ffecf1ba9c2db83920ef449de6e
                                                          • Instruction Fuzzy Hash: 5D81B5312083019BE720DF15DC85FBBB7E4EBD9B20F00492EFA54962C0D7B99946D766
                                                          APIs
                                                          • GetKeyboardState.USER32(?,?,00000000), ref: 00453C0D
                                                          • SetKeyboardState.USER32(?), ref: 00453C5A
                                                          • GetAsyncKeyState.USER32(000000A0), ref: 00453C82
                                                          • GetKeyState.USER32(000000A0), ref: 00453C99
                                                          • GetAsyncKeyState.USER32(000000A1), ref: 00453CC9
                                                          • GetKeyState.USER32(000000A1), ref: 00453CDA
                                                          • GetAsyncKeyState.USER32(00000011), ref: 00453D07
                                                          • GetKeyState.USER32(00000011), ref: 00453D15
                                                          • GetAsyncKeyState.USER32(00000012), ref: 00453D3F
                                                          • GetKeyState.USER32(00000012), ref: 00453D4D
                                                          • GetAsyncKeyState.USER32(0000005B), ref: 00453D77
                                                          • GetKeyState.USER32(0000005B), ref: 00453D85
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: State$Async$Keyboard
                                                          • String ID:
                                                          • API String ID: 541375521-0
                                                          • Opcode ID: 439544d7db57c6269f5a832870b7215b314e2d5ec2fc8731d7b6f8ebe45629c5
                                                          • Instruction ID: 09d2c23b2f41f951af40c960ff4fa7a39ed3d74d48f5bb091813d5d41b5bf946
                                                          • Opcode Fuzzy Hash: 439544d7db57c6269f5a832870b7215b314e2d5ec2fc8731d7b6f8ebe45629c5
                                                          • Instruction Fuzzy Hash: BD5108311497C42AF731EF6048217A7BBE45F52782F488D5EE9C107283E619AB0C976B
                                                          APIs
                                                          • GetDlgItem.USER32(?,00000001), ref: 00437DD7
                                                          • GetWindowRect.USER32(00000000,?), ref: 00437DE9
                                                          • MoveWindow.USER32(00000000,0000000A,?,?,?,00000000), ref: 00437E5C
                                                          • GetDlgItem.USER32(?,00000002), ref: 00437E70
                                                          • GetWindowRect.USER32(00000000,?), ref: 00437E82
                                                          • MoveWindow.USER32(00000000,?,00000000,?,?,00000000), ref: 00437EDB
                                                          • GetDlgItem.USER32(?,000003E9), ref: 00437EEA
                                                          • GetWindowRect.USER32(00000000,?), ref: 00437EFC
                                                          • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00437F46
                                                          • GetDlgItem.USER32(?,000003EA), ref: 00437F55
                                                          • MoveWindow.USER32(00000000,0000000A,0000000A,?,-000000FB,00000000), ref: 00437F6E
                                                          • InvalidateRect.USER32(?,00000000,00000001), ref: 00437F78
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: Window$ItemMoveRect$Invalidate
                                                          • String ID:
                                                          • API String ID: 3096461208-0
                                                          • Opcode ID: 85b2574db82c4a067caaf632f6dab2f3668a9f7fdedc9eb4d1c33f4a9692aa02
                                                          • Instruction ID: 6334a21bf5495bf578199e0a0c43900503e40640961724061e29feeedb49a886
                                                          • Opcode Fuzzy Hash: 85b2574db82c4a067caaf632f6dab2f3668a9f7fdedc9eb4d1c33f4a9692aa02
                                                          • Instruction Fuzzy Hash: 46511CB16083069FC318DF68DD85A2BB7E9ABC8300F144A2DF985D3391E6B4ED058B95
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
                                                          • String ID:
                                                          • API String ID: 136442275-0
                                                          • Opcode ID: 8bb1124220d8f68122d0f1a8633f784f40ed2a0c71bdd1f95919e960fb23027d
                                                          • Instruction ID: e47e2093bf76b35e8f1fec89578fc46911e8a4506192668d3a16ce6d5165f020
                                                          • Opcode Fuzzy Hash: 8bb1124220d8f68122d0f1a8633f784f40ed2a0c71bdd1f95919e960fb23027d
                                                          • Instruction Fuzzy Hash: 744124B2408345ABC235E754C885EEF73ECABD8314F44891EB68D42141EB796688C7A7
                                                          APIs
                                                            • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046B479
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: ConnectRegistry_wcslen
                                                          • String ID: HH
                                                          • API String ID: 535477410-2761332787
                                                          APIs
                                                          • GetClassNameW.USER32(?,?,00000400), ref: 004604B5
                                                          • GetWindowTextW.USER32(?,?,00000400), ref: 004604F1
                                                          • _wcslen.LIBCMT ref: 00460502
                                                          • CharUpperBuffW.USER32(?,00000000), ref: 00460510
                                                          • GetClassNameW.USER32(?,?,00000400), ref: 00460589
                                                          • GetWindowTextW.USER32(?,?,00000400), ref: 004605C2
                                                          • GetClassNameW.USER32(?,?,00000400), ref: 00460606
                                                          • GetClassNameW.USER32(?,?,00000400), ref: 0046063E
                                                          • GetWindowRect.USER32(?,?), ref: 004606AD
                                                          Strings
                                                          Similarity
                                                          • API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen
                                                          • String ID: ThumbnailClass
                                                          • API String ID: 4123061591-1241985126
                                                          APIs
                                                            • Part of subcall function 00456354: GetCursorPos.USER32(004A83D8), ref: 0045636A
                                                            • Part of subcall function 00456354: ScreenToClient.USER32(004A83D8,?), ref: 0045638A
                                                            • Part of subcall function 00456354: GetAsyncKeyState.USER32(?), ref: 004563D0
                                                            • Part of subcall function 00456354: GetAsyncKeyState.USER32(?), ref: 004563DC
                                                          • DefDlgProcW.USER32(?,00000205,?,?,004A83D8,00000000,00000001,004A83D8,?), ref: 0046F55F
                                                          • ImageList_DragLeave.COMCTL32(00000000,004A83D8,00000000,00000001,004A83D8,?), ref: 0046F57D
                                                          • ImageList_EndDrag.COMCTL32 ref: 0046F583
                                                          • ReleaseCapture.USER32 ref: 0046F589
                                                          • SetWindowTextW.USER32(?,00000000), ref: 0046F620
                                                          • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 0046F630
                                                          Strings
                                                          Similarity
                                                          • API ID: AsyncDragImageList_State$CaptureClientCursorLeaveMessageProcReleaseScreenSendTextWindow
                                                          • String ID: @GUI_DRAGFILE$@GUI_DROPID$HH
                                                          • API String ID: 2483343779-2060113733
                                                          APIs
                                                          • ExtractIconExW.SHELL32(?,?,00000000,?,00000001), ref: 0046FD8A
                                                          • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001,004A83D8,?), ref: 0046FDF0
                                                          • SendMessageW.USER32(?,00001109,00000000,00000000), ref: 0046FE0E
                                                          • ImageList_ReplaceIcon.COMCTL32(?,000000FF,?,004A83D8,?), ref: 0046FE20
                                                          • SendMessageW.USER32(?,0000113E,00000000,?), ref: 0046FEA5
                                                          • SendMessageW.USER32(?,0000113F,00000000,?), ref: 0046FEDF
                                                          • GetClientRect.USER32(?,?), ref: 0046FEF2
                                                          • RedrawWindow.USER32(?,?,00000000,00000000), ref: 0046FF02
                                                          • DestroyIcon.USER32(?), ref: 0046FFCC
                                                          Strings
                                                          Similarity
                                                          • API ID: IconMessageSend$ImageList_$ClientCreateDestroyExtractRectRedrawReplaceWindow
                                                          • String ID: 2
                                                          • API String ID: 1331449709-450215437
                                                          APIs
                                                          • DestroyWindow.USER32(?,?,?,?,?,?,00000000,static,00000000,00000000,?,?,00000000,00000000,?,00000000), ref: 00450EE1
                                                          Strings
                                                          Similarity
                                                          • API ID: DestroyWindow
                                                          • String ID: static
                                                          • API String ID: 3375834691-2160076837
                                                          APIs
                                                          • GetCurrentProcess.KERNEL32(00000008,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00439409
                                                          • OpenThreadToken.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?), ref: 0043940C
                                                          • GetCurrentProcess.KERNEL32(00000008,?,?,?,?,?,?,?,?,?,?), ref: 0043941D
                                                          • OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?), ref: 00439420
                                                          • LookupPrivilegeValueW.ADVAPI32(00000000,SeAssignPrimaryTokenPrivilege,?), ref: 0043945B
                                                          • LookupPrivilegeValueW.ADVAPI32(00000000,SeIncreaseQuotaPrivilege,?), ref: 00439474
                                                          • _memcmp.LIBCMT ref: 004394A9
                                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004394F8
                                                          Strings
                                                          • SeIncreaseQuotaPrivilege, xrefs: 0043946A
                                                          • SeAssignPrimaryTokenPrivilege, xrefs: 00439455
                                                          Similarity
                                                          • API ID: Process$CurrentLookupOpenPrivilegeTokenValue$CloseHandleThread_memcmp
                                                          • String ID: SeAssignPrimaryTokenPrivilege$SeIncreaseQuotaPrivilege
                                                          • API String ID: 1446985595-805462909
                                                          APIs
                                                          • SetErrorMode.KERNEL32(00000001), ref: 0045D848
                                                          • GetDriveTypeW.KERNEL32(?,?), ref: 0045D8A3
                                                          • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D94A
                                                          Strings
                                                          Similarity
                                                          • API ID: ErrorMode$DriveType
                                                          • String ID: CDROM$Fixed$Network$RAMDisk$Removable$Unknown$HH
                                                          • API String ID: 2907320926-41864084
                                                          APIs
                                                          • SafeArrayAccessData.OLEAUT32(CE8B7824,?), ref: 004672E6
                                                          • SafeArrayUnaccessData.OLEAUT32(CE8B7824), ref: 0046735D
                                                          • SafeArrayAccessData.OLEAUT32(CE8B7824,?), ref: 00467375
                                                          • SafeArrayUnaccessData.OLEAUT32(CE8B7824), ref: 004673ED
                                                          • SafeArrayGetVartype.OLEAUT32(CE8B7824,?), ref: 00467418
                                                          • SafeArrayAccessData.OLEAUT32(CE8B7824,?), ref: 00467445
                                                          • SafeArrayUnaccessData.OLEAUT32(CE8B7824), ref: 0046746A
                                                          • SafeArrayUnaccessData.OLEAUT32(CE8B7824), ref: 00467559
                                                          • SafeArrayAccessData.OLEAUT32(CE8B7824,?), ref: 0046748A
                                                            • Part of subcall function 0041171A: std::bad_alloc::bad_alloc.LIBCMT ref: 00411757
                                                            • Part of subcall function 0041171A: std::bad_exception::bad_exception.LIBCMT ref: 0041176B
                                                            • Part of subcall function 0041171A: __CxxThrowException@8.LIBCMT ref: 00411779
                                                          • SafeArrayAccessData.OLEAUT32(CE8B7824,?), ref: 00467571
                                                          • SafeArrayUnaccessData.OLEAUT32(CE8B7824), ref: 004675E4
                                                            • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                                                          Similarity
                                                          • API ID: ArraySafe$Data$AccessUnaccess$Exception@8ThrowVartype_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exception
                                                          • String ID:
                                                          • API String ID: 1932665248-0
                                                          APIs
                                                          • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00448182
                                                          • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00448185
                                                          • GetWindowLongW.USER32(?,000000F0), ref: 004481A7
                                                          • _memset.LIBCMT ref: 004481BA
                                                          • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004481CC
                                                          • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 0044824E
                                                          • SendMessageW.USER32(?,00001074,?,00000007), ref: 004482A4
                                                          • SendMessageW.USER32(?,00001057,00000000,00000000), ref: 004482BE
                                                          • SendMessageW.USER32(?,0000101D,00000001,00000000), ref: 004482E3
                                                          • SendMessageW.USER32(?,0000101E,00000001,00000000), ref: 004482FC
                                                          • SendMessageW.USER32(?,00001008,?,00000007), ref: 00448317
                                                          Similarity
                                                          • API ID: MessageSend$LongWindow_memset
                                                          • String ID:
                                                          • API String ID: 830647256-0
                                                          APIs
                                                            • Part of subcall function 0043343D: InvalidateRect.USER32(?,00000000,00000001), ref: 004334BE
                                                          • DestroyAcceleratorTable.USER32(?), ref: 0046EA9F
                                                          • ImageList_Destroy.COMCTL32(?), ref: 0046EB04
                                                          • ImageList_Destroy.COMCTL32(?), ref: 0046EB18
                                                          • ImageList_Destroy.COMCTL32(?), ref: 0046EB24
                                                          • DeleteObject.GDI32(00650000), ref: 0046EB4F
                                                          • DestroyIcon.USER32(00730072), ref: 0046EB67
                                                          • DeleteObject.GDI32(490B4406), ref: 0046EB7F
                                                          • DestroyWindow.USER32(00540000), ref: 0046EB97
                                                          • DestroyIcon.USER32(?), ref: 0046EBBF
                                                          • DestroyIcon.USER32(?), ref: 0046EBCD
                                                          Similarity
                                                          • API ID: Destroy$IconImageList_$DeleteObject$AcceleratorInvalidateRectTableWindow
                                                          • String ID:
                                                          • API String ID: 802431696-0
                                                          APIs
                                                          • GetKeyboardState.USER32(?,?,?), ref: 00444D8A
                                                          • GetAsyncKeyState.USER32(000000A0), ref: 00444E0F
                                                          • GetKeyState.USER32(000000A0), ref: 00444E26
                                                          • GetAsyncKeyState.USER32(000000A1), ref: 00444E40
                                                          • GetKeyState.USER32(000000A1), ref: 00444E51
                                                          • GetAsyncKeyState.USER32(00000011), ref: 00444E69
                                                          • GetKeyState.USER32(00000011), ref: 00444E77
                                                          • GetAsyncKeyState.USER32(00000012), ref: 00444E8F
                                                          • GetKeyState.USER32(00000012), ref: 00444E9D
                                                          • GetAsyncKeyState.USER32(0000005B), ref: 00444EB5
                                                          • GetKeyState.USER32(0000005B), ref: 00444EC3
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: State$Async$Keyboard
                                                          • String ID:
                                                          • API String ID: 541375521-0
                                                          • Opcode ID: d4a73a67db12bad31d9fb613c99c8778707defbe90317bf640d05d8e99de570f
                                                          • Instruction ID: c605e69a62dfc64c618b97cb3a1930d242a0674024be490a091b983f03ece729
                                                          • Opcode Fuzzy Hash: d4a73a67db12bad31d9fb613c99c8778707defbe90317bf640d05d8e99de570f
                                                          • Instruction Fuzzy Hash: 6A41C3646087C52DFB31966484017E7FFD16FA2708F58844FD1C5067C2DBAEA9C8C7AA
                                                          APIs
                                                          • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 004508CB
                                                          • SendMessageW.USER32(?,00001036,00000000,?), ref: 004508DB
                                                          • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,00001036,00000000,?,000000FF,?,SysListView32,004848E8,00000000), ref: 004508FC
                                                          • _wcslen.LIBCMT ref: 00450944
                                                          • _wcscat.LIBCMT ref: 00450955
                                                          • SendMessageW.USER32(?,00001057,00000000,?), ref: 0045096C
                                                          • SendMessageW.USER32(?,00001061,?,?), ref: 0045099B
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$Window_wcscat_wcslen
                                                          • String ID: -----$SysListView32
                                                          • API String ID: 4008455318-3975388722
                                                          • Opcode ID: 1aeeed20face43e167d1a5b6966347104c1855cbe0e780de9d31d79ee612f7fa
                                                          • Instruction ID: 786a3889ee88f98d9b0e9b4b0e1dacf7018a6923f31dd28eeaa3c07ad082d1a6
                                                          • Opcode Fuzzy Hash: 1aeeed20face43e167d1a5b6966347104c1855cbe0e780de9d31d79ee612f7fa
                                                          • Instruction Fuzzy Hash: 17519470504340ABE330DB65C885FABB3E4AF84714F104E1EFA94972D3D6B99989CB65
                                                          APIs
                                                          • _memset.LIBCMT ref: 00448625
                                                          • CreateMenu.USER32 ref: 0044863C
                                                          • SetMenu.USER32(?,00000000), ref: 0044864C
                                                          • GetMenuItemInfoW.USER32(?,?,00000000,004A83D8), ref: 004486D6
                                                          • IsMenu.USER32(?), ref: 004486EB
                                                          • CreatePopupMenu.USER32 ref: 004486F5
                                                          • InsertMenuItemW.USER32(?,?,00000001,004A83D8), ref: 00448739
                                                          • DrawMenuBar.USER32 ref: 00448742
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                                                          • String ID: 0
                                                          • API String ID: 176399719-4108050209
                                                          • Opcode ID: 4add02930eb798c2c2cb68413aedc402262f89096725e95a36bc963f45c6c407
                                                          • Instruction ID: 98f94d81d6847d6484dd50bbdc77a0bd9f9f2d632c710d3394220f00cc789bef
                                                          • Opcode Fuzzy Hash: 4add02930eb798c2c2cb68413aedc402262f89096725e95a36bc963f45c6c407
                                                          • Instruction Fuzzy Hash: 86417675604201AFD700CF68D894A9BBBE4FF89314F14891EFA488B350DBB5A845CFA6
                                                          APIs
                                                            • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                                                          • SendMessageW.USER32(00000000,0000018C,000000FF,00000000), ref: 00469277
                                                          • GetDlgCtrlID.USER32(00000000), ref: 00469289
                                                          • GetParent.USER32 ref: 004692A4
                                                          • SendMessageW.USER32(00000000,?,00000111), ref: 004692A7
                                                          • GetDlgCtrlID.USER32(00000000), ref: 004692AE
                                                          • GetParent.USER32 ref: 004692C7
                                                          • SendMessageW.USER32(00000000,?,00000111,?), ref: 004692CA
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$CtrlParent$_wcslen
                                                          • String ID: ComboBox$ListBox
                                                          • API String ID: 2040099840-1403004172
                                                          • Opcode ID: d7a46b5f720fef199203ad69d051b39deebb3b2451f9d950c399d088bcf038a9
                                                          • Instruction ID: ef07326ddff4210f4741e87947fad3c2ec39ee11b6619cfdf8cc81125e1c6f8c
                                                          • Opcode Fuzzy Hash: d7a46b5f720fef199203ad69d051b39deebb3b2451f9d950c399d088bcf038a9
                                                          • Instruction Fuzzy Hash: BC21D6716002147BD600AB65CC45DBFB39CEB85324F044A1FF954A73D1DAB8EC0947B9
                                                          APIs
                                                            • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                                                          • SendMessageW.USER32(00000186,00000186,?,00000000), ref: 00469471
                                                          • GetDlgCtrlID.USER32(00000000), ref: 00469483
                                                          • GetParent.USER32 ref: 0046949E
                                                          • SendMessageW.USER32(00000000,?,00000111), ref: 004694A1
                                                          • GetDlgCtrlID.USER32(00000000), ref: 004694A8
                                                          • GetParent.USER32 ref: 004694C1
                                                          • SendMessageW.USER32(00000000,?,00000111,?), ref: 004694C4
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$CtrlParent$_wcslen
                                                          • String ID: ComboBox$ListBox
                                                          • API String ID: 2040099840-1403004172
                                                          • Opcode ID: 2e10f5a1695edfae3743bbe69767f09e04e95ab32c83142982b04f1cb5eb07ed
                                                          • Instruction ID: 434b10a17d45167e777e8ea6e726dd6ee4e01267e4a119798c8aa60e835c5cdc
                                                          • Opcode Fuzzy Hash: 2e10f5a1695edfae3743bbe69767f09e04e95ab32c83142982b04f1cb5eb07ed
                                                          • Instruction Fuzzy Hash: CA21D7756002147BD600BB29CC45EBFB39CEB85314F04492FF984A7291EABCEC0A4779
                                                          APIs
                                                            • Part of subcall function 004419ED: DeleteObject.GDI32(?), ref: 00441A53
                                                          • SendMessageW.USER32(75C123D0,00001001,00000000,00000000), ref: 00448E73
                                                          • SendMessageW.USER32(75C123D0,00001026,00000000,00000000), ref: 00448E7E
                                                            • Part of subcall function 00441A7A: CreateSolidBrush.GDI32 ref: 00441ACB
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$BrushCreateDeleteObjectSolid
                                                          • String ID:
                                                          • API String ID: 3771399671-0
                                                          • Opcode ID: 51f09a1d655476e15b4ab454a85655f186203ac899921849c361721d54d31972
                                                          • Instruction ID: ebbecaf0548398ae771b9aa28ebf0b72f134f9ffbbfb28b2279bd799396bd9e3
                                                          • Opcode Fuzzy Hash: 51f09a1d655476e15b4ab454a85655f186203ac899921849c361721d54d31972
                                                          • Instruction Fuzzy Hash: F4510930208300AFE2209F25DD85F6F77EAEB85B14F14091EF994E72D0CBB9E9458769
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: InitVariant$_malloc_wcscpy_wcslen
                                                          • String ID:
                                                          • API String ID: 3413494760-0
                                                          • Opcode ID: afb533e23b19910be0c027df8fa87fd227b592e7e5a0e6e969ae1a59b8da4157
                                                          • Instruction ID: 77b59fa0745152fd1b6386ccdd9ca850b9b7f4abb66e551d88b584249de3d357
                                                          • Opcode Fuzzy Hash: afb533e23b19910be0c027df8fa87fd227b592e7e5a0e6e969ae1a59b8da4157
                                                          • Instruction Fuzzy Hash: F83150B2600746AFC714DF7AC880996FBA8FF88310B44892EE64983641D735F554CBA5
                                                          APIs
                                                          • GetCurrentThreadId.KERNEL32 ref: 004377D7
                                                          • GetForegroundWindow.USER32(00000000,?,?,?,?,0045FDE0,?,?,00000001), ref: 004377EB
                                                          • GetWindowThreadProcessId.USER32(00000000), ref: 004377F8
                                                          • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,0045FDE0,?,?,00000001), ref: 00437809
                                                          • GetWindowThreadProcessId.USER32(?,00000001), ref: 00437819
                                                          • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,0045FDE0,?,?,00000001), ref: 0043782E
                                                          • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,0045FDE0,?,?,00000001), ref: 0043783D
                                                          • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,0045FDE0,?,?,00000001), ref: 0043788D
                                                          • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,0045FDE0,?,?,00000001), ref: 004378A1
                                                          • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,0045FDE0,?,?,00000001), ref: 004378AC
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                                          • String ID:
                                                          • API String ID: 2156557900-0
                                                          • Opcode ID: f5203a8e23f024bead7fa0256802a4b49a7a8dce25e7908e04b44143f6d1477f
                                                          • Instruction ID: cf5237ead9178137421241ba4763476990ac919c12b5de4495d1c20f4e3090f4
                                                          • Opcode Fuzzy Hash: f5203a8e23f024bead7fa0256802a4b49a7a8dce25e7908e04b44143f6d1477f
                                                          • Instruction Fuzzy Hash: B0316FB1504341AFD768EF28DC88A7BB7A9EF9D310F14182EF44197250D7B89C44CB69
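Two of the function listings above are worth pulling out of the several hundred such blocks in a report like this: the block at 00444D8A, which polls GetAsyncKeyState/GetKeyState for the modifier keys 0xA0 (VK_LSHIFT), 0xA1 (VK_RSHIFT), 0x11 (VK_CONTROL), 0x12 (VK_MENU) and 0x5B (VK_LWIN), and the block at 004377D7, which attaches the current thread's input queue to the foreground window's thread with AttachThreadInput, the usual way to get around foreground-window activation restrictions. The script below is an added example and is not part of the Joe Sandbox report, its IDA plugin output, or the sample: it parses the report's "APIs" bullet format, groups calls per function, and flags those two call patterns. The text in SAMPLE is constructed from lines of this report; the behaviour labels ("keyboard_state_polling", "attach_thread_input_focus") are my own and are not Joe Sandbox signature names.

```python
import re
from dataclasses import dataclass, field

# Joe Sandbox "APIs" bullets look like:
#   • GetKeyState.USER32(000000A0), ref: 00444E26
#   • GetCurrentThreadId.KERNEL32 ref: 004377D7
#     • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Windows virtual-key codes for the modifier keys; the listing passes them as the first argument.
VK_NAMES = {
    0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU",
    0x5B: "VK_LWIN", 0x5C: "VK_RWIN",
    0xA0: "VK_LSHIFT", 0xA1: "VK_RSHIFT", 0xA2: "VK_LCONTROL",
    0xA3: "VK_RCONTROL", 0xA4: "VK_LMENU", 0xA5: "VK_RMENU",
}
KEY_POLL_APIS = {"GetAsyncKeyState", "GetKeyState", "GetKeyboardState"}
# GetForegroundWindow -> GetWindowThreadProcessId -> AttachThreadInput: attach to the
# foreground thread's input queue so SetFocus/SetForegroundWindow restrictions do not apply.
ATTACH_IDIOM = {"GetForegroundWindow", "GetWindowThreadProcessId", "AttachThreadInput"}

# Constructed sample in the report's format (lines copied from this report's listings).
SAMPLE = """APIs
• GetKeyboardState.USER32(?,?,?), ref: 00444D8A
• GetAsyncKeyState.USER32(000000A0), ref: 00444E0F
• GetKeyState.USER32(000000A0), ref: 00444E26
• GetAsyncKeyState.USER32(00000011), ref: 00444E69
• GetAsyncKeyState.USER32(0000005B), ref: 00444EB5
Memory Dump Source
APIs
• GetCurrentThreadId.KERNEL32 ref: 004377D7
• GetForegroundWindow.USER32(00000000,?,?,?,?,0045FDE0,?,?,00000001), ref: 004377EB
• GetWindowThreadProcessId.USER32(00000000), ref: 004377F8
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,0045FDE0,?,?,00000001), ref: 00437809
Memory Dump Source
APIs
  • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
• SendMessageW.USER32(00000000,0000018C,000000FF,00000000), ref: 00469277
• GetDlgCtrlID.USER32(00000000), ref: 00469289
Memory Dump Source
"""


@dataclass
class Call:
    api: str
    module: str
    args: list
    ref: int
    subcall: bool  # True for "Part of subcall function" lines (called indirectly)


@dataclass
class Function:
    calls: list = field(default_factory=list)

    @property
    def first_ref(self):
        """Lowest direct call site; falls back to subcall refs if there are no direct calls."""
        refs = [c.ref for c in self.calls if not c.subcall] or [c.ref for c in self.calls]
        return min(refs)


def parse_calls(text):
    """Split report text into functions, one per 'APIs' block, each holding its parsed calls."""
    funcs, cur = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = Function()
            funcs.append(cur)
            continue
        m = CALL_RE.match(line)
        if m and cur is not None:
            raw = m.group("args")
            args = [a.strip() for a in raw.split(",")] if raw else []
            cur.calls.append(Call(m.group("api"), m.group("mod"), args,
                                  int(m.group("ref"), 16), m.group("sub") is not None))
    return [f for f in funcs if f.calls]


def hex_arg(arg):
    """Hex argument as int, or None for '?' (value not recovered by the sandbox)."""
    try:
        return int(arg, 16)
    except ValueError:
        return None


def assess(func):
    """Return (behaviour, details) findings for one function."""
    findings = []
    direct = [c for c in func.calls if not c.subcall]
    polls = [c for c in direct if c.api in KEY_POLL_APIS]
    if polls:
        vks = sorted({hex_arg(c.args[0]) for c in polls if c.args} - {None})
        findings.append(("keyboard_state_polling",
                         [VK_NAMES.get(v, f"VK_0x{v:02X}") for v in vks]))
    if ATTACH_IDIOM <= {c.api for c in direct}:
        n = sum(1 for c in direct if c.api == "AttachThreadInput")
        findings.append(("attach_thread_input_focus", [f"AttachThreadInput x{n}"]))
    return findings


def triage(text):
    """One summary dict per function: first call site, API names, and flagged behaviours."""
    return [{"ref": f"{f.first_ref:08X}",
             "apis": sorted({c.api for c in f.calls}),
             "findings": assess(f)} for f in parse_calls(text)]


if __name__ == "__main__":
    for entry in triage(SAMPLE):
        if entry["findings"]:
            print(entry["ref"], entry["findings"])
```

Feed it the text of the whole "Memory Dump Source" section and it prints only the functions that hit one of the two patterns, with the decoded virtual-key names, so the keyboard-polling and focus-stealing routines can be located directly by their call-site addresses. Subcall lines are parsed but excluded from the pattern match so that a helper called from many places does not make every caller look like a match.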
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: __wcsicoll
                                                          • String ID: 0%d$DOWN$OFF
                                                          • API String ID: 3832890014-468733193
                                                          • Opcode ID: b886d43e96c57de01ffb669c6ba173cdd7012b944398daffbb17888043fd80c7
                                                          • Instruction ID: 3901981f80fa7430cd77b89167089bc3925961a07aad88d0cc2f25a35af8916b
                                                          • Opcode Fuzzy Hash: b886d43e96c57de01ffb669c6ba173cdd7012b944398daffbb17888043fd80c7
                                                          • Instruction Fuzzy Hash: B7F1D8614083856DEB21EB21C845BAF7BE85F95309F08092FF98212193D7BCD68DC76B
                                                          APIs
                                                          • VariantInit.OLEAUT32(00000000), ref: 0045E959
                                                          • VariantCopy.OLEAUT32(00000000), ref: 0045E963
                                                          • VariantClear.OLEAUT32 ref: 0045E970
                                                          • VariantTimeToSystemTime.OLEAUT32 ref: 0045EAEB
                                                          • __swprintf.LIBCMT ref: 0045EB1F
                                                          • VarR8FromDec.OLEAUT32(?,?), ref: 0045EB61
                                                          • VariantInit.OLEAUT32(00000000), ref: 0045EBE7
                                                          Strings
                                                          • %4d%02d%02d%02d%02d%02d, xrefs: 0045EB19
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: Variant$InitTime$ClearCopyFromSystem__swprintf
                                                          • String ID: %4d%02d%02d%02d%02d%02d
                                                          • API String ID: 43541914-1568723262
                                                          • Opcode ID: 37b26c3e130c1a31af09048bf95897f87bf3bde4777f47a21ee6b10bd43e23e8
                                                          • Instruction ID: db8708ae94f177a13b26e6bf0e0b18ed2eb17208bc27bd00c320e315e6f9d40a
                                                          • Opcode Fuzzy Hash: 37b26c3e130c1a31af09048bf95897f87bf3bde4777f47a21ee6b10bd43e23e8
                                                          • Instruction Fuzzy Hash: ABC1F4BB1006019BC704AF06D480666F7A1FFD4322F14896FED984B341DB3AE95ED7A6
                                                          APIs
                                                          • InterlockedDecrement.KERNEL32(004A7CAC), ref: 0042FE66
                                                          • Sleep.KERNEL32(0000000A), ref: 0042FE6E
                                                          • InterlockedDecrement.KERNEL32(004A7CAC), ref: 0042FF5D
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: DecrementInterlocked$Sleep
                                                          • String ID: 0vH$0vH$4RH0vH$@COM_EVENTOBJ
                                                          • API String ID: 2250217261-3412429629
                                                          Similarity
                                                          • API ID:
                                                          • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                                          • API String ID: 0-1603158881
                                                          APIs
                                                          • _memset.LIBCMT ref: 00479D1F
                                                          • VariantInit.OLEAUT32(?), ref: 00479F06
                                                          • VariantClear.OLEAUT32(?), ref: 00479F11
                                                          • VariantInit.OLEAUT32(?), ref: 00479DF7
                                                            • Part of subcall function 00467626: VariantInit.OLEAUT32(00000000), ref: 00467666
                                                            • Part of subcall function 00467626: VariantCopy.OLEAUT32(00000000,00479BD3), ref: 00467670
                                                            • Part of subcall function 00467626: VariantClear.OLEAUT32 ref: 0046767D
                                                          • VariantClear.OLEAUT32(?), ref: 00479F9C
                                                            • Part of subcall function 004781AE: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000001,00000000,NULL Pointer assignment,00000001), ref: 00478201
                                                            • Part of subcall function 004781AE: VariantCopy.OLEAUT32(?,?), ref: 00478259
                                                            • Part of subcall function 004781AE: VariantCopy.OLEAUT32(-00000058,?), ref: 00478270
                                                            • Part of subcall function 004781AE: VariantCopy.OLEAUT32(-00000078,?), ref: 00478287
                                                          Similarity
                                                          • API ID: Variant$Copy$ClearInit$ErrorLast_memset
                                                          • String ID: F$Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                          • API String ID: 665237470-60002521
                                                          APIs
                                                            • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046A84D
                                                          Similarity
                                                          • API ID: ConnectRegistry_wcslen
                                                          • String ID: HH
                                                          • API String ID: 535477410-2761332787
                                                          APIs
                                                          • _memset.LIBCMT ref: 0045F317
                                                          • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0045F367
                                                          • IsMenu.USER32(?), ref: 0045F380
                                                          • CreatePopupMenu.USER32 ref: 0045F3C5
                                                          • GetMenuItemCount.USER32(?), ref: 0045F42F
                                                          • InsertMenuItemW.USER32(?,?,00000001,?), ref: 0045F45B
                                                          Similarity
                                                          • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                                          • String ID: 0$2
                                                          • API String ID: 3311875123-3793063076
                                                          APIs
                                                          • GetModuleHandleW.KERNEL32(00000000,004A8E80,00000100,00000100,?,C:\Users\user\Desktop\CdbVaYf8jC.exe), ref: 0043719E
                                                          • LoadStringW.USER32(00000000), ref: 004371A7
                                                          • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 004371BD
                                                          • LoadStringW.USER32(00000000), ref: 004371C0
                                                          • _printf.LIBCMT ref: 004371EC
                                                          • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00437208
                                                          Strings
                                                          • %s (%d) : ==> %s: %s %s, xrefs: 004371E7
                                                          • C:\Users\user\Desktop\CdbVaYf8jC.exe, xrefs: 00437189
                                                          Similarity
                                                          • API ID: HandleLoadModuleString$Message_printf
                                                          • String ID: %s (%d) : ==> %s: %s %s$C:\Users\user\Desktop\CdbVaYf8jC.exe
                                                          • API String ID: 220974073-4142761693
                                                          APIs
                                                            • Part of subcall function 0040FFB0: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\Desktop\CdbVaYf8jC.exe,?,C:\Users\user\Desktop\CdbVaYf8jC.exe,004A8E80,C:\Users\user\Desktop\CdbVaYf8jC.exe,0040F3D2), ref: 0040FFCA
                                                            • Part of subcall function 00436AC4: GetFileAttributesW.KERNEL32(?,0044BD82,?,?,?), ref: 00436AC9
                                                          • lstrcmpiW.KERNEL32(?,?), ref: 0045355E
                                                          • MoveFileW.KERNEL32(?,?), ref: 0045358E
                                                          Similarity
                                                          • API ID: File$AttributesFullMoveNamePathlstrcmpi
                                                          • String ID:
                                                          • API String ID: 978794511-0
                                                          APIs
                                                          • GetWindowLongW.USER32(?,000000EC), ref: 00455F01
                                                          • _memset.LIBCMT ref: 00455F12
                                                          • SendMessageW.USER32 ref: 00455F43
                                                          • SendMessageW.USER32(?,0000104B,00000000,?), ref: 00455F82
                                                          • SendMessageW.USER32(?,0000104B,00000000,00000001), ref: 00455FF5
                                                          • _wcslen.LIBCMT ref: 00455FFC
                                                          • _wcslen.LIBCMT ref: 00456018
                                                          • CharNextW.USER32(00000000,?,?,?), ref: 00456034
                                                          • SendMessageW.USER32(?,0000104B,00000000,00000001), ref: 00456060
                                                          Similarity
                                                          • API ID: MessageSend$_wcslen$CharLongNextWindow_memset
                                                          • String ID:
                                                          • API String ID: 2321321212-0
                                                          APIs
                                                            • Part of subcall function 0044593E: GetWindowThreadProcessId.USER32(00000001,00000000), ref: 0044595D
                                                            • Part of subcall function 0044593E: GetCurrentThreadId.KERNEL32 ref: 00445964
                                                            • Part of subcall function 0044593E: AttachThreadInput.USER32(00000000,?,00000001,00478FA7), ref: 0044596B
                                                          • MapVirtualKeyW.USER32(00000025,00000000), ref: 00445D15
                                                          • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00445D35
                                                          • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00445D3F
                                                          • MapVirtualKeyW.USER32(00000025,00000000), ref: 00445D45
                                                          • PostMessageW.USER32(00000000,00000100,00000027,00000000), ref: 00445D66
                                                          • Sleep.KERNEL32(00000000), ref: 00445D70
                                                          • MapVirtualKeyW.USER32(00000025,00000000), ref: 00445D76
                                                          • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00445D8B
                                                          • Sleep.KERNEL32(00000000,?,00000101,00000027,00000000), ref: 00445D8F
                                                          Similarity
                                                          • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                                          • String ID:
                                                          • API String ID: 2014098862-0
                                                          Similarity
                                                          • API ID: AddressProc_malloc$_strcat_strlen
                                                          • String ID: AU3_FreeVar
                                                          • API String ID: 2184576858-771828931
                                                          • Opcode ID: 4909a4179154194bbb5ad4651ae7e3d2ad5cecafef5c208f0853367efa8f6917
                                                          • Instruction ID: c940ad03d776ce5ee908f8b881b33357b51647545ffc53e819ca791e1fdac2da
                                                          • Opcode Fuzzy Hash: 4909a4179154194bbb5ad4651ae7e3d2ad5cecafef5c208f0853367efa8f6917
                                                          • Instruction Fuzzy Hash: EDA18DB5604205DFC300DF59C480A2AB7E5FFC8319F1489AEE9554B362D739ED89CB8A
                                                          APIs
                                                          • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00401D5A
                                                          • DestroyWindow.USER32(?), ref: 0042A751
                                                          • UnregisterHotKey.USER32(?), ref: 0042A778
                                                          • FreeLibrary.KERNEL32(?), ref: 0042A822
                                                          • VirtualFree.KERNEL32(?,00000000,00008000), ref: 0042A854
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: Free$DestroyLibrarySendStringUnregisterVirtualWindow
                                                          • String ID: close all
                                                          • API String ID: 4174999648-3243417748
                                                          • Opcode ID: ddf39f1eda455a1c63d5a7d3271f56cd3ed42d138f3b783cbb3ca1597947a384
                                                          • Instruction ID: e23b5dd52123a376b0379481fe8be5d2f02d07e70979f80a1c72d587d5a24a2c
                                                          • Opcode Fuzzy Hash: ddf39f1eda455a1c63d5a7d3271f56cd3ed42d138f3b783cbb3ca1597947a384
                                                          • Instruction Fuzzy Hash: FFA17075A102248FCB20EF55CC85B9AB3B8BF44304F5044EEE90967291D779AE85CF9D
                                                          APIs
                                                          • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0044AA5A
                                                          • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0044AA8D
                                                          • InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0044AAF9
                                                          • InternetSetOptionW.WININET(00000000,0000001F,?,00000004), ref: 0044AB11
                                                          • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0044AB20
                                                          • HttpQueryInfoW.WININET(00000000,00000005,?,00000000,00000000), ref: 0044AB61
                                                            • Part of subcall function 0044286A: GetLastError.KERNEL32(00000000,0044AA07,?,00000000,00000000,00000001,?,?), ref: 00442880
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: HttpInternet$OptionQueryRequest$ConnectErrorInfoLastOpenSend
                                                          • String ID:
                                                          • API String ID: 1291720006-3916222277
                                                          • Opcode ID: fd0d9a71f1b9f9aed2e07c44adb1cce69882d59a8a6dee97d1abd644e851efd9
                                                          • Instruction ID: 782b6278bf246bef60821ca34847c3ce69a0d92f774604c9678bedd135ce19ea
                                                          • Opcode Fuzzy Hash: fd0d9a71f1b9f9aed2e07c44adb1cce69882d59a8a6dee97d1abd644e851efd9
                                                          • Instruction Fuzzy Hash: 9C51E6B12803016BF320EB65CD85FBBB7A8FB89704F00091EF74196181D7B9A548C76A
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: ErrorLastselect
                                                          • String ID: HH
                                                          • API String ID: 215497628-2761332787
                                                          • Opcode ID: ff1936eb32129df0a81bb6878b4e085d819e9574a0390ee8e332862918087a10
                                                          • Instruction ID: a252b81ccbce03d1e7b1b0efababa2c0a0929072778302a7b1202b90a7697d70
                                                          • Opcode Fuzzy Hash: ff1936eb32129df0a81bb6878b4e085d819e9574a0390ee8e332862918087a10
                                                          • Instruction Fuzzy Hash: BF51E4726043005BD320EB65DC42F9BB399EB94324F044A2EF558E7281EB79E944C7AA
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: __snwprintf__wcsicoll_wcscpy
                                                          • String ID: , $$0vH$AUTOITCALLVARIABLE%d$CALLARGARRAY
                                                          • API String ID: 1729044348-3708979750
                                                          • Opcode ID: e5856c69d37335927e932bb259c431c810e65197c095b32473e915812f67d75c
                                                          • Instruction ID: 823d0c4529048d9f890bbf28e75db1a658c609af9319d28fcdda535ef0d13f31
                                                          • Opcode Fuzzy Hash: e5856c69d37335927e932bb259c431c810e65197c095b32473e915812f67d75c
                                                          • Instruction Fuzzy Hash: E651A571514300ABD610EF65C882ADFB3A4EFC4348F048D2FF54967291D779E949CBAA
                                                          APIs
                                                            • Part of subcall function 0040FFB0: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\Desktop\CdbVaYf8jC.exe,?,C:\Users\user\Desktop\CdbVaYf8jC.exe,004A8E80,C:\Users\user\Desktop\CdbVaYf8jC.exe,0040F3D2), ref: 0040FFCA
                                                          • lstrcmpiW.KERNEL32(?,?), ref: 0044BC04
                                                          • MoveFileW.KERNEL32(?,?), ref: 0044BC38
                                                          • _wcscat.LIBCMT ref: 0044BCAA
                                                          • _wcslen.LIBCMT ref: 0044BCB7
                                                          • _wcslen.LIBCMT ref: 0044BCCB
                                                          • SHFileOperationW.SHELL32 ref: 0044BD16
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: File_wcslen$FullMoveNameOperationPath_wcscatlstrcmpi
                                                          • String ID: \*.*
                                                          • API String ID: 2326526234-1173974218
                                                          • Opcode ID: 79917c867e5dc746cbfe3ebb0135d92afbab4952e7fca4f485a184e9ce72b521
                                                          • Instruction ID: 9e4979448571685848097db6772507fbfe8bfb8d1337cd0032b1ea927bdad9db
                                                          • Opcode Fuzzy Hash: 79917c867e5dc746cbfe3ebb0135d92afbab4952e7fca4f485a184e9ce72b521
                                                          • Instruction Fuzzy Hash: 4B3183B14083019AD724EF21C5D5ADFB3E4EFC8304F444D6EB98993251EB39E608D7AA
                                                          APIs
                                                            • Part of subcall function 00436328: _wcsncpy.LIBCMT ref: 0043633C
                                                          • _wcslen.LIBCMT ref: 004366DD
                                                          • GetFileAttributesW.KERNEL32(?), ref: 00436700
                                                          • GetLastError.KERNEL32 ref: 0043670F
                                                          • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00436727
                                                          • _wcsrchr.LIBCMT ref: 0043674C
                                                            • Part of subcall function 004366BE: CreateDirectoryW.KERNEL32(?,00000000,?,00000000,00000000), ref: 0043678F
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: CreateDirectory$AttributesErrorFileLast_wcslen_wcsncpy_wcsrchr
                                                          • String ID: \
                                                          • API String ID: 321622961-2967466578
                                                          • Opcode ID: 3d3187412736f1559758a6cd6e40f0a594bd5d43c4c9ea1cccac3023e941b0f8
                                                          • Instruction ID: 68cadaa88695c7c006562ade17844284f7fc34f8e7e15af3b97584e331f528d6
                                                          • Opcode Fuzzy Hash: 3d3187412736f1559758a6cd6e40f0a594bd5d43c4c9ea1cccac3023e941b0f8
                                                          • Instruction Fuzzy Hash: 3C2148765003017ADB20A724EC47AFF33989F95764F90993EFD14D6281E779950882AE
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: __wcsnicmp
                                                          • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                                          • API String ID: 1038674560-2734436370
                                                          • Opcode ID: dc7e98e38d8725b7134af3b864f32bf76aed1b78794146943df9d66deb8fb3e7
                                                          • Instruction ID: f72ce1d64a5a3b865947b719243e4701f1ba8c8209579f194a7ae3ad15c73224
                                                          • Opcode Fuzzy Hash: dc7e98e38d8725b7134af3b864f32bf76aed1b78794146943df9d66deb8fb3e7
                                                          • Instruction Fuzzy Hash: 1B21F87261161067E730B659DCC2BDB63985F65305F04406BF800AA247D6ADA98A83AA
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: fec3643cca3ff1845a5d750544dd574bba968d1ed5ac835adc13dd2c8a8c9520
                                                          • Instruction ID: 650af14def374fe6fd11052fbef22cb8aa6c894e3601bf285572d08ae3c4fed9
                                                          • Opcode Fuzzy Hash: fec3643cca3ff1845a5d750544dd574bba968d1ed5ac835adc13dd2c8a8c9520
                                                          • Instruction Fuzzy Hash: 439192726043009BD710EF65DC82BABB3E9AFD4714F004D2EF548E7291D779E944875A
                                                          APIs
                                                          • EnumProcesses.PSAPI(?,00000800,?,?,00444263,?,?,?), ref: 00436EEC
                                                          • OpenProcess.KERNEL32(00000410,00000000,?,?,?), ref: 00436F44
                                                          • EnumProcessModules.PSAPI(00000000,?,00000004,?), ref: 00436F59
                                                          • GetModuleBaseNameW.PSAPI(00000000,?,?,00000104,00000000,?,00000004,?), ref: 00436F71
                                                          • __wsplitpath.LIBCMT ref: 00436FA0
                                                          • _wcscat.LIBCMT ref: 00436FB2
                                                          • __wcsicoll.LIBCMT ref: 00436FC4
                                                          • CloseHandle.KERNEL32(00000000,00000000,?,?,00000104,00000000,?,00000004,?), ref: 00437003
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: EnumProcess$BaseCloseHandleModuleModulesNameOpenProcesses__wcsicoll__wsplitpath_wcscat
                                                          • String ID:
                                                          • API String ID: 2903788889-0
                                                          • Opcode ID: 7292045517b03260f1320f87d3cebc28a29f897dca793e666df8b3a842c294cc
                                                          • Instruction ID: e95795bff0e4a6f47310c77509a1ee8dff79588992f1933afd8058d7896a4498
                                                          • Opcode Fuzzy Hash: 7292045517b03260f1320f87d3cebc28a29f897dca793e666df8b3a842c294cc
                                                          • Instruction Fuzzy Hash: C831A5B5108341ABD725DF54D881EEF73E8BBC8704F00891EF6C587241DBB9AA89C766
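The WinINet entry a few boxes up and the process-enumeration entry just above print their arguments as raw hex, so a reader has to look up by hand that the 00000410 passed to OpenProcess is PROCESS_QUERY_INFORMATION|PROCESS_VM_READ (exactly the access EnumProcessModules and GetModuleBaseNameW need to read a process's image name, which is how a process-name check is normally implemented), that option 0000001F in InternetQueryOptionW/InternetSetOptionW is INTERNET_OPTION_SECURITY_FLAGS, and that the 00000005 in HttpQueryInfoW is HTTP_QUERY_CONTENT_LENGTH. The helper below is an added example, not part of the Joe Sandbox report and not Joe Security's or AutoIt's code: it parses the "APIs" lines of an entry in the format shown on this page, decodes those constants from their Windows SDK values, and tags the entry with the capability its call set implies. The capability labels and the API sets behind them are the helper's own choices; the sample input is the two entries copied from this listing. Two caveats the listing itself cannot settle: the 00000004 in InternetSetOptionW is the buffer length, not the flag value, so which security flags get written is not visible here, and because strings such as AU3_FreeVar and AUTOITCALLVARIABLE%d mark this as an AutoIt-compiled binary, both routines are the runtime's built-in implementations, so a tag describes what the runtime can do, not what the embedded script actually calls.

```python
# Added triage helper, not part of the Joe Sandbox report or Joe Security's tooling:
# parse one entry's "APIs" lines, decode hex constants, tag the call sequence.
import re
from dataclasses import dataclass, field
from typing import List, Optional

# One report line, e.g. "• OpenProcess.KERNEL32(00000410,00000000,?,?,?), ref: 00436F44"
# or "  • Part of subcall function 0044286A: GetLastError.KERNEL32(...), ref: 00442880".
API_LINE = re.compile(
    r"•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<name>[A-Za-z_][\w@]*)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})"
)

# Windows SDK values keyed by (API, zero-based argument index); OpenProcess is a bit mask.
CONSTANTS = {
    ("OpenProcess", 0): {0x0400: "PROCESS_QUERY_INFORMATION", 0x0010: "PROCESS_VM_READ"},
    ("InternetQueryOptionW", 1): {0x1F: "INTERNET_OPTION_SECURITY_FLAGS"},
    ("InternetSetOptionW", 1): {0x1F: "INTERNET_OPTION_SECURITY_FLAGS"},
    ("HttpQueryInfoW", 1): {5: "HTTP_QUERY_CONTENT_LENGTH"},
    ("VirtualFree", 2): {0x8000: "MEM_RELEASE"},
    ("GetDeviceCaps", 1): {90: "LOGPIXELSY"},
}
# An entry earns a tag when every API of the set occurs in it (labels are this helper's own).
CAPABILITIES = {
    "process-enumeration (process-name check)": {"EnumProcesses", "OpenProcess", "GetModuleBaseNameW"},
    "http-client (WinINet)": {"InternetConnectW", "HttpOpenRequestW", "HttpSendRequestW"},
}

@dataclass
class Call:
    name: str
    module: str
    args: List[str]
    ref: str
    subcall: Optional[str]  # callee address on "Part of subcall function" lines, else None

@dataclass
class Entry:
    calls: List[Call] = field(default_factory=list)

    def capabilities(self):
        names = {c.name for c in self.calls}
        return sorted(tag for tag, need in CAPABILITIES.items() if need <= names)

def decode_arg(api, index, raw):
    """Map a zero-padded hex argument to its SDK name; '?' and unknown values pass through."""
    table = CONSTANTS.get((api, index))
    if table is None or not re.fullmatch(r"[0-9A-F]{8}", raw):
        return raw
    value = int(raw, 16)
    if value in table:
        return table[value]
    # Bit mask: accept only when every set bit is explained by a known flag.
    matched = [bit for bit in table if value & bit == bit]
    if matched and (value & ~sum(matched)) == 0:
        return "|".join(table[bit] for bit in matched)
    return raw

def parse_apis(text):
    """Parse the 'APIs' lines of one entry; header lines such as 'APIs'/'Strings' are skipped."""
    entry = Entry()
    for line in text.splitlines():
        m = API_LINE.search(line)
        if not m:
            continue
        raw_args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
        args = [decode_arg(m.group("name"), i, a) for i, a in enumerate(raw_args)]
        entry.calls.append(Call(m.group("name"), m.group("module"), args, m.group("ref"), m.group("sub")))
    return entry

def render(entry):
    """One line per call, in report order, with decoded arguments."""
    return [f"{c.name}.{c.module}({','.join(c.args)}) @ {c.ref}" + (f" [via {c.subcall}]" if c.subcall else "")
            for c in entry.calls]

# Sample input: two entries copied from this report's function listing.
PROCESS_ENUM_ENTRY = """APIs
• EnumProcesses.PSAPI(?,00000800,?,?,00444263,?,?,?), ref: 00436EEC
• OpenProcess.KERNEL32(00000410,00000000,?,?,?), ref: 00436F44
• EnumProcessModules.PSAPI(00000000,?,00000004,?), ref: 00436F59
• GetModuleBaseNameW.PSAPI(00000000,?,?,00000104,00000000,?,00000004,?), ref: 00436F71
• __wsplitpath.LIBCMT ref: 00436FA0
• _wcscat.LIBCMT ref: 00436FB2
• __wcsicoll.LIBCMT ref: 00436FC4
• CloseHandle.KERNEL32(00000000,00000000,?,?,00000104,00000000,?,00000004,?), ref: 00437003
"""
WININET_ENTRY = """APIs
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0044AA5A
• HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0044AA8D
• InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0044AAF9
• InternetSetOptionW.WININET(00000000,0000001F,?,00000004), ref: 0044AB11
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0044AB20
• HttpQueryInfoW.WININET(00000000,00000005,?,00000000,00000000), ref: 0044AB61
  • Part of subcall function 0044286A: GetLastError.KERNEL32(00000000,0044AA07,?,00000000,00000000,00000001,?,?), ref: 00442880
Strings
"""

if __name__ == "__main__":
    for text in (PROCESS_ENUM_ENTRY, WININET_ENTRY):
        entry = parse_apis(text)
        print(entry.capabilities(), *render(entry), sep="\n")
```

Any other entry on this page can be fed to parse_apis unchanged: arguments without a table entry (and the '?' placeholders) pass through as printed, an unexpected bit in a mask falls back to the raw hex rather than a partial name, and an entry whose APIs match none of the sets simply gets an empty tag list.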
                                                          APIs
                                                          • DeleteObject.GDI32(?), ref: 0044157D
                                                          • GetDC.USER32(00000000), ref: 00441585
                                                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00441590
                                                          • ReleaseDC.USER32(00000000,00000000), ref: 0044159B
                                                          • CreateFontW.GDI32(?,00000000,00000000,00000000,?,000000FF,000000FF,000000FF,00000001,00000004,00000000,?,00000000,00000000), ref: 004415E9
                                                          • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00441601
                                                          • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00441639
                                                          • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00441659
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                          • String ID:
                                                          • API String ID: 3864802216-0
                                                          • Opcode ID: ea0a3e179a2db4f205f3d0bf310cedd64f619745dcd59731a2847991c922bb1b
                                                          • Instruction ID: 4e191e68d33858d232da06d8f8bca50b2e2c885119a5133d865ec5329e905ca2
                                                          • Opcode Fuzzy Hash: ea0a3e179a2db4f205f3d0bf310cedd64f619745dcd59731a2847991c922bb1b
                                                          • Instruction Fuzzy Hash: 1531C172240344BBE7208B14CD49FAB77EDEB88B15F08450DFB44AA2D1DAB4ED808B64
                                                          APIs
                                                          • ___set_flsgetvalue.LIBCMT ref: 004140E1
                                                            • Part of subcall function 00416A84: TlsGetValue.KERNEL32(00411739,00416C10,?,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416A8D
                                                            • Part of subcall function 00416A84: __decode_pointer.LIBCMT ref: 00416A9F
                                                            • Part of subcall function 00416A84: TlsSetValue.KERNEL32(00000000,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416AAE
                                                          • ___fls_getvalue@4.LIBCMT ref: 004140EC
                                                            • Part of subcall function 00416A64: TlsGetValue.KERNEL32(?,?,004140F1,00000000), ref: 00416A72
                                                          • ___fls_setvalue@8.LIBCMT ref: 004140FF
                                                            • Part of subcall function 00416AB8: __decode_pointer.LIBCMT ref: 00416AC9
                                                          • GetLastError.KERNEL32(00000000,?,00000000), ref: 00414108
                                                          • ExitThread.KERNEL32 ref: 0041410F
                                                          • GetCurrentThreadId.KERNEL32 ref: 00414115
                                                          • __freefls@4.LIBCMT ref: 00414135
                                                          • __IsNonwritableInCurrentImage.LIBCMT ref: 00414148
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: Value$CurrentThread__decode_pointer$ErrorExitImageLastNonwritable___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
                                                          • String ID:
                                                          • API String ID: 1925773019-0
                                                          • Opcode ID: 78c5a7e04feddb60afef3bdf2204f5ea6d2fca564e255d6fa6df859771c1ea47
                                                          • Instruction ID: d0499dd1a11a7aa3f5f6b81cdb2be0183561266298d4129ec5ef95b8f2f1ff50
                                                          • Opcode Fuzzy Hash: 78c5a7e04feddb60afef3bdf2204f5ea6d2fca564e255d6fa6df859771c1ea47
                                                          • Instruction Fuzzy Hash: 12018430000200ABC704BFB2DD0D9DE7BA9AF95345722886EF90497212DA3CC9C28B5C
                                                          APIs
                                                          • VariantClear.OLEAUT32(00000038), ref: 004357C3
                                                          • VariantClear.OLEAUT32(00000058), ref: 004357C9
                                                          • VariantClear.OLEAUT32(00000068), ref: 004357CF
                                                          • VariantClear.OLEAUT32(00000078), ref: 004357D5
                                                          • VariantClear.OLEAUT32(00000088), ref: 004357DE
                                                          • VariantClear.OLEAUT32(00000048), ref: 004357E4
                                                          • VariantClear.OLEAUT32(00000098), ref: 004357ED
                                                          • VariantClear.OLEAUT32(000000A8), ref: 004357F6
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: ClearVariant
                                                          • String ID:
                                                          • API String ID: 1473721057-0
                                                          • Opcode ID: 108e33c2045b04221b4df3f02cd388125a51a7e0134505e60bdc817f2fb2f336
                                                          • Instruction ID: 4669651a97e20320d925a323ac357da1b1419afffb7c9eb93274aad60c959a81
                                                          • Opcode Fuzzy Hash: 108e33c2045b04221b4df3f02cd388125a51a7e0134505e60bdc817f2fb2f336
                                                          • Instruction Fuzzy Hash: BDF03CB6400B446AC235EB79DC40BD7B7E86F89200F018E1DE58783514DA78F588CB64
                                                          APIs
                                                          • WSAStartup.WSOCK32(00000101,?,?), ref: 00464ADE
                                                            • Part of subcall function 0045EFE7: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,0047D14B,?,?,?,?), ref: 0045F003
                                                          • inet_addr.WSOCK32(?,00000000,?,?,00000101,?,?), ref: 00464B1F
                                                          • gethostbyname.WSOCK32(?,?,00000000,?,?,00000101,?,?), ref: 00464B29
                                                          • _memset.LIBCMT ref: 00464B92
                                                          • GlobalAlloc.KERNEL32(00000040,00000040), ref: 00464B9E
                                                          • GlobalFree.KERNEL32(00000000), ref: 00464CDE
                                                          • WSACleanup.WSOCK32 ref: 00464CE4
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: Global$AllocByteCharCleanupFreeMultiStartupWide_memsetgethostbynameinet_addr
                                                          • String ID:
                                                          • API String ID: 3424476444-0
                                                          • Opcode ID: 3a9821fb802cba04523fcb9c1f83c74fd5b22343f7d4654d6e4056c4a41f6a01
                                                          • Instruction ID: 8d90feaebe95447676150adcea4a136074f650e12d33839f26a9dde16614cdb7
                                                          • Opcode Fuzzy Hash: 3a9821fb802cba04523fcb9c1f83c74fd5b22343f7d4654d6e4056c4a41f6a01
                                                          • Instruction Fuzzy Hash: A3A17EB1504300AFD710EF65C982F9BB7E8AFC8714F54491EF64497381E778E9058B9A
                                                          APIs
                                                          • GetSystemMetrics.USER32(0000000F), ref: 00440B7B
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: MetricsSystem
                                                          • String ID:
                                                          • API String ID: 4116985748-0
                                                          • Opcode ID: eff4c90f3403bcfb76001cffaab33834930133fcb34fa8184a7caea4de8066d9
                                                          • Instruction ID: 1e23dbab6d9439f1299be2c39bdf7de0481ead398f869a6d5eaf0ea33fa99bdf
                                                          • Opcode Fuzzy Hash: eff4c90f3403bcfb76001cffaab33834930133fcb34fa8184a7caea4de8066d9
                                                          • Instruction Fuzzy Hash: 8EA19C70608701DBE314CF68C984B6BBBE1FB88704F14491EFA8593251E778F965CB5A
                                                          APIs
                                                            • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046AC62
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: ConnectRegistry_wcslen
                                                          • String ID:
                                                          • API String ID: 535477410-0
                                                          • Opcode ID: 37987dacba266e2f7d681c7555595b89ca1c624194ad33880a6965c3691367fb
                                                          • Instruction ID: 71109d01e6e71572d3d886d5d9f1e4ab699fb1be984f768d753da2f0a00da466
                                                          • Opcode Fuzzy Hash: 37987dacba266e2f7d681c7555595b89ca1c624194ad33880a6965c3691367fb
                                                          • Instruction Fuzzy Hash: BBA18EB1204300AFC710EF65C885B1BB7E4BF85704F14896EF685AB292D779E905CB9B
                                                          APIs
                                                            • Part of subcall function 0040FFF0: _wcslen.LIBCMT ref: 0040FFF2
                                                            • Part of subcall function 0040FFF0: _wcscpy.LIBCMT ref: 00410012
                                                          • _memset.LIBCMT ref: 004538C4
                                                          • GetMenuItemInfoW.USER32(?,?), ref: 004538EF
                                                          • _wcslen.LIBCMT ref: 00453960
                                                          • SetMenuItemInfoW.USER32(00000011,?,00000000,?), ref: 004539C4
                                                          • SetMenuDefaultItem.USER32(?,000000FF,00000000,?,?), ref: 004539E0
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: ItemMenu$Info_wcslen$Default_memset_wcscpy
                                                          • String ID: 0
                                                          • API String ID: 3530711334-4108050209
                                                          • Opcode ID: c8c2b72c749714a23e45c10816ef9459d7fe91b5f095051f547869ed1843acb9
                                                          • Instruction ID: 97d09e0af2b4d046480d7fb626e7fa0667c22e7462995616ff61acde959b3bac
                                                          • Opcode Fuzzy Hash: c8c2b72c749714a23e45c10816ef9459d7fe91b5f095051f547869ed1843acb9
                                                          • Instruction Fuzzy Hash: 747118F15083015AD714DF65C881B6BB7E4EB98396F04491FFD8082292D7BCDA4CC7AA
                                                          APIs
                                                          • GetCurrentProcessId.KERNEL32(?), ref: 00473A00
                                                          • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00473A0E
                                                          • GetProcessIoCounters.KERNEL32(00000000,?), ref: 00473A34
                                                          • CloseHandle.KERNEL32(00000000,00000000,?,00000028), ref: 00473C01
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: Process$CloseCountersCurrentHandleOpen
                                                          • String ID: HH
                                                          • API String ID: 3488606520-2761332787
                                                          • Opcode ID: 12402d889b8d2545f97f81e579d11a3e1d05628ef8a47b4e2ac7d1c45517ac81
                                                          • Instruction ID: 2161edc7e7eefe464b48455ffcea7dd3157e2cbe85e131cccd8837112284b0a3
                                                          • Opcode Fuzzy Hash: 12402d889b8d2545f97f81e579d11a3e1d05628ef8a47b4e2ac7d1c45517ac81
                                                          • Instruction Fuzzy Hash: 3581BF71A043019FD320EF69C882B5BF7E4AF84744F108C2EF598AB392D675E945CB96
                                                          APIs
                                                            • Part of subcall function 0044710F: DeleteObject.GDI32(00000000), ref: 00447151
                                                            • Part of subcall function 0044710F: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,00000000,?,?,?), ref: 00447195
                                                            • Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471A2
                                                            • Part of subcall function 0044710F: BeginPath.GDI32(?), ref: 004471B7
                                                            • Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471DC
                                                          • Ellipse.GDI32(?,?,?,00000000), ref: 00447463
                                                          • MoveToEx.GDI32(?,?,?,00000000), ref: 00447473
                                                          • AngleArc.GDI32(?,?,?,?,?,?), ref: 004474B6
                                                          • LineTo.GDI32(?,?), ref: 004474BF
                                                          • CloseFigure.GDI32(?), ref: 004474C6
                                                          • SetPixel.GDI32(?,?,?,?), ref: 004474D6
                                                          • Rectangle.GDI32(?,?), ref: 004474F3
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: Object$Select$AngleBeginCloseCreateDeleteEllipseFigureLineMovePathPixelRectangle
                                                          • String ID:
                                                          • API String ID: 4082120231-0
                                                          • Opcode ID: 3e823f4574af11f26be8c20bd8771cfecf2a7ea1363ae8038588c787c8c49515
                                                          • Instruction ID: e2e17d079c8faeb919f1a119f9aa9df975eabc7d00289576b12f70c1741c819b
                                                          • Opcode Fuzzy Hash: 3e823f4574af11f26be8c20bd8771cfecf2a7ea1363ae8038588c787c8c49515
                                                          • Instruction Fuzzy Hash: BC713AB11083419FD300DF15C884E6BBBE9EFC9708F148A1EF99497351D778A906CBAA
                                                          APIs
                                                            • Part of subcall function 0044710F: DeleteObject.GDI32(00000000), ref: 00447151
                                                            • Part of subcall function 0044710F: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,00000000,?,?,?), ref: 00447195
                                                            • Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471A2
                                                            • Part of subcall function 0044710F: BeginPath.GDI32(?), ref: 004471B7
                                                            • Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471DC
                                                          • Ellipse.GDI32(?,?,?,00000000), ref: 00447463
                                                          • MoveToEx.GDI32(?,?,?,00000000), ref: 00447473
                                                          • AngleArc.GDI32(?,?,?,?,?,?), ref: 004474B6
                                                          • LineTo.GDI32(?,?), ref: 004474BF
                                                          • CloseFigure.GDI32(?), ref: 004474C6
                                                          • SetPixel.GDI32(?,?,?,?), ref: 004474D6
                                                          • Rectangle.GDI32(?,?), ref: 004474F3
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: Object$Select$AngleBeginCloseCreateDeleteEllipseFigureLineMovePathPixelRectangle
                                                          • String ID:
                                                          • API String ID: 4082120231-0
                                                          • Opcode ID: bd92991fb0a59d5160a547c0af993f50d26037df712543aebae1afc8709768cb
                                                          • Instruction ID: 71053adf7dd607ae91079c2ca5de7ffea4483cc305881a9741cc2e8bc8d6f2cf
                                                          • Opcode Fuzzy Hash: bd92991fb0a59d5160a547c0af993f50d26037df712543aebae1afc8709768cb
                                                          • Instruction Fuzzy Hash: 55613BB51083419FD300DF55CC84E6BBBE9EBC9308F148A1EF99597351D738A906CB6A
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: AngleCloseEllipseFigureLineMovePixelRectangle
                                                          • String ID:
                                                          • API String ID: 288456094-0
                                                          • Opcode ID: d308d32173f93e4cd5527eec6d709d72f3e0fef6f2bd509874fda6c33d0c9603
                                                          • Instruction ID: d3db7697bfba14f4a3ad6627a8a5faa1010559558ae5e3f89cc6b0bd66950af4
                                                          • Opcode Fuzzy Hash: d308d32173f93e4cd5527eec6d709d72f3e0fef6f2bd509874fda6c33d0c9603
                                                          • Instruction Fuzzy Hash: 90514BB51082419FD300DF15CC84E6BBBE9EFC9308F14891EF99497351D734A906CB6A
                                                          APIs
                                                          • GetParent.USER32(?), ref: 004449B0
                                                          • GetKeyboardState.USER32(?), ref: 004449C3
                                                          • SetKeyboardState.USER32(?), ref: 00444A0F
                                                          • PostMessageW.USER32(?,00000101,00000010,?), ref: 00444A3F
                                                          • PostMessageW.USER32(?,00000101,00000011,?), ref: 00444A60
                                                          • PostMessageW.USER32(?,00000101,00000012,?), ref: 00444AAC
                                                          • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00444AD1
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: MessagePost$KeyboardState$Parent
                                                          • String ID:
                                                          • API String ID: 87235514-0
                                                          • Opcode ID: d47ceab968b999e6d4944081d81f2373d9ea27f049f07d95c13b51a59d3cc885
                                                          • Instruction ID: 19c159416ad4887e81d4090d30fbb5c505c675cee05c330e2fd8e115592bd25d
                                                          • Opcode Fuzzy Hash: d47ceab968b999e6d4944081d81f2373d9ea27f049f07d95c13b51a59d3cc885
                                                          • Instruction Fuzzy Hash: B651C5A05487D139F7369234884ABA7BFD55F8A304F08CA4EF1E5156C3D2ECE984C769
                                                          APIs
                                                          • GetParent.USER32(?), ref: 00444BA9
                                                          • GetKeyboardState.USER32(?), ref: 00444BBC
                                                          • SetKeyboardState.USER32(?), ref: 00444C08
                                                          • PostMessageW.USER32(?,00000100,00000010,?), ref: 00444C35
                                                          • PostMessageW.USER32(?,00000100,00000011,?), ref: 00444C53
                                                          • PostMessageW.USER32(?,00000100,00000012,?), ref: 00444C9C
                                                          • PostMessageW.USER32(?,00000100,0000005B,?), ref: 00444CBE
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: MessagePost$KeyboardState$Parent
                                                          • String ID:
                                                          • API String ID: 87235514-0
                                                          • Opcode ID: de9aba9e896a2e755c79cba499ec14fd455f1b60db9a9f79a8626ad1a28ad6a0
                                                          • Instruction ID: 4493abccadab05ae7d00f733e1fa63583af0c494729619d74f1516a50adc8d80
                                                          • Opcode Fuzzy Hash: de9aba9e896a2e755c79cba499ec14fd455f1b60db9a9f79a8626ad1a28ad6a0
                                                          • Instruction Fuzzy Hash: A951E4F05097D139F7369364884ABA7BFE46F8A304F088A4EF1D5065C2D2ACE984C769
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 2552f041a71837ba3affbc4ec308d2b7aa0755a9e2dfe05148a880b05b5b76bf
                                                          • Instruction ID: b3b3da583a0ae8cfa3180eda0e634cae40a493ebdfd517dbec9d2fd4fbd82cb1
                                                          • Opcode Fuzzy Hash: 2552f041a71837ba3affbc4ec308d2b7aa0755a9e2dfe05148a880b05b5b76bf
                                                          • Instruction Fuzzy Hash: 1E513A315082909FE321CF14DC89FABBB64FB46320F18456FF895AB2D1D7649C06D7AA
                                                          APIs
                                                            • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046AA77
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: ConnectRegistry_wcslen
                                                          • String ID: HH
                                                          • API String ID: 535477410-2761332787
                                                          • Opcode ID: a31a44ff546351b1de52d8f34745bf25342c9426a619c9766caf2b0061db1f75
                                                          • Instruction ID: 7b41397762752e7dec08e47bcdb2cb2f58790b6f4670524580eb9da3090621e6
                                                          • Opcode Fuzzy Hash: a31a44ff546351b1de52d8f34745bf25342c9426a619c9766caf2b0061db1f75
                                                          • Instruction Fuzzy Hash: A2516D71208301AFD304EF65C981F5BB7A9BFC4704F40892EF685A7291D678E905CB6B
                                                          APIs
                                                          • _memset.LIBCMT ref: 00457C34
                                                          • _memset.LIBCMT ref: 00457CE8
                                                          • ShellExecuteExW.SHELL32(?), ref: 00457D34
                                                            • Part of subcall function 0040FFF0: _wcslen.LIBCMT ref: 0040FFF2
                                                            • Part of subcall function 0040FFF0: _wcscpy.LIBCMT ref: 00410012
                                                          • CloseHandle.KERNEL32(?), ref: 00457DDD
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: _memset$CloseExecuteHandleShell_wcscpy_wcslen
                                                          • String ID: <$@
                                                          • API String ID: 1325244542-1426351568
                                                          • Opcode ID: 669f3797eafbd6ea24f738bceaf78c3ad3f6bdf3b3f8ec2a74c9f7251b65f49f
                                                          • Instruction ID: 09e461bdfc47c8bdd671eddb31188d347eda7c51057725e13e77015b5001baed
                                                          • Opcode Fuzzy Hash: 669f3797eafbd6ea24f738bceaf78c3ad3f6bdf3b3f8ec2a74c9f7251b65f49f
                                                          • Instruction Fuzzy Hash: EA510FB55083009FC710EF61D985A5BB7E4AF84709F00492EFD44AB392DB39ED48CB9A
                                                          APIs
                                                          • CreateToolhelp32Snapshot.KERNEL32(?,?,?,?,?,?,?,?,?,00000002,00000000,00000014), ref: 0047379B
                                                          • Process32FirstW.KERNEL32(00000000,?), ref: 004737A8
                                                          • __wsplitpath.LIBCMT ref: 004737E1
                                                            • Part of subcall function 00413DB0: __wsplitpath_helper.LIBCMT ref: 00413DF2
                                                          • _wcscat.LIBCMT ref: 004737F6
                                                          • __wcsicoll.LIBCMT ref: 00473818
                                                          • Process32NextW.KERNEL32(00000000,?), ref: 00473844
                                                          • CloseHandle.KERNEL32(00000000,00000000,?,?), ref: 00473852
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wcsicoll__wsplitpath__wsplitpath_helper_wcscat
                                                          • String ID:
                                                          • API String ID: 2547909840-0
                                                          • Opcode ID: 1dcf289f501924a5df592eae16a0ec0030d5246948486ec38c60cdc62178aa5b
                                                          • Instruction ID: 8efa427203ffd7a45d167e3a64f6abf3f3640219bb0751621114887cb14f0fc1
                                                          • Opcode Fuzzy Hash: 1dcf289f501924a5df592eae16a0ec0030d5246948486ec38c60cdc62178aa5b
                                                          • Instruction Fuzzy Hash: 4751BB71544304A7D720EF61CC86FDBB3E8AF84748F00492EF58957182E775E645C7AA
                                                          APIs
                                                          • SendMessageW.USER32(?,00001308,?,00000000), ref: 004552B7
                                                          • ImageList_Remove.COMCTL32(?,?,?,?), ref: 004552EB
                                                          • SendMessageW.USER32(?,0000133D,?,00000002), ref: 004553D3
                                                          • DeleteObject.GDI32(?), ref: 0045564E
                                                          • DeleteObject.GDI32(?), ref: 0045565C
                                                          • DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
                                                          • DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: DeleteDestroyMessageObjectSend$IconImageList_RemoveWindow
                                                          • String ID:
                                                          • API String ID: 2354583917-0
                                                          • Opcode ID: b44580b005306b3b7f9b1dbab51831616e075f248f5ed84087b7c105bb41b1f9
                                                          • Instruction ID: 19c5dc8500d05a42ca126c51664c70dafe1d1a8ca3b523478e8997b137d6e309
                                                          • Opcode Fuzzy Hash: b44580b005306b3b7f9b1dbab51831616e075f248f5ed84087b7c105bb41b1f9
                                                          • Instruction Fuzzy Hash: 77519D30204A419FC714DF24C4A4B7A77E5FB49301F4486AEFD9ACB392DB78A849CB54
                                                          APIs
                                                            • Part of subcall function 0046DD22: IsWindow.USER32(00000000), ref: 0046DD51
                                                          • GetMenu.USER32 ref: 004776AA
                                                          • GetMenuItemCount.USER32(00000000), ref: 004776CC
                                                          • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 004776FB
                                                          • _wcslen.LIBCMT ref: 0047771A
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: Menu$CountItemStringWindow_wcslen
                                                          • String ID:
                                                          • API String ID: 1823500076-0
                                                          • Opcode ID: 3c1e0179b5075f45df12b398ec391808b8d2f1e7a16a5d1bec5683dd9427006f
                                                          • Instruction ID: 4b9e656becebfc5f52f27a1d7ad2c07a58398098864d75d3a5ce1c02cc274359
                                                          • Opcode Fuzzy Hash: 3c1e0179b5075f45df12b398ec391808b8d2f1e7a16a5d1bec5683dd9427006f
                                                          • Instruction Fuzzy Hash: 174117715083019FD320EF25CC45BABB3E8BF88314F10492EF55997252D7B8E9458BA9
                                                          APIs
                                                          • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0044890A
                                                          • SendMessageW.USER32(?,00000469,?,00000000), ref: 00448920
                                                          • EnableWindow.USER32(004A83D8,00000000), ref: 00448BAB
                                                          • EnableWindow.USER32(004A83D8,00000001), ref: 00448BC1
                                                          • ShowWindow.USER32(004A83D8,00000000,004A83D8,?,?), ref: 00448C37
                                                          • ShowWindow.USER32(004A83D8,00000004,004A83D8), ref: 00448C43
                                                          • EnableWindow.USER32(004A83D8,00000001), ref: 00448C58
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: Window$Enable$Show$MessageMoveSend
                                                          • String ID:
                                                          • API String ID: 896007046-0
                                                          • Opcode ID: 440e8810410bf42a4c8e03fd117b8fd843bde7e89b0e2674ab81ad81c9f8ea0f
                                                          • Instruction ID: 0809a8548e22334437b8974569d6adfa08582830463fbdb99c3481629354d751
                                                          • Opcode Fuzzy Hash: 440e8810410bf42a4c8e03fd117b8fd843bde7e89b0e2674ab81ad81c9f8ea0f
                                                          • Instruction Fuzzy Hash: 63419E746043419FF7248B24C884B6FB7A1FB99305F18886EF98197391DA78A845CB59
                                                          APIs
                                                          • SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 0044140E
                                                          • GetWindowLongW.USER32(?,000000F0), ref: 00441452
                                                          • GetWindowLongW.USER32(?,000000F0), ref: 00441493
                                                          • SendMessageW.USER32(02F31AF0,000000F1,00000000,00000000), ref: 004414C6
                                                          • SendMessageW.USER32(02F31AF0,000000F1,00000001,00000000), ref: 004414F1
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$LongWindow
                                                          • String ID:
                                                          • API String ID: 312131281-0
                                                          • Opcode ID: ed470013e842d905752aa6f8daaa5f1d8e955df317e7b96a507e5c494099af20
                                                          • Instruction ID: f6a862a32ccfd92e4f153a1965fa7dc80102ffdb8abe4b8a046001f82176c48d
                                                          • Opcode Fuzzy Hash: ed470013e842d905752aa6f8daaa5f1d8e955df317e7b96a507e5c494099af20
                                                          • Instruction Fuzzy Hash: 2F416A347442019FE720CF58DCC4F6A77A5FB8A754F24416AE5519B3B1CB75AC82CB48
                                                          APIs
                                                          • _memset.LIBCMT ref: 004484C4
                                                          • GetMenuItemInfoW.USER32(?,?,00000000,004A83D8), ref: 00448562
                                                          • IsMenu.USER32(?), ref: 0044857B
                                                          • InsertMenuItemW.USER32(?,?,00000001,004A83D8), ref: 004485D0
                                                          • DrawMenuBar.USER32 ref: 004485E4
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: Menu$Item$DrawInfoInsert_memset
                                                          • String ID: 0
                                                          • API String ID: 3866635326-4108050209
                                                          • Opcode ID: 42a201a1e731261e29c9ff9b40de176b55a78da0b06957c9f64dc5096dc7767a
                                                          • Instruction ID: c1b4c65bd9dbf201e14e83578cc8030a3c247867dd5f1e451e409e2153a24926
                                                          • Opcode Fuzzy Hash: 42a201a1e731261e29c9ff9b40de176b55a78da0b06957c9f64dc5096dc7767a
                                                          • Instruction Fuzzy Hash: 9F417F75604341AFE710CF45C984B6BB7E4FB89304F14881EFA554B391DBB4E849CB5A
                                                          APIs
                                                          • InterlockedIncrement.KERNEL32 ref: 0047247C
                                                          • InterlockedDecrement.KERNEL32(004A7CAC), ref: 00472491
                                                          • Sleep.KERNEL32(0000000A), ref: 00472499
                                                          • InterlockedIncrement.KERNEL32(004A7CAC), ref: 004724A4
                                                          • InterlockedDecrement.KERNEL32(004A7CAC), ref: 00472599
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: Interlocked$DecrementIncrement$Sleep
                                                          • String ID: 0vH
                                                          • API String ID: 327565842-3662162768
                                                          • Opcode ID: bfb173672284e31ba0a3017bb0c7d670cf276827bd066f711b3c3b49063f60eb
                                                          • Instruction ID: 7246262c18bb701d5349304b0e2d21290bf7c9637501dd5a114e6955e8e78370
                                                          • Opcode Fuzzy Hash: bfb173672284e31ba0a3017bb0c7d670cf276827bd066f711b3c3b49063f60eb
                                                          • Instruction Fuzzy Hash: 9631D2329082259BD710DF28DD41A8A77A5EB95324F05483EFD08FB251DB78EC498BED
                                                          APIs
                                                          • SendMessageW.USER32(?,00000401,?,00000000), ref: 00448B16
                                                          • GetFocus.USER32 ref: 00448B1C
                                                          • EnableWindow.USER32(004A83D8,00000000), ref: 00448BAB
                                                          • EnableWindow.USER32(004A83D8,00000001), ref: 00448BC1
                                                          • ShowWindow.USER32(004A83D8,00000000,004A83D8,?,?), ref: 00448C37
                                                          • ShowWindow.USER32(004A83D8,00000004,004A83D8), ref: 00448C43
                                                          • EnableWindow.USER32(004A83D8,00000001), ref: 00448C58
                                                          Similarity
                                                          • API ID: Window$Enable$Show$FocusMessageSend
                                                          • String ID:
                                                          • API String ID: 3429747543-0
                                                          • Opcode ID: f5aca3f6d68f8169105ace43209457086b036621b25274999c7621d4cb9b91fc
                                                          • Instruction ID: 96ed947056310062a3fa6d2350adc65d304252fdbf70c479ab88671ed4e09c2c
                                                          • Opcode Fuzzy Hash: f5aca3f6d68f8169105ace43209457086b036621b25274999c7621d4cb9b91fc
                                                          • Instruction Fuzzy Hash: FC31B4706443819BF7248E14C8C4BAFB7D0EB95745F04492EF981A6291DBA89845C719
                                                          APIs
                                                          • LoadStringW.USER32(?,00000065,?,0000007F), ref: 0042A9B0
                                                            • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                                                          • _memset.LIBCMT ref: 00401C62
                                                          • _wcsncpy.LIBCMT ref: 00401CA1
                                                          • _wcscpy.LIBCMT ref: 00401CBD
                                                          • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00401CCF
                                                          Similarity
                                                          • API ID: IconLoadNotifyShell_String_memset_wcscpy_wcslen_wcsncpy
                                                          • String ID: Line:
                                                          • API String ID: 1620655955-1585850449
                                                          • Opcode ID: b1e388f5f21e32c190c1b7412400e6ffb6374e41c1d48bdcdb7aece10813d053
                                                          • Instruction ID: a4e7cf3abc31881c2b93aaae0beefbbd48c64772eea77d32b53e92a0700a02c6
                                                          • Opcode Fuzzy Hash: b1e388f5f21e32c190c1b7412400e6ffb6374e41c1d48bdcdb7aece10813d053
                                                          • Instruction Fuzzy Hash: 7431D47151C301ABD324EB11DC41BDB77E8AF94314F04493FF989521A1DB78AA49C79B
                                                          APIs
                                                          • SetErrorMode.KERNEL32(00000001), ref: 0045D32F
                                                          • GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D3B3
                                                          • __swprintf.LIBCMT ref: 0045D3CC
                                                          • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D416
                                                          Similarity
                                                          • API ID: ErrorMode$InformationVolume__swprintf
                                                          • String ID: %lu$HH
                                                          • API String ID: 3164766367-3924996404
                                                          • Opcode ID: bd20e614eacc1ec6e7ce8a240dc663141bf9142d6fc10aee8c7bf862d4d2af0b
                                                          • Instruction ID: e4de0c6df68350460ad5232616e5185c9d799459bd1b640414cfcbd8d86849a8
                                                          • Opcode Fuzzy Hash: bd20e614eacc1ec6e7ce8a240dc663141bf9142d6fc10aee8c7bf862d4d2af0b
                                                          • Instruction Fuzzy Hash: 85314A716083019BC310EF55D941A5BB7E4FF88704F40892EFA4597292D774EA09CB9A
                                                          APIs
                                                          • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00450E24
                                                          • SendMessageW.USER32(00000000,00000409,00000000,FF000000), ref: 00450E35
                                                          • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00450E43
                                                          • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00450E54
                                                          • SendMessageW.USER32(00000000,00000404,00000001,00000000), ref: 00450E62
                                                          Similarity
                                                          • API ID: MessageSend
                                                          • String ID: Msctls_Progress32
                                                          • API String ID: 3850602802-3636473452
                                                          • Opcode ID: 42656bfbb5a190feb894f1e63281698c22ff60bbec02a0e57f9bf8616b6fd2a5
                                                          • Instruction ID: b51c377fab27852337593a8f268aff884918310fa347e0537580fa9f3b853d23
                                                          • Opcode Fuzzy Hash: 42656bfbb5a190feb894f1e63281698c22ff60bbec02a0e57f9bf8616b6fd2a5
                                                          • Instruction Fuzzy Hash: 2C2121712543007AE7209A65DC42F5BB3E9AFD8B24F214A0EF754B72D1C6B4F8418B58
                                                          APIs
                                                          • ImageList_Destroy.COMCTL32(?), ref: 00455451
                                                          • ImageList_Destroy.COMCTL32(?), ref: 0045545F
                                                          • DestroyWindow.USER32(?,?,?,?,?), ref: 00455640
                                                          • DeleteObject.GDI32(?), ref: 0045564E
                                                          • DeleteObject.GDI32(?), ref: 0045565C
                                                          • DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
                                                          • DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
                                                          Similarity
                                                          • API ID: Destroy$DeleteImageList_ObjectWindow$Icon
                                                          • String ID:
                                                          • API String ID: 3985565216-0
                                                          • Opcode ID: dc022e11ae60a508d3fee16e2099accab07c71a042b18f60c16d9d094d7ead98
                                                          • Instruction ID: 02eb1b45cc7e926b76574f27881fb1e8d9d372094f4d7b34cf8607babd6cb63d
                                                          • Opcode Fuzzy Hash: dc022e11ae60a508d3fee16e2099accab07c71a042b18f60c16d9d094d7ead98
                                                          • Instruction Fuzzy Hash: EA213270200A019FCB20DF65CAD4B2A77A9BF45312F50855EED45CB352DB39EC45CB69
                                                          APIs
                                                          • ___set_flsgetvalue.LIBCMT ref: 00415737
                                                          • __calloc_crt.LIBCMT ref: 00415743
                                                          • __getptd.LIBCMT ref: 00415750
                                                          • CreateThread.KERNEL32(00000000,?,0041568B,00000000,00000004,00000000), ref: 00415776
                                                          • ResumeThread.KERNEL32(00000000,?,?,?,?,?,?,00000000), ref: 00415786
                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,00000000), ref: 00415791
                                                          • __dosmaperr.LIBCMT ref: 004157A9
                                                            • Part of subcall function 00417F23: __getptd_noexit.LIBCMT ref: 00417F23
                                                            • Part of subcall function 00417EBB: __decode_pointer.LIBCMT ref: 00417EC6
                                                          Similarity
                                                          • API ID: Thread$CreateErrorLastResume___set_flsgetvalue__calloc_crt__decode_pointer__dosmaperr__getptd__getptd_noexit
                                                          • String ID:
                                                          • API String ID: 1269668773-0
                                                          • Opcode ID: 0d7b65c6ab38dbefdfd62d93c8bf275ac45e934a4136d591895be9c5171332a1
                                                          • Instruction ID: 083f1b3d72dc2b4e3073d7627409da2efaae6cca9fbdfa2eb2c15b7cb2a145f7
                                                          • Opcode Fuzzy Hash: 0d7b65c6ab38dbefdfd62d93c8bf275ac45e934a4136d591895be9c5171332a1
                                                          • Instruction Fuzzy Hash: 4511E672501604EFC720AF76DC868DF7BA4EF80334F21412FF525922D1DB788981966D
                                                          APIs
                                                            • Part of subcall function 00438FE4: GetProcessHeap.KERNEL32(00000008,0000000C,0043910A,00000000,00000000,00000000,0044646E,?,?,?), ref: 00438FE8
                                                            • Part of subcall function 00438FE4: HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00438FEF
                                                          • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,00000000,00000000,00000000,0044646E,?,?,?), ref: 00439119
                                                          • GetCurrentProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00439123
                                                          • DuplicateHandle.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0043912C
                                                          • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00439138
                                                          • GetCurrentProcess.KERNEL32(?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00439142
                                                          • DuplicateHandle.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 00439145
                                                          • CreateThread.KERNEL32(00000000,00000000,004390C2,00000000,00000000,00000000), ref: 0043915E
                                                          Similarity
                                                          • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                          • String ID:
                                                          • API String ID: 1957940570-0
                                                          • Opcode ID: ae016cd78919e3da0d3d218cc031d8d4f693afb8d34ff927aa47fd3b6f506194
                                                          • Instruction ID: b388a4287fabc35bf2088fa38ebc9459a42e34e8a642192e1b63b89709cb9be3
                                                          • Opcode Fuzzy Hash: ae016cd78919e3da0d3d218cc031d8d4f693afb8d34ff927aa47fd3b6f506194
                                                          • Instruction Fuzzy Hash: 3BF0CD753413007BD220EB65DC86F5BB7A8EBC9B10F118919F6049B1D1C6B4A800CB65
                                                          APIs
                                                          • ___set_flsgetvalue.LIBCMT ref: 00415690
                                                            • Part of subcall function 00416A84: TlsGetValue.KERNEL32(00411739,00416C10,?,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416A8D
                                                            • Part of subcall function 00416A84: __decode_pointer.LIBCMT ref: 00416A9F
                                                            • Part of subcall function 00416A84: TlsSetValue.KERNEL32(00000000,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416AAE
                                                          • ___fls_getvalue@4.LIBCMT ref: 0041569B
                                                            • Part of subcall function 00416A64: TlsGetValue.KERNEL32(?,?,004140F1,00000000), ref: 00416A72
                                                          • ___fls_setvalue@8.LIBCMT ref: 004156AD
                                                            • Part of subcall function 00416AB8: __decode_pointer.LIBCMT ref: 00416AC9
                                                          • GetLastError.KERNEL32(00000000,?,00000000), ref: 004156B6
                                                          • ExitThread.KERNEL32 ref: 004156BD
                                                          • __freefls@4.LIBCMT ref: 004156D9
                                                          • __IsNonwritableInCurrentImage.LIBCMT ref: 004156EC
                                                          Similarity
                                                          • API ID: Value$__decode_pointer$CurrentErrorExitImageLastNonwritableThread___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
                                                          • String ID:
                                                          • API String ID: 4166825349-0
                                                          • Opcode ID: 185d0aae8fe32bab84a079219336c355dd614541d1aff55515eff8c05f91681e
                                                          • Instruction ID: 1015f584654e325efa3cacb901eba7c9ae2b5aefa54885f90b4e6d99173acdac
                                                          • Opcode Fuzzy Hash: 185d0aae8fe32bab84a079219336c355dd614541d1aff55515eff8c05f91681e
                                                          • Instruction Fuzzy Hash: 14F049745007009BD704BF72DD159DE7B69AF85345761C85FB80897222DA3DC9C1CB9C
                                                          APIs
                                                          • LoadLibraryA.KERNEL32(advapi32.dll,p#D,0043415E,p#D,?,00442370,?), ref: 00434134
                                                          • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00434146
                                                          Similarity
                                                          • API ID: AddressLibraryLoadProc
                                                          • String ID: RegDeleteKeyExW$advapi32.dll$p#D$p#D
                                                          • API String ID: 2574300362-3261711971
                                                          • Opcode ID: 3da92f374f37a9fa7395fa6ef73d3af1d379715eec5b41da1672ebd70bf57acc
                                                          • Instruction ID: cb82693085896f9455b4638215a98dd7e3cb824177552166877179ce6000b7c2
                                                          • Opcode Fuzzy Hash: 3da92f374f37a9fa7395fa6ef73d3af1d379715eec5b41da1672ebd70bf57acc
                                                          • Instruction Fuzzy Hash: D8D05EB0400B039FCB105F24D8086AB76F4EB68700F208C2EF989A3750C7B8E8C0CB68
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c82efa3070467c2623ec738b5b2be2cd760763614a3dd1863134219050ad48d5
                                                          • Instruction ID: be39947db1ffbcb7075193c31d102fc15fe4f6af8d23ce90efbce3d2b6a77a88
                                                          • Opcode Fuzzy Hash: c82efa3070467c2623ec738b5b2be2cd760763614a3dd1863134219050ad48d5
                                                          • Instruction Fuzzy Hash: 4BF16D71108740AFD210DB59C880EABB7F9EFCA744F10891EF69983261D735AC45CBAA
                                                          APIs
                                                          • GetClientRect.USER32(?,?), ref: 00433724
                                                          • GetWindowRect.USER32(00000000,?), ref: 00433757
                                                          • GetClientRect.USER32(0000001D,?), ref: 004337AC
                                                          • GetSystemMetrics.USER32(0000000F), ref: 00433800
                                                          • GetWindowRect.USER32(?,?), ref: 00433814
                                                          • ScreenToClient.USER32(?,?), ref: 00433842
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: Rect$Client$Window$MetricsScreenSystem
                                                          • String ID:
                                                          • API String ID: 3220332590-0
                                                          • Opcode ID: 3d0204db3781b081fd3de6a8efec2d06c6e501bf89adf1cf9fb69463b8de8f3e
                                                          • Instruction ID: 40e56d112be44df416332e5c874318f33691c6b0c201ea6c9f9086adb5117cf0
                                                          • Opcode Fuzzy Hash: 3d0204db3781b081fd3de6a8efec2d06c6e501bf89adf1cf9fb69463b8de8f3e
                                                          • Instruction Fuzzy Hash: E9A126B42147028AC324CF68C5847ABBBF1FF98715F04991EE9D983360E775E908CB5A
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: _malloc_wcslen$_strcat_wcscpy
                                                          • String ID:
                                                          • API String ID: 1612042205-0
                                                          • Opcode ID: de2929fcda50375e6e5cb9f1075b8832783a078aa1feca3c1cc6154b42d84a61
                                                          • Instruction ID: 39b6431fb86a1cae222df6ecce28f21653e085caad8de22f1e35678e4483a9b6
                                                          • Opcode Fuzzy Hash: de2929fcda50375e6e5cb9f1075b8832783a078aa1feca3c1cc6154b42d84a61
                                                          • Instruction Fuzzy Hash: CD613B70504202EFCB10EF29D58096AB3E5FF48305B50496EF8859B306D738EE59DB9A
                                                          APIs
                                                          • GetKeyboardState.USER32(?,?,00000001,00000001,?,00000000), ref: 0044C588
                                                          • SetKeyboardState.USER32(00000080), ref: 0044C59B
                                                          • PostMessageW.USER32(?,00000104,?,?), ref: 0044C5EC
                                                          • PostMessageW.USER32(?,00000100,?,?), ref: 0044C610
                                                          • PostMessageW.USER32(?,00000102,?,00000001), ref: 0044C637
                                                          • SendInput.USER32 ref: 0044C6E2
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: MessagePost$KeyboardState$InputSend
                                                          • String ID:
                                                          • API String ID: 2221674350-0
                                                          • Opcode ID: 061e63fcf1402e721e52ee56d2f22f81c2cbe03cfd8f861d8ff00d299370d474
                                                          • Instruction ID: 3a634557d1668dba9f4fbb3ffee1259adddcddb7f3fce46f2ce6721246940f3b
                                                          • Opcode Fuzzy Hash: 061e63fcf1402e721e52ee56d2f22f81c2cbe03cfd8f861d8ff00d299370d474
                                                          • Instruction Fuzzy Hash: A24148725053486AF760EF209C80BFFBB98EF95324F04151FFDC412281D66E984987BA
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: _wcscpy$_wcscat
                                                          • String ID:
                                                          • API String ID: 2037614760-0
                                                          • Opcode ID: f99e136c889cacb8689bc9f00eee4ad51686cf745bff212a4790763dd87d00cb
                                                          • Instruction ID: 871aa96d6b0d5f43eceffdadd72b032f7becd6ba50fbda5e2bca5dd503650597
                                                          • Opcode Fuzzy Hash: f99e136c889cacb8689bc9f00eee4ad51686cf745bff212a4790763dd87d00cb
                                                          • Instruction Fuzzy Hash: 7D41BD31901A256BDE317F55D880BBB7358DFA1314F84006FF98247313EA6E5892C6BE
                                                          APIs
                                                          • BeginPaint.USER32(00000000,?,004A83D8,?), ref: 00447B9D
                                                          • GetWindowRect.USER32(?,?), ref: 00447C1B
                                                          • ScreenToClient.USER32(?,?), ref: 00447C39
                                                          • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00447C4C
                                                          • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00447C93
                                                          • EndPaint.USER32(?,?), ref: 00447CD1
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: Paint$BeginClientRectRectangleScreenViewportWindow
                                                          • String ID:
                                                          • API String ID: 4189319755-0
                                                          • Opcode ID: 37bca05dc5f282a43c1c57c3b808f61ec058395b4d713bcb6da44fc2610780a1
                                                          • Instruction ID: de699fe3e67e71f806f86ee7feca1bcffcb0489daa19151882f3061068cc4b26
                                                          • Opcode Fuzzy Hash: 37bca05dc5f282a43c1c57c3b808f61ec058395b4d713bcb6da44fc2610780a1
                                                          • Instruction Fuzzy Hash: D14182705043019FE320DF15C8C8F7B7BA8EB89724F04466EF9548B391DB74A846CB69
                                                          APIs
                                                          • InterlockedExchange.KERNEL32(?,000001F5), ref: 0044B490
                                                            • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                                                          • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 0044B4C2
                                                          • EnterCriticalSection.KERNEL32(00000000), ref: 0044B4E3
                                                          • LeaveCriticalSection.KERNEL32(00000000), ref: 0044B5A0
                                                          • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 0044B5BB
                                                            • Part of subcall function 0041171A: std::bad_alloc::bad_alloc.LIBCMT ref: 00411757
                                                            • Part of subcall function 0041171A: std::bad_exception::bad_exception.LIBCMT ref: 0041176B
                                                            • Part of subcall function 0041171A: __CxxThrowException@8.LIBCMT ref: 00411779
                                                          • InterlockedExchange.KERNEL32(?,000001F6), ref: 0044B5D1
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: CriticalExchangeFileInterlockedReadSection$EnterException@8LeaveThrow_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exception
                                                          • String ID:
                                                          • API String ID: 1726766782-0
                                                          • Opcode ID: 16d5c57b5e53c2061fc4ac4ded6e87df9b6247511e9ffc13c2dfc8627616166f
                                                          • Instruction ID: bf52b5dc2e344941501510e432fc863898df75637e45487ca8cd05157db66b41
                                                          • Opcode Fuzzy Hash: 16d5c57b5e53c2061fc4ac4ded6e87df9b6247511e9ffc13c2dfc8627616166f
                                                          • Instruction Fuzzy Hash: 09415C75104701AFD320EF26D845EABB3F8EF88708F008E2DF59A92650D774E945CB6A
                                                          APIs
                                                          • ShowWindow.USER32(?,00000000,?,?,?,?,00448962,004A83D8,?,?), ref: 004410F9
                                                          • EnableWindow.USER32(?,00000000), ref: 0044111A
                                                          • ShowWindow.USER32(?,00000000,?,?,?,?,00448962,004A83D8,?,?), ref: 00441183
                                                          • ShowWindow.USER32(?,00000004,?,?,?,00448962,004A83D8,?,?), ref: 00441192
                                                          • EnableWindow.USER32(?,00000001), ref: 004411B3
                                                          • SendMessageW.USER32(?,0000130C,?,00000000), ref: 004411D5
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: Window$Show$Enable$MessageSend
                                                          • String ID:
                                                          • API String ID: 642888154-0
                                                          • Opcode ID: c853c7407bbaf9010c68549c691492fdcd401e5b0cb22aeb5446aebbed6f20c9
                                                          • Instruction ID: 824eeaafe1f931a994963cd163acc5b0ce47b26168a6fd4ee38d593e4569daee
                                                          • Opcode Fuzzy Hash: c853c7407bbaf9010c68549c691492fdcd401e5b0cb22aeb5446aebbed6f20c9
                                                          • Instruction Fuzzy Hash: 14417770604245DFE725CF14C984FA6B7E5BF89300F1886AEE6859B3B2CB74A881CB55
                                                          APIs
                                                          • SendMessageW.USER32(00000000,00001024,00000000,?), ref: 004490E3
                                                          • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004490F8
                                                          • SendMessageW.USER32(00000000,0000111E,00000000,?), ref: 0044910D
                                                          • InvalidateRect.USER32(?,00000000,00000001), ref: 00449124
                                                          • GetWindowLongW.USER32(00000000,000000F0), ref: 0044912F
                                                          • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 0044913C
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$LongWindow$InvalidateRect
                                                          • String ID:
                                                          • API String ID: 1976402638-0
                                                          • Opcode ID: 2b574cf222373ea94a5f8b1e2da5d15417ee742d7ff148607d59a4e94613559a
                                                          • Instruction ID: 8b80d2acd15126bdfc8b54909556444574c0e56a9806921f1e0b477f33817628
                                                          • Opcode Fuzzy Hash: 2b574cf222373ea94a5f8b1e2da5d15417ee742d7ff148607d59a4e94613559a
                                                          • Instruction Fuzzy Hash: F231B476244202AFF224DF04DC89FBBB7A9F785321F14492EF291973D0CA75AC469729
                                                          APIs
                                                          • GetForegroundWindow.USER32 ref: 00442597
                                                            • Part of subcall function 004344B7: GetWindowRect.USER32(?,?), ref: 004344D3
                                                          • GetDesktopWindow.USER32 ref: 004425BF
                                                          • GetWindowRect.USER32(00000000), ref: 004425C6
                                                          • mouse_event.USER32(00008001,?,?,?,?), ref: 004425F5
                                                            • Part of subcall function 00436272: Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 00436287
                                                          • GetCursorPos.USER32(?), ref: 00442624
                                                          • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00442690
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                                                          • String ID:
                                                          • API String ID: 4137160315-0
                                                          • Opcode ID: 9bf1d5af4d3523281d87c855d40d0150606dc562a9e0308dc2a2f88b36285eae
                                                          • Instruction ID: 1581b522c3ee05a339ffa1fd07f9e8cd23967deed6539873686ea33d82c69dd2
                                                          • Opcode Fuzzy Hash: 9bf1d5af4d3523281d87c855d40d0150606dc562a9e0308dc2a2f88b36285eae
                                                          • Instruction Fuzzy Hash: 7C31C1B2104306ABD310DF54CD85E6BB7E9FB98304F004A2EF94597281E675E9058BA6
                                                          APIs
                                                          • SendMessageW.USER32(?,000000F1,?,00000000), ref: 0044886C
                                                          • EnableWindow.USER32(004A83D8,00000000), ref: 00448BAB
                                                          • EnableWindow.USER32(004A83D8,00000001), ref: 00448BC1
                                                          • ShowWindow.USER32(004A83D8,00000000,004A83D8,?,?), ref: 00448C37
                                                          • ShowWindow.USER32(004A83D8,00000004,004A83D8), ref: 00448C43
                                                          • EnableWindow.USER32(004A83D8,00000001), ref: 00448C58
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: Window$Enable$Show$MessageSend
                                                          • String ID:
                                                          • API String ID: 1871949834-0
                                                          • Opcode ID: 703f0702a5e3ae6889c0b2c4cbd553a5347372704319c0c884d711360b5070ea
                                                          • Instruction ID: fbfed122d4da650e42f877d7e8bff2bfe9b33138fa51555fe8345b8bcc16d821
                                                          • Opcode Fuzzy Hash: 703f0702a5e3ae6889c0b2c4cbd553a5347372704319c0c884d711360b5070ea
                                                          • Instruction Fuzzy Hash: A731F3B07443819BF7248E14C8C4BAFB7D0AB95345F08482EF981A63D1DBAC9846872A
                                                          APIs
                                                          • _memset.LIBCMT ref: 0044961A
                                                          • SendMessageW.USER32 ref: 0044964A
                                                            • Part of subcall function 00433A98: _wcspbrk.LIBCMT ref: 00433AAC
                                                          • SendMessageW.USER32(?,00001074,?,00000001), ref: 004496AC
                                                          • _wcslen.LIBCMT ref: 004496BA
                                                          • _wcslen.LIBCMT ref: 004496C7
                                                          • SendMessageW.USER32(?,00001074,?,?), ref: 004496FD
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$_wcslen$_memset_wcspbrk
                                                          • String ID:
                                                          • API String ID: 1624073603-0
                                                          • Opcode ID: 3158986b153f08837b9b71a8f77f3cc169978b1c24ba43a32ffefb24081b9654
                                                          • Instruction ID: 7e49a266cf7116299f7bc8659d1ce07b00adedb8b3f1b428e1954e4b11147a1e
                                                          • Opcode Fuzzy Hash: 3158986b153f08837b9b71a8f77f3cc169978b1c24ba43a32ffefb24081b9654
                                                          • Instruction Fuzzy Hash: B631CA71508300AAE720DF15DC81BEBB7D4EBD4720F504A1FFA54862D0EBBAD945C7A6
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 8dc28afdcb3e23db499faf1906c1cec9916ddd90de084288035f36419de8ba35
                                                          • Instruction ID: 0263b137e1f68684b0dae4bb7f633391a2f723f0f4072b7ce39308acd6c8c458
                                                          • Opcode Fuzzy Hash: 8dc28afdcb3e23db499faf1906c1cec9916ddd90de084288035f36419de8ba35
                                                          • Instruction Fuzzy Hash: 31219272245110ABE7108B68DCC4B6F7798EB96374F240A3AF512C61E1EA7998C1C769
                                                          APIs
                                                          • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 004555AD
                                                          • DestroyWindow.USER32(?,?,?,?,?), ref: 00455640
                                                          • DeleteObject.GDI32(?), ref: 0045564E
                                                          • DeleteObject.GDI32(?), ref: 0045565C
                                                          • DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
                                                          • DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: DestroyWindow$DeleteObject$IconMove
                                                          • String ID:
                                                          • API String ID: 1640429340-0
                                                          • Opcode ID: da39536b61dc90218e8938c0c8165bcff49a91d8f884d8405ba8ed69dafdd4fa
                                                          • Instruction ID: 2ee25f48dcb0ad8048bc4d9c922f6cac320a9d705fdb810e808868a6102f62dc
                                                          • Opcode Fuzzy Hash: da39536b61dc90218e8938c0c8165bcff49a91d8f884d8405ba8ed69dafdd4fa
                                                          • Instruction Fuzzy Hash: 05312770200A419FD724DF24C998B3A73F9FB44312F4485AAE945CB266E778EC49CB69
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: __fileno__setmode$DebugOutputString_fprintf
                                                          • String ID:
                                                          • API String ID: 3354276064-0
                                                          • Opcode ID: 44da5cbe136b9a97bfd5e2050e6700f1212f0f901edc4668462b95a159366457
                                                          • Instruction ID: 1e9a75ed7ce68f0ee686932f25d41d1f14ae1a91d469003489e3a0780bce169f
                                                          • Opcode Fuzzy Hash: 44da5cbe136b9a97bfd5e2050e6700f1212f0f901edc4668462b95a159366457
                                                          • Instruction Fuzzy Hash: 6D11F3B2D0830136D500BA366C02AAF7A5C4A91B5CF44056EFD4563293EA2DAA4943FF
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: Destroy$DeleteMenuObject$IconWindow
                                                          • String ID:
                                                          • API String ID: 752480666-0
                                                          • Opcode ID: e2db828b4da75c1988a3618645d7ad87c2567147b1e4a2a373431826dce2281b
                                                          • Instruction ID: bf467a0aa8f060071afd9cdae546a2eb92d9c059e8a57ac1e588bb5f3fc3a395
                                                          • Opcode Fuzzy Hash: e2db828b4da75c1988a3618645d7ad87c2567147b1e4a2a373431826dce2281b
                                                          • Instruction Fuzzy Hash: 26215E30200A019FC724DF24D5E8B7AB7A9FB44312F50855EED498B392CB39EC89CB59
                                                          APIs
                                                          • DestroyWindow.USER32(00000000), ref: 0045527A
                                                          • ImageList_Destroy.COMCTL32(?), ref: 0045528C
                                                          • DeleteObject.GDI32(?), ref: 0045564E
                                                          • DeleteObject.GDI32(?), ref: 0045565C
                                                          • DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
                                                          • DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: Destroy$DeleteObjectWindow$IconImageList_
                                                          • String ID:
                                                          • API String ID: 3275902921-0
                                                          • Opcode ID: 9ca718b8a23ef3076e20a4bf5a66fd8e296fb8dfd37af4e8726ba93a3cadf818
                                                          • Instruction ID: c357af2a313eda44c34a26cb015c973203dd8f66e4d80e74dc1abfaeb9ce60f9
                                                          • Opcode Fuzzy Hash: 9ca718b8a23ef3076e20a4bf5a66fd8e296fb8dfd37af4e8726ba93a3cadf818
                                                          • Instruction Fuzzy Hash: 2D217E70604A019BC714DF79D99466AB7A5BF44311F40856EF919CB342DB38E849CF68
                                                          APIs
                                                          • GetCurrentProcess.KERNEL32(0000000A,?,?,?,?,?,00446540,?,?,?,?,?,?,?,?,?), ref: 0043935D
                                                          • OpenProcessToken.ADVAPI32(00000000,?,00000000,00464227,00000000,?,?,?,?,?,?,?,?), ref: 00439364
                                                          • CreateEnvironmentBlock.USERENV(?,?,00000001,?,00000000,00464227,00000000,?,?,?,?,?,?,?,?), ref: 00439376
                                                          • CloseHandle.KERNEL32(?,?,00000000,00464227,00000000,?,?,?,?,?,?,?,?), ref: 00439383
                                                          • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,?,?,?,?), ref: 004393C0
                                                          • DestroyEnvironmentBlock.USERENV(?,?,00000000,00464227,00000000,?,?,?,?,?,?,?,?), ref: 004393D4
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                                          • String ID:
                                                          • API String ID: 1413079979-0
                                                          • Opcode ID: 1d720b0393062126ad9b64f1bf0a3b497d62ac8a089cd0237a290436ac7c4432
                                                          • Instruction ID: 8c652321442b38080740e7d333ba663a52d3460857ef2618669649d87ea194c0
                                                          • Opcode Fuzzy Hash: 1d720b0393062126ad9b64f1bf0a3b497d62ac8a089cd0237a290436ac7c4432
                                                          • Instruction Fuzzy Hash: 7B2150B2208300ABD314CB65D854EABB7EDEBCD754F084E1DF989A3250C7B4E901CB25
                                                          APIs
                                                          • ___set_flsgetvalue.LIBCMT ref: 0041418F
                                                          • __calloc_crt.LIBCMT ref: 0041419B
                                                          • __getptd.LIBCMT ref: 004141A8
                                                          • CreateThread.KERNEL32(?,?,004140DB,00000000,?,?), ref: 004141DF
                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,00000000), ref: 004141E9
                                                          • __dosmaperr.LIBCMT ref: 00414201
                                                            • Part of subcall function 00417F23: __getptd_noexit.LIBCMT ref: 00417F23
                                                            • Part of subcall function 00417EBB: __decode_pointer.LIBCMT ref: 00417EC6
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__decode_pointer__dosmaperr__getptd__getptd_noexit
                                                          • String ID:
                                                          • API String ID: 1803633139-0
                                                          • Opcode ID: 375e199de8660ccece12c72eed21f404e356b520747db73c6127e63f80a42fd2
                                                          • Instruction ID: ec3febacf030228bba34671a5a373aa86179f0c9a00f1e1343e4adce14cbcb36
                                                          • Opcode Fuzzy Hash: 375e199de8660ccece12c72eed21f404e356b520747db73c6127e63f80a42fd2
                                                          • Instruction Fuzzy Hash: 1311DD72504209BFCB10AFA5DC828DF7BA8EF44368B20446EF50193151EB39C9C18A68
                                                          APIs
                                                          • ImageList_Destroy.COMCTL32(?), ref: 004555E8
                                                          • DestroyWindow.USER32(?,?,?,?,?), ref: 00455640
                                                          • DeleteObject.GDI32(?), ref: 0045564E
                                                          • DeleteObject.GDI32(?), ref: 0045565C
                                                          • DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
                                                          • DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: Destroy$DeleteObjectWindow$IconImageList_
                                                          • String ID:
                                                          • API String ID: 3275902921-0
                                                          • Opcode ID: 9bb8e3ba902fb320eab333f0308ec6d2a7ed81620e332b79689394e938adb37d
                                                          • Instruction ID: 9e206caaed87a4944845468030bda76e3f946505fe2e652cce1cc100bc4c7c20
                                                          • Opcode Fuzzy Hash: 9bb8e3ba902fb320eab333f0308ec6d2a7ed81620e332b79689394e938adb37d
                                                          • Instruction Fuzzy Hash: BE2141702006409FCB25DF25C994A2B77A9FF44312F80856EED49CB352DB39EC4ACB59
                                                          APIs
                                                          • SendMessageW.USER32 ref: 004554DF
                                                          • SendMessageW.USER32(?,00001008,00000000,00000000), ref: 004554FA
                                                          • DeleteObject.GDI32(?), ref: 0045564E
                                                          • DeleteObject.GDI32(?), ref: 0045565C
                                                          • DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
                                                          • DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: DeleteDestroyMessageObjectSend$IconWindow
                                                          • String ID:
                                                          • API String ID: 3691411573-0
                                                          • Opcode ID: ffc9a8f4f75f6e2ff6fdc7cc9300f0c908ecc9e004d580c3573be367ed75df53
                                                          • Instruction ID: ead105b7aa3a144aa2df3f4c31681f961a0d6b706109639263d1a652a664e8ec
                                                          • Opcode Fuzzy Hash: ffc9a8f4f75f6e2ff6fdc7cc9300f0c908ecc9e004d580c3573be367ed75df53
                                                          • Instruction Fuzzy Hash: A5118F713046419BDB10DF68DD88A2A77A8FB58322F404A2AFE14DB2D1D775DC498B68
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: _wcslen$_wcstok$ExtentPoint32Text
                                                          • String ID:
                                                          • API String ID: 1814673581-0
                                                          • Opcode ID: cf50433860b5c5ee623566781d9083cc0ce59c581d7d4fe1355e753f7016059c
                                                          • Instruction ID: 25d714350c6a951fb861184d208c8546153e966ae5ec0a2422e5c8358eb53325
                                                          • Opcode Fuzzy Hash: cf50433860b5c5ee623566781d9083cc0ce59c581d7d4fe1355e753f7016059c
                                                          • Instruction Fuzzy Hash: F60125B19053126BC6209F95DC42B5BB7E8EF45760F11842AFD04E3340D7F8E84483EA
                                                          APIs
                                                          • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 00436287
                                                          • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 004362A7
                                                          • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 004362B2
                                                          • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 004362BA
                                                          • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 004362C5
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: PerformanceQuery$CounterSleep$Frequency
                                                          • String ID:
                                                          • API String ID: 2833360925-0
                                                          • Opcode ID: ce9720f61a9ee9538873cf1403cb39b7711a51cb3deac7b7aa4b9b4cf2db8b86
                                                          • Instruction ID: c21ea81f2c38402705b15ef58ab4919efdb6e4f3ef0ac894e378511a69de5cf2
                                                          • Opcode Fuzzy Hash: ce9720f61a9ee9538873cf1403cb39b7711a51cb3deac7b7aa4b9b4cf2db8b86
                                                          • Instruction Fuzzy Hash: C411D031909306ABC700EF19DA8499FB7E4FFCCB11F828D2DF98592210D734C9498B96
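The block above brackets Sleep calls with QueryPerformanceCounter/QueryPerformanceFrequency reads, which is the shape of a sleep-reduction check: if a sandbox hooks Sleep to return early, far less high-resolution time passes than was requested. The following is an added example of that technique, not code from the sample and not Joe Sandbox output. It uses time.perf_counter() in place of QueryPerformanceCounter/Frequency and time.sleep() in place of Sleep(); both are injectable so a hooked environment can be simulated offline, and the FakeSandboxTime class is a constructed, hypothetical stand-in rather than a model of any particular sandbox. It also goes one step beyond the single-clock sequence in the listing by cross-checking two independent clocks, which catches a hook that skips the sleep but warps only one time source.

```python
"""
Sleep-acceleration check modelled on a QPC -> Sleep -> QPC sequence.
Added example; time.perf_counter()/time.monotonic() stand in for
QueryPerformanceCounter/QueryPerformanceFrequency and time.sleep() for Sleep().
"""
import time
from typing import Callable

Clock = Callable[[], float]         # returns seconds on a monotonic clock
Sleeper = Callable[[float], None]   # sleeps for the given number of seconds


def timed_sleep_ms(ms: int, sleep: Sleeper, clock: Clock) -> float:
    """Bracket one sleep with two clock reads; return elapsed milliseconds.
    On Windows this is QPC -> Sleep(ms) -> QPC, scaled by QPF."""
    t0 = clock()
    sleep(ms / 1000.0)
    return (clock() - t0) * 1000.0


def sleep_looks_accelerated(ms: int, sleep: Sleeper, clock: Clock,
                            min_fraction: float = 0.5) -> bool:
    """True if noticeably less wall time passed than was requested.
    min_fraction leaves headroom for scheduler jitter; a hook that returns
    from Sleep immediately yields an elapsed time near zero and is caught."""
    return timed_sleep_ms(ms, sleep, clock) < ms * min_fraction


def clocks_disagree(ms: int, sleep: Sleeper, clock_a: Clock, clock_b: Clock,
                    tolerance_ms: float = 10.0) -> bool:
    """Cross-check two clocks across one sleep. A sandbox that skips the
    sleep and warps only one time source forward leaves the other behind."""
    a0, b0 = clock_a(), clock_b()
    sleep(ms / 1000.0)
    a_ms = (clock_a() - a0) * 1000.0
    b_ms = (clock_b() - b0) * 1000.0
    return abs(a_ms - b_ms) > tolerance_ms


class FakeSandboxTime:
    """Constructed, hypothetical stand-in for an analysis environment that
    hooks Sleep. Real sandboxes differ in exactly what they patch."""

    def __init__(self) -> None:
        self.now = 0.0          # seconds on the fake high-resolution clock

    def clock(self) -> float:
        return self.now

    def skip_sleep(self, seconds: float) -> None:
        # Hook that returns immediately and leaves the clock alone.
        pass

    def skip_and_warp(self, seconds: float) -> None:
        # Hook that returns immediately but advances the hooked clock, so a
        # single-clock check cannot tell the difference from a real sleep.
        self.now += seconds


if __name__ == "__main__":
    fake = FakeSandboxTime()
    print("real sleep flagged?          ",
          sleep_looks_accelerated(30, time.sleep, time.perf_counter))
    print("skipped sleep flagged?       ",
          sleep_looks_accelerated(30, fake.skip_sleep, fake.clock))
    print("skip+warp flagged, one clock?",
          sleep_looks_accelerated(30, fake.skip_and_warp, fake.clock))
    print("skip+warp flagged, two clocks?",
          clocks_disagree(30, fake.skip_and_warp, fake.clock, time.monotonic))
```

The single-clock check is what the listed API sequence can express; the two-clock variant shows why analysis environments that shorten sleeps typically have to keep every user-visible time source consistent, and why a defender reading this block should expect the sample to compare more than one of them.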
                                                          APIs
                                                            • Part of subcall function 0044710F: DeleteObject.GDI32(00000000), ref: 00447151
                                                            • Part of subcall function 0044710F: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,00000000,?,?,?), ref: 00447195
                                                            • Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471A2
                                                            • Part of subcall function 0044710F: BeginPath.GDI32(?), ref: 004471B7
                                                            • Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471DC
                                                          • MoveToEx.GDI32(?,?,?,00000000), ref: 0044721F
                                                          • LineTo.GDI32(?,?,?), ref: 00447227
                                                          • MoveToEx.GDI32(?,?,?,00000000), ref: 00447235
                                                          • LineTo.GDI32(?,?,?), ref: 0044723D
                                                          • EndPath.GDI32(?), ref: 0044724E
                                                          • StrokePath.GDI32(?), ref: 0044725C
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: ObjectPath$LineMoveSelect$BeginCreateDeleteStroke
                                                          • String ID:
                                                          • API String ID: 372113273-0
                                                          • Opcode ID: 902a14e142be2de25a3bb197ce65ea465fb84dbb313772e519df98722d37df37
                                                          • Instruction ID: cf4011081099dc8586e946db52605055ec0608de7db987eb6b7af15cf0be2a5d
                                                          • Opcode Fuzzy Hash: 902a14e142be2de25a3bb197ce65ea465fb84dbb313772e519df98722d37df37
                                                          • Instruction Fuzzy Hash: B7018F36105264BBE2119750EC4AF9FBBACEF8A710F14451DF70156191C7F42A0587BD
                                                          APIs
                                                          • MapVirtualKeyW.USER32(0000005B,00000000), ref: 0041098F
                                                          • MapVirtualKeyW.USER32(00000010,00000000), ref: 00410997
                                                          • MapVirtualKeyW.USER32(000000A0,00000000), ref: 004109A2
                                                          • MapVirtualKeyW.USER32(000000A1,00000000), ref: 004109AD
                                                          • MapVirtualKeyW.USER32(00000011,00000000), ref: 004109B5
                                                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 004109BD
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: Virtual
                                                          • String ID:
                                                          • API String ID: 4278518827-0
                                                          • Opcode ID: 067efc0be0420d5e011611900d1cbcbd564411b72165316cb005851f0732894c
                                                          • Instruction ID: 14dd698fb88c41d3cb2937c08abaa7ad6cdafd80764dd657d9f2199fb51feb0a
                                                          • Opcode Fuzzy Hash: 067efc0be0420d5e011611900d1cbcbd564411b72165316cb005851f0732894c
                                                          • Instruction Fuzzy Hash: 52112A6118ABC4ADD3329F694854A87FFE45FB6304F484A8ED1D607A43C195A60CCBBA
                                                          APIs
                                                          • GetDC.USER32(00000000), ref: 0044CBEF
                                                          • GetDeviceCaps.GDI32(00000000,00000058), ref: 0044CC00
                                                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0044CC09
                                                          • ReleaseDC.USER32(00000000,00000000), ref: 0044CC10
                                                          • MulDiv.KERNEL32(000009EC,?,?), ref: 0044CC29
                                                          • MulDiv.KERNEL32(000009EC,?,00000000), ref: 0044CC37
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: CapsDevice$Release
                                                          • String ID:
                                                          • API String ID: 1035833867-0
                                                          • Opcode ID: ae25b50e6df40ac1760f249dbc4ceec79d7598f555d49c24eefaf783d5b8ff63
                                                          • Instruction ID: 50bf861fd692b93b916a63282857a41227f0dfa19545bc4f0a59f576ae553c11
                                                          • Opcode Fuzzy Hash: ae25b50e6df40ac1760f249dbc4ceec79d7598f555d49c24eefaf783d5b8ff63
                                                          • Instruction Fuzzy Hash: 560184B1641314BFF6009BA1DC4AF1BBB9CEF55755F01842EFF44A7241D6B098008BA9
                                                          APIs
                                                          • InterlockedExchange.KERNEL32(0042A369,057401F8), ref: 0044B66E
                                                          • EnterCriticalSection.KERNEL32(0042A321), ref: 0044B67B
                                                          • TerminateThread.KERNEL32(?,000001F6), ref: 0044B689
                                                          • WaitForSingleObject.KERNEL32(?,000003E8,?,000001F6), ref: 0044B697
                                                            • Part of subcall function 004356CD: CloseHandle.KERNEL32(00000000,0042A365,0044B6A3,0042A365,?,000003E8,?,000001F6), ref: 004356D9
                                                          • InterlockedExchange.KERNEL32(0042A369,000001F6), ref: 0044B6AC
                                                          • LeaveCriticalSection.KERNEL32(0042A321), ref: 0044B6AF
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                          • String ID:
                                                          • API String ID: 3495660284-0
                                                          • Opcode ID: 7ab0c325316775d38e8d9aa2ca09049d0c02a968ddf60f226b23d446a35990e5
                                                          • Instruction ID: 3e278a896620ffa5fdfd5bcc44ba61fc9bc9ab212b345b13b81bb6ec37c91fca
                                                          • Opcode Fuzzy Hash: 7ab0c325316775d38e8d9aa2ca09049d0c02a968ddf60f226b23d446a35990e5
                                                          • Instruction Fuzzy Hash: E3F0F672141206BBD210AB24EE89DBFB37CFF44315F41096AF60142550CB75F811CBBA
                                                          APIs
                                                          • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00437127
                                                          • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00437140
                                                          • GetWindowThreadProcessId.USER32(?,?), ref: 00437150
                                                          • OpenProcess.KERNEL32(001F0FFF,00000000,?), ref: 00437162
                                                          • TerminateProcess.KERNEL32(00000000,00000000), ref: 0043716D
                                                          • CloseHandle.KERNEL32(00000000), ref: 00437174
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                          • String ID:
                                                          • API String ID: 839392675-0
                                                          • Opcode ID: 9671eea5464782d863345c1ba519a7d6af1158a8c6613e6f42f5b6706bbe0782
                                                          • Instruction ID: 38550948ec006cf47bed7574f40cc63f5aae242ba43c895826076912260f23cd
                                                          • Opcode Fuzzy Hash: 9671eea5464782d863345c1ba519a7d6af1158a8c6613e6f42f5b6706bbe0782
                                                          • Instruction Fuzzy Hash: 37F054352813117BE6215B109E4EFEF37A8AF49F02F104828FB41B51D0E7E469458BAE
                                                          APIs
                                                          • OpenSCManagerW.ADVAPI32(00000000,00000000,00000008,004A8E80,BC000000,00431B28,C:\Users\user\Desktop\CdbVaYf8jC.exe,00000004), ref: 00436055
                                                          • LockServiceDatabase.ADVAPI32(00000000), ref: 00436062
                                                          • UnlockServiceDatabase.ADVAPI32(00000000), ref: 0043606D
                                                          • CloseServiceHandle.ADVAPI32(00000000), ref: 00436076
                                                          • GetLastError.KERNEL32 ref: 00436081
                                                          • CloseServiceHandle.ADVAPI32(00000000), ref: 00436091
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: Service$CloseDatabaseHandle$ErrorLastLockManagerOpenUnlock
                                                          • String ID:
                                                          • API String ID: 1690418490-0
                                                          • Opcode ID: 49e5e78db470eb3b31ed20f2670ed0ea18d225c835d46e40371f5509899a8be7
                                                          • Instruction ID: 156e5f382d75df54ba3c5c30185d6bb62b1a9e6e0194ec4ef6b9e4a62dbea0b3
                                                          • Opcode Fuzzy Hash: 49e5e78db470eb3b31ed20f2670ed0ea18d225c835d46e40371f5509899a8be7
                                                          • Instruction Fuzzy Hash: 9BE0E5319821216BC6231B30AE4DBCF3B99DB1F311F041827F701D2250CB998404DBA8
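The three function blocks above (the thread-kill sequence around 0044B689, the window-close-then-terminate sequence at 00437127..00437174, and the service-manager sequence at 00436055..00436091) are the kind of API listing an analyst scans by hand for behaviour rather than for individual calls. In the second block the constant 00000010 passed to PostMessageW and SendMessageTimeoutW is WM_CLOSE, and 001F0FFF passed to OpenProcess is PROCESS_ALL_ACCESS, so the sequence GetWindowThreadProcessId, OpenProcess, TerminateProcess kills whatever process owns a window. In the third block OpenSCManagerW is opened with access 00000008 (SC_MANAGER_LOCK) and immediately followed by LockServiceDatabase; locking the service database requires administrative rights, so the success or failure of that call is a common is-administrator probe. The following script is an added example, not part of the Joe Sandbox report: it parses bullet lines in the report's "APIs" format and tags those sequences. The sample blocks embedded in it are copied from the listings above; the tag names and the rule set are this example's own.

```python
"""Triage helper for Joe Sandbox per-function 'APIs' listings.

Added example, not part of the report: parses the bullet lines the report prints
for each function and tags behaviours an analyst would otherwise flag by hand.
"""
import re
from dataclasses import dataclass

# One bullet line: optional "Part of subcall function XXXXXXXX:" prefix, then
# Name.MODULE(args), ref: ADDR.  Calls without arguments (GetLastError.KERNEL32
# ref: ...) carry neither parentheses nor the comma.
API_RE = re.compile(
    r"•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

WM_CLOSE = 0x0010              # message id (argument 1) of PostMessageW / SendMessageTimeoutW
PROCESS_ALL_ACCESS = 0x1F0FFF  # dwDesiredAccess (argument 0) of OpenProcess
SC_MANAGER_LOCK = 0x0008       # dwDesiredAccess (argument 2) of OpenSCManagerW


@dataclass
class ApiCall:
    name: str
    module: str
    args: list     # raw argument strings; "?" means the sandbox could not resolve the value
    ref: int       # call-site address
    subcall: bool  # True for "Part of subcall function" lines


def parse_calls(block: str) -> list:
    """Parse every API bullet in a block; other bullets (Source File, API ID, ...) are skipped."""
    calls = []
    for line in block.splitlines():
        m = API_RE.search(line)
        if not m:
            continue
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        calls.append(ApiCall(m["name"], m["module"].upper(), args, int(m["ref"], 16), bool(m["sub"])))
    return calls


def arg_value(call: ApiCall, idx: int):
    """Argument idx as an int, or None when it is missing or unresolved ("?", a path, ...)."""
    if idx >= len(call.args):
        return None
    try:
        return int(call.args[idx], 16)
    except ValueError:
        return None


def triage(block: str) -> list:
    """Return behaviour tags of the form name@callsite for one function's API block."""
    calls = parse_calls(block)
    names = [c.name for c in calls]
    tags = []
    for c in calls:
        if c.name in ("PostMessageW", "SendMessageTimeoutW") and arg_value(c, 1) == WM_CLOSE:
            tags.append(f"wm_close_to_window@{c.ref:08X}")
        if c.name == "OpenProcess" and arg_value(c, 0) == PROCESS_ALL_ACCESS:
            tags.append(f"openprocess_all_access@{c.ref:08X}")
    # hwnd -> pid -> OpenProcess -> TerminateProcess, in that order: forced kill of the window owner.
    seq = ("GetWindowThreadProcessId", "OpenProcess", "TerminateProcess")
    if all(n in names for n in seq):
        order = [names.index(n) for n in seq]
        if order == sorted(order):
            tags.append(f"kill_process_by_window@{calls[order[-1]].ref:08X}")
    # OpenSCManagerW(SC_MANAGER_LOCK) then LockServiceDatabase: succeeds only for administrators.
    for i, c in enumerate(calls):
        if (c.name == "OpenSCManagerW" and arg_value(c, 2) == SC_MANAGER_LOCK
                and any(d.name == "LockServiceDatabase" for d in calls[i + 1:])):
            tags.append(f"scm_lock_admin_check@{c.ref:08X}")
    for c in calls:
        if c.name == "TerminateThread":
            tags.append(f"terminate_thread@{c.ref:08X}")
    return tags


# Sample input (copied from the report's listings; raw strings because of the Windows path).
WINKILL_BLOCK = r"""
• PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00437127
• SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00437140
• GetWindowThreadProcessId.USER32(?,?), ref: 00437150
• OpenProcess.KERNEL32(001F0FFF,00000000,?), ref: 00437162
• TerminateProcess.KERNEL32(00000000,00000000), ref: 0043716D
• CloseHandle.KERNEL32(00000000), ref: 00437174
"""
ISADMIN_BLOCK = r"""
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000008,004A8E80,BC000000,00431B28,C:\Users\user\Desktop\CdbVaYf8jC.exe,00000004), ref: 00436055
• LockServiceDatabase.ADVAPI32(00000000), ref: 00436062
• UnlockServiceDatabase.ADVAPI32(00000000), ref: 0043606D
• CloseServiceHandle.ADVAPI32(00000000), ref: 00436076
• GetLastError.KERNEL32 ref: 00436081
• CloseServiceHandle.ADVAPI32(00000000), ref: 00436091
"""
THREADKILL_BLOCK = r"""
• InterlockedExchange.KERNEL32(0042A369,057401F8), ref: 0044B66E
• EnterCriticalSection.KERNEL32(0042A321), ref: 0044B67B
• TerminateThread.KERNEL32(?,000001F6), ref: 0044B689
• WaitForSingleObject.KERNEL32(?,000003E8,?,000001F6), ref: 0044B697
  • Part of subcall function 004356CD: CloseHandle.KERNEL32(00000000,0042A365,0044B6A3,0042A365,?,000003E8,?,000001F6), ref: 004356D9
• InterlockedExchange.KERNEL32(0042A369,000001F6), ref: 0044B6AC
• LeaveCriticalSection.KERNEL32(0042A321), ref: 0044B6AF
"""

if __name__ == "__main__":
    for label, block in (("winkill", WINKILL_BLOCK), ("isadmin", ISADMIN_BLOCK), ("threadkill", THREADKILL_BLOCK)):
        print(label, triage(block))
```

The tags carry the call-site address so a finding can be taken straight back to the function in IDA. Arguments the sandbox could not resolve are printed as "?" in the report and come back as None from arg_value, so a rule keyed on a constant never fires on an unknown value; the sequence rules deliberately check call order, because the same APIs appearing in a different order (for example OpenProcess before GetWindowThreadProcessId) would not be the window-kill idiom.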
                                                          APIs
                                                            • Part of subcall function 00442C52: _wcslen.LIBCMT ref: 00442C82
                                                          • CoInitialize.OLE32(00000000), ref: 00475B71
                                                          • CoCreateInstance.OLE32(00482A50,00000000,00000001,004828B0,?), ref: 00475B8A
                                                          • CoUninitialize.OLE32 ref: 00475D71
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: CreateInitializeInstanceUninitialize_wcslen
                                                          • String ID: .lnk$HH
                                                          • API String ID: 886957087-3121654589
                                                          • Opcode ID: 75a96ccae25093af7e6917375c938c281093df7f6cda4de25b1c017a61ab28fd
                                                          • Instruction ID: f4d7caca580305710a2a5ca379fd8543151c5613ecc12b631d1ff665410dc3a0
                                                          • Opcode Fuzzy Hash: 75a96ccae25093af7e6917375c938c281093df7f6cda4de25b1c017a61ab28fd
                                                          • Instruction Fuzzy Hash: B0819D75604300AFD310EF65CC82F5AB3A9EF88704F50892DF658AF2D2D6B5E905CB99
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: Menu$Delete$InfoItem_memset
                                                          • String ID: 0
                                                          • API String ID: 1173514356-4108050209
                                                          • Opcode ID: e31d5a25326cfad936127cde49464cb56a2d17833d4ec3f4ad79405d5b41ed43
                                                          • Instruction ID: b3a4179b3c174fb1a3aa0d908437eb3f68f1f523a6631853a4ee88e897a1c7ed
                                                          • Opcode Fuzzy Hash: e31d5a25326cfad936127cde49464cb56a2d17833d4ec3f4ad79405d5b41ed43
                                                          • Instruction Fuzzy Hash: 31418CB55043019BD710CF19C884B5BBBE5AFC5324F148A6EFCA49B282C375E809CBA6
                                                          APIs
                                                            • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                                                          • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00469368
                                                          • SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00469379
                                                          • SendMessageW.USER32(?,?,00000000,00000000), ref: 004693AB
                                                            • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$_wcslen
                                                          • String ID: ComboBox$ListBox
                                                          • API String ID: 763830540-1403004172
                                                          • Opcode ID: 61f9ca9c5a419efdf5b0fec418701a37d71c48c53c791e94f016d44e45ec48a7
                                                          • Instruction ID: 8c71ebf423f389569590ff88e643f185c263fd61562863516bde62979c95be4e
                                                          • Opcode Fuzzy Hash: 61f9ca9c5a419efdf5b0fec418701a37d71c48c53c791e94f016d44e45ec48a7
                                                          • Instruction Fuzzy Hash: E0210C7160020067C210BB3A9C46FAF77989B85364F09052FF959AB3D1EA7CE94A436E
                                                          APIs
                                                          • GetStdHandle.KERNEL32(?), ref: 004439B4
                                                            • Part of subcall function 0043569D: GetCurrentProcess.KERNEL32(0000002C,00000000,00000000,00000002,74DF2EE0,00000000,004437E2,?,0000002C,00000000,?,?,?), ref: 004356BD
                                                            • Part of subcall function 0043569D: GetCurrentProcess.KERNEL32(?,00000000,?,?,?), ref: 004356C1
                                                            • Part of subcall function 0043569D: DuplicateHandle.KERNEL32(00000000,?,?,?), ref: 004356C4
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: CurrentHandleProcess$Duplicate
                                                          • String ID: nul
                                                          • API String ID: 2124370227-2873401336
                                                          • Opcode ID: 1f0ba76bcec97c73efa3faab39b1dec00fe260a428cb25b20c1b65e4e3d5eb1c
                                                          • Instruction ID: e5202fea31d744cc2812a948a395a4146b23d8233fafbd02014e3d546f800e0b
                                                          • Opcode Fuzzy Hash: 1f0ba76bcec97c73efa3faab39b1dec00fe260a428cb25b20c1b65e4e3d5eb1c
                                                          • Instruction Fuzzy Hash: 8921A070104301ABE320DF28D886B9B77E4AF94B24F504E1EF9D4972D1E3B5DA54CBA6
                                                          APIs
                                                          • GetStdHandle.KERNEL32(000000F6), ref: 004438B7
                                                            • Part of subcall function 0043569D: GetCurrentProcess.KERNEL32(0000002C,00000000,00000000,00000002,74DF2EE0,00000000,004437E2,?,0000002C,00000000,?,?,?), ref: 004356BD
                                                            • Part of subcall function 0043569D: GetCurrentProcess.KERNEL32(?,00000000,?,?,?), ref: 004356C1
                                                            • Part of subcall function 0043569D: DuplicateHandle.KERNEL32(00000000,?,?,?), ref: 004356C4
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: CurrentHandleProcess$Duplicate
                                                          • String ID: nul
                                                          • API String ID: 2124370227-2873401336
                                                          • Opcode ID: 1c1504a6ed80816e8cc684f5e798812a6452e5ed6eae5ac994518d836d8835bd
                                                          • Instruction ID: 183321404fa0000a7fb955016a75d3ae5bd0bbc3c7f5d4043dd6f74a8503dfc6
                                                          • Opcode Fuzzy Hash: 1c1504a6ed80816e8cc684f5e798812a6452e5ed6eae5ac994518d836d8835bd
                                                          • Instruction Fuzzy Hash: 4E2182701002019BE210DF28DC45F9BB7E4AF54B34F204A1EF9E4962D0E7759654CB56
                                                          APIs
                                                          • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00441333
                                                          • LoadLibraryW.KERNEL32(?,?,?,?,0047B4D0,?,?,?,?,?,?,?,?,?,00000000), ref: 0044133A
                                                          • SendMessageW.USER32(?,00000467,00000000,?), ref: 00441352
                                                          • DestroyWindow.USER32(00000000,?,00000467,00000000,?,?,?,?,0047B4D0,?,?,?,?,?,?), ref: 0044135B
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$DestroyLibraryLoadWindow
                                                          • String ID: SysAnimate32
                                                          • API String ID: 3529120543-1011021900
                                                          • Opcode ID: 7eb070968e116bc4f0d30e0eba70c7f8d943bdaa5f5f9b6b4db71aa758301bcd
                                                          • Instruction ID: 28effd0bdeb99d0e0a50349a2d6ccdc4655b9339127a2247ff1827a793b197f6
                                                          • Opcode Fuzzy Hash: 7eb070968e116bc4f0d30e0eba70c7f8d943bdaa5f5f9b6b4db71aa758301bcd
                                                          • Instruction Fuzzy Hash: D0216271204301ABF7209AA5DC84F6B73ECEBD9724F104A1EF651D72E0D6B4DC818729
                                                          APIs
                                                          • PeekMessageW.USER32(00000000,00000000,00000000,00000000,00000001), ref: 0044304E
                                                          • TranslateMessage.USER32(?), ref: 0044308B
                                                          • DispatchMessageW.USER32(?), ref: 00443096
                                                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 004430AD
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: Message$Peek$DispatchTranslate
                                                          • String ID: *.*
                                                          • API String ID: 1795658109-438819550
                                                          • Opcode ID: a5394e60fa5dc12563cec3cf09e66162f870e5be06c650d2d1f2ad27f88770fd
                                                          • Instruction ID: a39ada88e739a490af96418dc0f35d82e94fc94c1e76e22fe960a83301852fb1
                                                          • Opcode Fuzzy Hash: a5394e60fa5dc12563cec3cf09e66162f870e5be06c650d2d1f2ad27f88770fd
                                                          • Instruction Fuzzy Hash: 9F2138715183419EF720DF289C80FA3B7949B60B05F008ABFF66492191E6B99608C76E
                                                          APIs
                                                            • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                                                            • Part of subcall function 004389A1: SendMessageTimeoutW.USER32(00000001,00000000,00000000,00000000,00000002,00001388,004848E8), ref: 004389C0
                                                            • Part of subcall function 004389A1: GetWindowThreadProcessId.USER32(00000001,00000000), ref: 004389D3
                                                            • Part of subcall function 004389A1: GetCurrentThreadId.KERNEL32 ref: 004389DA
                                                            • Part of subcall function 004389A1: AttachThreadInput.USER32(00000000), ref: 004389E1
                                                          • GetFocus.USER32 ref: 004609EF
                                                            • Part of subcall function 004389EB: GetParent.USER32(?), ref: 004389F7
                                                            • Part of subcall function 004389EB: GetParent.USER32(?), ref: 00438A04
                                                          • GetClassNameW.USER32(?,?,00000100), ref: 00460A37
                                                          • EnumChildWindows.USER32(?,00445A31,?), ref: 00460A60
                                                          • __swprintf.LIBCMT ref: 00460A7A
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: Thread$Parent$AttachChildClassCurrentEnumFocusInputMessageNameProcessSendTimeoutWindowWindows__swprintf_wcslen
                                                          • String ID: %s%d
                                                          • API String ID: 991886796-1110647743
                                                          • Opcode ID: 4a64ff5b06e5e341b473abb9bc2bdd7182ed8da111ba9effa567358a3114916c
                                                          • Instruction ID: 20a4aa43144560c0524e92d1094e5dcb4402c89d1d481f65a72662ac57dae138
                                                          • Opcode Fuzzy Hash: 4a64ff5b06e5e341b473abb9bc2bdd7182ed8da111ba9effa567358a3114916c
                                                          • Instruction Fuzzy Hash: 7521A4712403046BD610FB65DC8AFEFB7ACAF98704F00481FF559A7181EAB8A509877A
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: _memset$_sprintf
                                                          • String ID: %02X
                                                          • API String ID: 891462717-436463671
                                                          • Opcode ID: 3d61b25fa3990800e5a694d7793c27d494b4b6e65897825e99c1223689708875
                                                          • Instruction ID: c3235ccac5cd273424cb9b73a8b9e0f10e05fa8943de770f4571b5c3e9b76774
                                                          • Opcode Fuzzy Hash: 3d61b25fa3990800e5a694d7793c27d494b4b6e65897825e99c1223689708875
                                                          • Instruction Fuzzy Hash: 5B11E97225021167D314FA698C93BEE724CAB45704F50453FF541A75C1EF6CB558839E
                                                          APIs
                                                          • _memset.LIBCMT ref: 0042CD00
                                                          • GetOpenFileNameW.COMDLG32 ref: 0042CD51
                                                            • Part of subcall function 0040FFB0: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\Desktop\CdbVaYf8jC.exe,?,C:\Users\user\Desktop\CdbVaYf8jC.exe,004A8E80,C:\Users\user\Desktop\CdbVaYf8jC.exe,0040F3D2), ref: 0040FFCA
                                                            • Part of subcall function 00410130: SHGetMalloc.SHELL32(00000000), ref: 0041013A
                                                            • Part of subcall function 00410130: SHGetDesktopFolder.SHELL32(?,004A8E80), ref: 00410150
                                                            • Part of subcall function 00410130: _wcscpy.LIBCMT ref: 00410160
                                                            • Part of subcall function 00410130: SHGetPathFromIDListW.SHELL32(?,?), ref: 00410197
                                                            • Part of subcall function 00410130: _wcscpy.LIBCMT ref: 004101AC
                                                            • Part of subcall function 00410020: GetFullPathNameW.KERNEL32(?,00000104,?,?,?), ref: 00410037
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: NamePath$Full_wcscpy$DesktopFileFolderFromListMallocOpen_memset
                                                          • String ID: $OH$@OH$X
                                                          • API String ID: 3491138722-1394974532
                                                          • Opcode ID: b307b7495d9e484b77ad3edce91dc90ef7c994e26f1a80758083a935cdf7c966
                                                          • Instruction ID: e3e81f3fa603e1d093c5df9e9287f390c0398a0e5563e0e16fb911f44c5f658a
                                                          • Opcode Fuzzy Hash: b307b7495d9e484b77ad3edce91dc90ef7c994e26f1a80758083a935cdf7c966
                                                          • Instruction Fuzzy Hash: 2111C2B02043405BC311EF19984175FBBE9AFD5308F14882EF68497292D7FD854DCB9A
                                                          APIs
                                                          • LoadLibraryW.KERNEL32(00000000), ref: 00463DD1
                                                          • GetProcAddress.KERNEL32(?,?), ref: 00463E68
                                                          • GetProcAddress.KERNEL32(?,00000000), ref: 00463E84
                                                          • GetProcAddress.KERNEL32(?,?), ref: 00463ECE
                                                          • FreeLibrary.KERNEL32(?,?,?,00000000,?), ref: 00463EF0
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: AddressProc$Library$FreeLoad
                                                          • String ID:
                                                          • API String ID: 2449869053-0
                                                          • Opcode ID: fa0419033c450d646a7a4ef883371915f5dff59722895d189eba4af2447b2958
                                                          • Instruction ID: 5a5949aabc30296464acd143044f95cbdcafad8a77d2d24e7d672d776762960f
                                                          • Opcode Fuzzy Hash: fa0419033c450d646a7a4ef883371915f5dff59722895d189eba4af2447b2958
                                                          • Instruction Fuzzy Hash: 9051C1752043409FC300EF25C881A5BB7A4FF89305F00456EF945A73A2DB79EE45CBAA
                                                          APIs
                                                          • GetKeyboardState.USER32(?,?,00000001,00000001,?,00000000), ref: 0044C3DA
                                                          • SetKeyboardState.USER32(00000080), ref: 0044C3ED
                                                          • PostMessageW.USER32(00000000,00000105,?,?), ref: 0044C441
                                                          • PostMessageW.USER32(00000000,00000101,?,?), ref: 0044C465
                                                          • SendInput.USER32 ref: 0044C509
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: KeyboardMessagePostState$InputSend
                                                          • String ID:
                                                          • API String ID: 3031425849-0
                                                          • Opcode ID: b49b686b41cf8e4dc8898cf8a112ca1a8544ab09a95107e5a7613c5accf95fc9
                                                          • Instruction ID: f46f63d78903415e516a46676784f6fcea1caa301ceb581e17347d916cd8316d
                                                          • Opcode Fuzzy Hash: b49b686b41cf8e4dc8898cf8a112ca1a8544ab09a95107e5a7613c5accf95fc9
                                                          • Instruction Fuzzy Hash: DB413B715462446FF760AB24D944BBFBB94AF99324F04061FF9D4122C2D37D9908C77A
                                                          APIs
                                                          • RegEnumKeyExW.ADVAPI32 ref: 004422F0
                                                          • RegOpenKeyExW.ADVAPI32(?,00000000,00000000,?,?), ref: 0044232B
                                                          • RegCloseKey.ADVAPI32(00000000), ref: 0044234E
                                                          • RegDeleteKeyW.ADVAPI32(?,?), ref: 00442390
                                                          • RegEnumKeyExW.ADVAPI32(?,00000000), ref: 004423C0
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: Enum$CloseDeleteOpen
                                                          • String ID:
                                                          • API String ID: 2095303065-0
                                                          • Opcode ID: 367b6e42355be36f427f5e4c5f923650598af64a8eac08207e4f2af605b886a1
                                                          • Instruction ID: 24d8057b763805d248a02a33893b377b1579bd56aab3fff97e90bb3d062a49ad
                                                          • Opcode Fuzzy Hash: 367b6e42355be36f427f5e4c5f923650598af64a8eac08207e4f2af605b886a1
                                                          • Instruction Fuzzy Hash: 0C3150721043056EE210DF94DD84FBF73ECEBC9314F44492EBA9596141D7B8E9098B6A
                                                          APIs
                                                          • GetPrivateProfileSectionW.KERNEL32(00000000,?,?,00007FFF), ref: 0045C2F4
                                                          • GetPrivateProfileSectionW.KERNEL32(00000000,00000003,?,00000003), ref: 0045C31B
                                                          • WritePrivateProfileSectionW.KERNEL32(00000000,00000003,?), ref: 0045C363
                                                          • WritePrivateProfileStringW.KERNEL32(00000000,?,00000000,00000000), ref: 0045C385
                                                          • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0045C392
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: PrivateProfile$SectionWrite$String
                                                          • String ID:
                                                          • API String ID: 2832842796-0
                                                          • Opcode ID: c76cc1094b5fb1fc43fcb7877a7661b5ae667b5fa7796de5023eb6f45200691f
                                                          • Instruction ID: eb365ed5c03c4bb3a44f9ddbc5128f2f56e5f8affd5b6ace934fe40af23b551f
                                                          • Opcode Fuzzy Hash: c76cc1094b5fb1fc43fcb7877a7661b5ae667b5fa7796de5023eb6f45200691f
                                                          • Instruction Fuzzy Hash: 00318675240305ABD610DFA1DC85F9BB3A8AF84705F00891DF94497292D7B9E889CB94
                                                          APIs
                                                          • GetClientRect.USER32(?,?), ref: 00447997
                                                          • GetCursorPos.USER32(?), ref: 004479A2
                                                          • ScreenToClient.USER32(?,?), ref: 004479BE
                                                          • WindowFromPoint.USER32(?,?), ref: 004479FF
                                                          • DefDlgProcW.USER32(?,00000020,?,?), ref: 00447A78
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: Client$CursorFromPointProcRectScreenWindow
                                                          • String ID:
                                                          • API String ID: 1822080540-0
                                                          • Opcode ID: c356f0f93048ebf3c0a873f2be17aa192b5fb9472fb724aa4a6a449873fe30ba
                                                          • Instruction ID: e9c1e18ea4fcc9a2ad4b32cd349e8b57ec7287094a91df3c43d19f1875151664
                                                          • Opcode Fuzzy Hash: c356f0f93048ebf3c0a873f2be17aa192b5fb9472fb724aa4a6a449873fe30ba
                                                          • Instruction Fuzzy Hash: DE3188742082029BD710CF19D88596FB7A9EBC8714F144A1EF88097291D778EA57CBAA
                                                          APIs
                                                          • GetWindowRect.USER32(?,?), ref: 00447C1B
                                                          • ScreenToClient.USER32(?,?), ref: 00447C39
                                                          • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00447C4C
                                                          • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00447C93
                                                          • EndPaint.USER32(?,?), ref: 00447CD1
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: ClientPaintRectRectangleScreenViewportWindow
                                                          • String ID:
                                                          • API String ID: 659298297-0
                                                          • Opcode ID: a6d698a2242c6caf7091173c4181dadfabb51550506680b35635a03376f271bc
                                                          • Instruction ID: 653bb342b0117225c29b14224c0e663a7b864e912777eddc33bb147bcfad3e12
                                                          • Opcode Fuzzy Hash: a6d698a2242c6caf7091173c4181dadfabb51550506680b35635a03376f271bc
                                                          • Instruction Fuzzy Hash: 8A3150706043019FE320CF15D9C8F7B7BE8EB89724F044A6EF994873A1D774A8468B69
                                                          APIs
                                                          • GetCursorPos.USER32(?), ref: 004478A7
                                                          • TrackPopupMenuEx.USER32(00000000,00000000,?,?,?,00000000), ref: 004478C3
                                                          • DefDlgProcW.USER32(?,0000007B,?,?,004A83D8,?,004A83D8,?), ref: 004478E7
                                                          • GetCursorPos.USER32(?), ref: 00447935
                                                          • TrackPopupMenuEx.USER32(00000000,00000000,?,?,?,00000000), ref: 0044795B
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: CursorMenuPopupTrack$Proc
                                                          • String ID:
                                                          • API String ID: 1300944170-0
                                                          • Opcode ID: 00aabaf84d80e4f8c92fc7d2a6c816b999107077810d41e1d32a7af9c3da8c6b
                                                          • Instruction ID: 600148c7f6f0e64f7aba5c2d0a58757112576a5c49d56a392ea253be37485a5b
                                                          • Opcode Fuzzy Hash: 00aabaf84d80e4f8c92fc7d2a6c816b999107077810d41e1d32a7af9c3da8c6b
                                                          • Instruction Fuzzy Hash: 2B31E475244204ABE214DB48DC48FABB7A5FBC9711F14491EF64483390D7B96C4BC779
                                                          APIs
                                                          • GetWindowRect.USER32(?,?), ref: 00438ECC
                                                          • PostMessageW.USER32(00000001,?,00000001,?), ref: 00438F7C
                                                          • Sleep.KERNEL32(00000000), ref: 00438F84
                                                          • PostMessageW.USER32(?,00000202,00000000,?), ref: 00438F95
                                                          • Sleep.KERNEL32(00000000,?,00000202,00000000,?), ref: 00438F9D
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: MessagePostSleep$RectWindow
                                                          • String ID:
                                                          • API String ID: 3382505437-0
                                                          • Opcode ID: 2ab6e8217c4101ef9f031d568675ad0bf41e28325206932565347c4090b4e9a4
                                                          • Instruction ID: 0163f4fbfa3540aa74b75641586733f0f0ecdd6424bf32d6baecdffd05b1cde8
                                                          • Opcode Fuzzy Hash: 2ab6e8217c4101ef9f031d568675ad0bf41e28325206932565347c4090b4e9a4
                                                          • Instruction Fuzzy Hash: 9B31C032104305AFD300CF68CA88A6BB7E5EBC8314F555A2DF9A497291DB74EC06CB56
                                                          APIs
                                                          • EnableWindow.USER32(004A83D8,00000000), ref: 00448BAB
                                                          • EnableWindow.USER32(004A83D8,00000001), ref: 00448BC1
                                                          • ShowWindow.USER32(004A83D8,00000000,004A83D8,?,?), ref: 00448C37
                                                          • ShowWindow.USER32(004A83D8,00000004,004A83D8), ref: 00448C43
                                                          • EnableWindow.USER32(004A83D8,00000001), ref: 00448C58
                                                            • Part of subcall function 004413F0: SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 0044140E
                                                            • Part of subcall function 004413F0: GetWindowLongW.USER32(?,000000F0), ref: 00441452
                                                            • Part of subcall function 004413F0: GetWindowLongW.USER32(?,000000F0), ref: 00441493
                                                            • Part of subcall function 004413F0: SendMessageW.USER32(02F31AF0,000000F1,00000000,00000000), ref: 004414C6
                                                            • Part of subcall function 004413F0: SendMessageW.USER32(02F31AF0,000000F1,00000001,00000000), ref: 004414F1
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: Window$EnableMessageSend$LongShow
                                                          • String ID:
                                                          • API String ID: 142311417-0
                                                          • Opcode ID: 63a7105258867651d9446b65671e60b54e1f680e017c4d0f27b0fbeeb6060130
                                                          • Instruction ID: 53ead31d82dc60d0a1ec6489c26700cf05fac79e8a5bf65a12bf69c5108a1aee
                                                          • Opcode Fuzzy Hash: 63a7105258867651d9446b65671e60b54e1f680e017c4d0f27b0fbeeb6060130
                                                          • Instruction Fuzzy Hash: 942105B07053809BF7148E28C8C47AFB7D0FB95345F08482EF981A6391DBAC9845C72E
                                                          APIs
                                                          • _memset.LIBCMT ref: 0044955A
                                                            • Part of subcall function 00433A98: _wcspbrk.LIBCMT ref: 00433AAC
                                                          • SendMessageW.USER32(?,00001060,00000000,00000004), ref: 004495B3
                                                          • _wcslen.LIBCMT ref: 004495C1
                                                          • _wcslen.LIBCMT ref: 004495CE
                                                          • SendMessageW.USER32(?,00001060,00000000,?), ref: 004495FF
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: MessageSend_wcslen$_memset_wcspbrk
                                                          • String ID:
                                                          • API String ID: 1843234404-0
                                                          • Opcode ID: b21334e59b332bdcefcacb45badc01962a29afe58654cc2f886ab9dc01dd4065
                                                          • Instruction ID: 2eba0e6ca7bf2f01d6f4dc0284c8cedbdf4c7ea0b5caad0642d64795040b3bc6
                                                          • Opcode Fuzzy Hash: b21334e59b332bdcefcacb45badc01962a29afe58654cc2f886ab9dc01dd4065
                                                          • Instruction Fuzzy Hash: 1821F87260430556E630EB15AC81BFBB3D8EBD0761F10483FEE4081280E67E9959D3AA
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 43986f9d4d7e017d9aea9f4dce7e52c9963f71054abe4abd36fa420e2ae722de
                                                          • Instruction ID: 4734ce3ce40af5b77ad59fd8baedf6a3e56741e39cc50bb30d89ac3ca2d3bd52
                                                          • Opcode Fuzzy Hash: 43986f9d4d7e017d9aea9f4dce7e52c9963f71054abe4abd36fa420e2ae722de
                                                          • Instruction Fuzzy Hash: 1321E0712006409BCB10EF29D994D6B73A8EF45321B40466EFE5597382DB34EC08CBA9
                                                          APIs
                                                          • IsWindowVisible.USER32(?), ref: 00445721
                                                          • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0044573C
                                                          • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00445773
                                                          • _wcslen.LIBCMT ref: 004457A3
                                                          • CharUpperBuffW.USER32(00000000,00000000), ref: 004457AD
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen
                                                          • String ID:
                                                          • API String ID: 3087257052-0
                                                          • Opcode ID: 07a683c3f77dae50ee773e7e3fa5154241049f7b31449e9a489b3be5124be6a3
                                                          • Instruction ID: 00e09c3d40749c53521e9302b0eb92bb7bfe2d7d521d01ead8474e6f611d5aec
                                                          • Opcode Fuzzy Hash: 07a683c3f77dae50ee773e7e3fa5154241049f7b31449e9a489b3be5124be6a3
                                                          • Instruction Fuzzy Hash: FA11E972601741BBF7105B35DC46F5B77CDAF65320F04443AF40AE6281FB69E84583AA
                                                          APIs
                                                          • IsWindow.USER32(00000000), ref: 00459DEF
                                                          • GetForegroundWindow.USER32 ref: 00459E07
                                                          • GetDC.USER32(00000000), ref: 00459E44
                                                          • GetPixel.GDI32(00000000,?,00000000), ref: 00459E4F
                                                          • ReleaseDC.USER32(00000000,00000000), ref: 00459E8B
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: Window$ForegroundPixelRelease
                                                          • String ID:
                                                          • API String ID: 4156661090-0
                                                          • Opcode ID: c25ec76bf159445cc401153d518622b926736981535c7bd42fe0b2b106eefd61
                                                          • Instruction ID: f25aa70a507d7fb142791e963b89e5313ab4350e7ab13503248c443e15a863bf
                                                          • Opcode Fuzzy Hash: c25ec76bf159445cc401153d518622b926736981535c7bd42fe0b2b106eefd61
                                                          • Instruction Fuzzy Hash: 76219D76600202ABD700EFA5CD49A5AB7E9FF84315F19483DF90597642DB78FC04CBA9
                                                          APIs
                                                            • Part of subcall function 004647A2: inet_addr.WSOCK32(?), ref: 004647C7
                                                          • socket.WSOCK32(00000002,00000001,00000006,00000000), ref: 00464985
                                                          • WSAGetLastError.WSOCK32(00000000,00000002,00000001,00000006,00000000), ref: 00464993
                                                          • connect.WSOCK32(00000000,00000000,00000010,00000002,00000001,00000006,00000000), ref: 004649CD
                                                          • WSAGetLastError.WSOCK32(00000000,00000000,00000000,00000010,00000002,00000001,00000006,00000000), ref: 004649F4
                                                          • closesocket.WSOCK32(00000000,00000000,00000000,00000000,00000000,00000010,00000002,00000001,00000006,00000000), ref: 00464A07
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: ErrorLast$closesocketconnectinet_addrsocket
                                                          • String ID:
                                                          • API String ID: 245547762-0
                                                          • Opcode ID: c11d93ef0e5925fc7b778e12926c76e847d2ba71e7f4531691fb5523561cfb0e
                                                          • Instruction ID: b27d5ee258410aac5bd3077dd9c53ce90635b59006b610d0ec7ee295a05cd03d
                                                          • Opcode Fuzzy Hash: c11d93ef0e5925fc7b778e12926c76e847d2ba71e7f4531691fb5523561cfb0e
                                                          • Instruction Fuzzy Hash: 3211DA712002109BD310FB2AC842F9BB3D8AF85728F04895FF594A72D2D7B9A885875A
                                                          APIs
                                                          • DeleteObject.GDI32(00000000), ref: 00447151
                                                          • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,00000000,?,?,?), ref: 00447195
                                                          • SelectObject.GDI32(?,00000000), ref: 004471A2
                                                          • BeginPath.GDI32(?), ref: 004471B7
                                                          • SelectObject.GDI32(?,00000000), ref: 004471DC
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: Object$Select$BeginCreateDeletePath
                                                          • String ID:
                                                          • API String ID: 2338827641-0
                                                          • Opcode ID: f19e52de08adcd67550c2e9faff4417be3cdd69e9125f029607893bae639c511
                                                          • Instruction ID: ab30216038401830d00444c504d41f25dcbf82a6e2307e0a418987ed8484b610
                                                          • Opcode Fuzzy Hash: f19e52de08adcd67550c2e9faff4417be3cdd69e9125f029607893bae639c511
                                                          • Instruction Fuzzy Hash: 7E2171B18083019FD320CF29AD44A1B7FACF74A724F14052FF654933A1EB789849CB69
                                                          APIs
                                                          • Sleep.KERNEL32(00000000,00000000,?,?,?,?,004448B6,0000000F,?), ref: 0043771E
                                                          • QueryPerformanceCounter.KERNEL32(?,?,00000000,?,?,?,?,004448B6,0000000F,?), ref: 0043773C
                                                          • Sleep.KERNEL32(00000000,?,?,?,?,004448B6,0000000F,?), ref: 0043775C
                                                          • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,004448B6,0000000F,?), ref: 00437767
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: CounterPerformanceQuerySleep
                                                          • String ID:
                                                          • API String ID: 2875609808-0
                                                          • Opcode ID: 901ea73111326f2a8af3d8a1217edfde6b6dff748f8bb26d3b0ac17b2ce0a9c5
                                                          • Instruction ID: fd8a8a83491f03de43ea78fbc63302b75a2fa5438857304713168bbc83ca9150
                                                          • Opcode Fuzzy Hash: 901ea73111326f2a8af3d8a1217edfde6b6dff748f8bb26d3b0ac17b2ce0a9c5
                                                          • Instruction Fuzzy Hash: EA11A3B64093119BC210EF1ADA88A8FB7F4FFD8765F004D2EF9C462250DB34D5598B9A
                                                          APIs
                                                          • SendMessageW.USER32 ref: 0046FD00
                                                          • SendMessageW.USER32(?,0000104C,00000000,?), ref: 0046FD2E
                                                          • SendMessageW.USER32(?,00001015,?,?), ref: 0046FD4B
                                                          • DestroyIcon.USER32(?), ref: 0046FD58
                                                          • DestroyIcon.USER32(?), ref: 0046FD5F
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$DestroyIcon
                                                          • String ID:
                                                          • API String ID: 3419509030-0
                                                          • Opcode ID: a24bc400bf7eaff3d1708451a80103ed5292b50ec6011cebb58ec712c1110a53
                                                          • Instruction ID: ba7c1cc62690e465ab1dcb48fa3e0f79152c3dc78d34179caeeeb49ed344ab69
                                                          • Opcode Fuzzy Hash: a24bc400bf7eaff3d1708451a80103ed5292b50ec6011cebb58ec712c1110a53
                                                          • Instruction Fuzzy Hash: 5F1182B15043449BE730DF14DC46BABB7E8FBC5714F00492EE6C857291D6B8A84A8B67
                                                          APIs
                                                          • __getptd.LIBCMT ref: 004175AE
                                                            • Part of subcall function 00416C72: __getptd_noexit.LIBCMT ref: 00416C75
                                                            • Part of subcall function 00416C72: __amsg_exit.LIBCMT ref: 00416C82
                                                          • __amsg_exit.LIBCMT ref: 004175CE
                                                          • __lock.LIBCMT ref: 004175DE
                                                          • InterlockedDecrement.KERNEL32(?), ref: 004175FB
                                                          • InterlockedIncrement.KERNEL32(02F32CE0), ref: 00417626
                                                          Similarity
                                                          • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
                                                          • String ID:
                                                          • API String ID: 4271482742-0
                                                          APIs
                                                          • DestroyWindow.USER32(?,?,?,?,?), ref: 00455640
                                                          • DeleteObject.GDI32(?), ref: 0045564E
                                                          • DeleteObject.GDI32(?), ref: 0045565C
                                                          • DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
                                                          • DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
                                                          Similarity
                                                          • API ID: Destroy$DeleteObjectWindow$Icon
                                                          • String ID:
                                                          • API String ID: 4023252218-0
                                                          APIs
                                                          • GetDlgItem.USER32(?,000003E9), ref: 00460342
                                                          • GetWindowTextW.USER32(00000000,00000100,00000100), ref: 00460357
                                                          • MessageBeep.USER32(00000000), ref: 0046036D
                                                          • KillTimer.USER32(?,0000040A), ref: 00460392
                                                          • EndDialog.USER32(?,00000001), ref: 004603AB
                                                          Similarity
                                                          • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                          • String ID:
                                                          • API String ID: 3741023627-0
                                                          APIs
                                                          • SendMessageW.USER32(?,00001101,00000000,?), ref: 00455514
                                                          • DeleteObject.GDI32(?), ref: 0045564E
                                                          • DeleteObject.GDI32(?), ref: 0045565C
                                                          • DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
                                                          • DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
                                                          Similarity
                                                          • API ID: DeleteDestroyObject$IconMessageSendWindow
                                                          • String ID:
                                                          • API String ID: 1489400265-0
                                                          APIs
                                                            • Part of subcall function 0043343D: InvalidateRect.USER32(?,00000000,00000001), ref: 004334BE
                                                          • DestroyWindow.USER32(?,?,?,?,?), ref: 00455640
                                                          • DeleteObject.GDI32(?), ref: 0045564E
                                                          • DeleteObject.GDI32(?), ref: 0045565C
                                                          • DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
                                                          • DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
                                                          Similarity
                                                          • API ID: Destroy$DeleteObjectWindow$IconInvalidateRect
                                                          • String ID:
                                                          • API String ID: 1042038666-0
                                                          APIs
                                                          Similarity
                                                          • API ID: Path$ObjectStroke$DeleteFillSelect
                                                          • String ID:
                                                          • API String ID: 2625713937-0
                                                          APIs
                                                            • Part of subcall function 00411A35: _doexit.LIBCMT ref: 00411A41
                                                          • ___set_flsgetvalue.LIBCMT ref: 004140E1
                                                            • Part of subcall function 00416A84: TlsGetValue.KERNEL32(00411739,00416C10,?,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416A8D
                                                            • Part of subcall function 00416A84: __decode_pointer.LIBCMT ref: 00416A9F
                                                            • Part of subcall function 00416A84: TlsSetValue.KERNEL32(00000000,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416AAE
                                                          • ___fls_getvalue@4.LIBCMT ref: 004140EC
                                                            • Part of subcall function 00416A64: TlsGetValue.KERNEL32(?,?,004140F1,00000000), ref: 00416A72
                                                          • ___fls_setvalue@8.LIBCMT ref: 004140FF
                                                            • Part of subcall function 00416AB8: __decode_pointer.LIBCMT ref: 00416AC9
                                                          • GetLastError.KERNEL32(00000000,?,00000000), ref: 00414108
                                                          • ExitThread.KERNEL32 ref: 0041410F
                                                          • GetCurrentThreadId.KERNEL32 ref: 00414115
                                                          • __freefls@4.LIBCMT ref: 00414135
                                                          • __IsNonwritableInCurrentImage.LIBCMT ref: 00414148
                                                          Similarity
                                                          • API ID: Value$CurrentThread__decode_pointer$ErrorExitImageLastNonwritable___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
                                                          • String ID:
                                                          • API String ID: 132634196-0
                                                          APIs
                                                          • __IsNonwritableInCurrentImage.LIBCMT ref: 00415610
                                                            • Part of subcall function 00418540: __FindPESection.LIBCMT ref: 0041859B
                                                          • __getptd_noexit.LIBCMT ref: 00415620
                                                          • CloseHandle.KERNEL32(?,?,0041566B), ref: 00415634
                                                          • __freeptd.LIBCMT ref: 0041563B
                                                          • ExitThread.KERNEL32 ref: 00415643
                                                          Similarity
                                                          • API ID: CloseCurrentExitFindHandleImageNonwritableSectionThread__freeptd__getptd_noexit
                                                          • String ID:
                                                          • API String ID: 3798957060-0
                                                          APIs
                                                            • Part of subcall function 00411A35: _doexit.LIBCMT ref: 00411A41
                                                          • ___set_flsgetvalue.LIBCMT ref: 00415690
                                                            • Part of subcall function 00416A84: TlsGetValue.KERNEL32(00411739,00416C10,?,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416A8D
                                                            • Part of subcall function 00416A84: __decode_pointer.LIBCMT ref: 00416A9F
                                                            • Part of subcall function 00416A84: TlsSetValue.KERNEL32(00000000,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416AAE
                                                          • ___fls_getvalue@4.LIBCMT ref: 0041569B
                                                            • Part of subcall function 00416A64: TlsGetValue.KERNEL32(?,?,004140F1,00000000), ref: 00416A72
                                                          • ___fls_setvalue@8.LIBCMT ref: 004156AD
                                                            • Part of subcall function 00416AB8: __decode_pointer.LIBCMT ref: 00416AC9
                                                          • GetLastError.KERNEL32(00000000,?,00000000), ref: 004156B6
                                                          • ExitThread.KERNEL32 ref: 004156BD
                                                          • __freefls@4.LIBCMT ref: 004156D9
                                                          • __IsNonwritableInCurrentImage.LIBCMT ref: 004156EC
                                                          Similarity
                                                          • API ID: Value$__decode_pointer$CurrentErrorExitImageLastNonwritableThread___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
                                                          • String ID:
                                                          • API String ID: 1537469427-0
                                                          Strings
                                                          Similarity
                                                          • API ID: _malloc
                                                          • String ID: Default$|k
                                                          • API String ID: 1579825452-2254895183
                                                          APIs
                                                          Strings
                                                          Similarity
                                                          • API ID: _memcmp
                                                          • String ID: '$[$h
                                                          • API String ID: 2931989736-1224472061
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
Similarity
• API ID: _strncmp
• String ID: >$R$U
• API String ID: 909875538-1924298640
• Opcode ID: 83caccdc30ebaedd60eda3635d3ed4fa95617b34971efb7504fa10d53abc7e5a
• Instruction ID: f6794502b7c89560a677b30a08de70cb8bc1b17d125f16f135907c58c8460d8d
• Opcode Fuzzy Hash: 83caccdc30ebaedd60eda3635d3ed4fa95617b34971efb7504fa10d53abc7e5a
• Instruction Fuzzy Hash: 46E19C745083818FEB25CF29C49076BBBE1EFD9304F28496EE89587381D378E849CB56
APIs
  • Part of subcall function 00442C52: _wcslen.LIBCMT ref: 00442C82
• CoInitialize.OLE32(00000000), ref: 0046CE18
• CoCreateInstance.OLE32(00482A50,00000000,00000001,004828B0,?), ref: 0046CE31
• CoUninitialize.OLE32 ref: 0046CE50
Strings
Memory Dump Source
• Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
Similarity
• API ID: CreateInitializeInstanceUninitialize_wcslen
• String ID: .lnk
• API String ID: 886957087-24824748
• Opcode ID: cf95cfa125c39178dc1728bd48ca6ee468afe444b27fb378bb5b47a8cf5920ff
• Instruction ID: 09ec1e36491b9dee8eccbfa157b0fc1a83632a56aae6c10d58f94140378ad3aa
• Opcode Fuzzy Hash: cf95cfa125c39178dc1728bd48ca6ee468afe444b27fb378bb5b47a8cf5920ff
• Instruction Fuzzy Hash: D3A1ABB5A042019FC704EF64C980E6BB7E9EF88714F14895EF8849B392D735EC45CBA6
Strings
• \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00469C37
Memory Dump Source
• Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
Similarity
• API ID: _wcslen
• String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
• API String ID: 176396367-557222456
• Opcode ID: 6ed3ee7040cf52f7c8cf58c24b37417f7719ae2cfab6dfb5b0d2deafceea8a2b
• Instruction ID: 5ec49088f7a0f5eff408c40ec761cfb1cab3d77d8e9f1d748350f88cc39ab646
• Opcode Fuzzy Hash: 6ed3ee7040cf52f7c8cf58c24b37417f7719ae2cfab6dfb5b0d2deafceea8a2b
• Instruction Fuzzy Hash: 2C818F715183009FC310EF65C88186BB7E8AF85714F408A2FF5959B2A2E778ED45CB9B
APIs
  • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
• VariantInit.OLEAUT32(00000000), ref: 0042D2E0
• VariantCopy.OLEAUT32(?,?), ref: 0042D2EE
• VariantClear.OLEAUT32(00000000), ref: 0042D2FF
Strings
Memory Dump Source
• Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
Similarity
• API ID: Variant$ClearCopyInit_malloc
• String ID: 4RH
• API String ID: 2981388473-749298218
• Opcode ID: c26f7a3086022908b18cdef591f48b83bab91b2854b3ff3a8353accd24870fc8
• Instruction ID: 2430bd0654d197d786bc988f6f01769df72c779a088326c60667d263ff95ce9f
• Opcode Fuzzy Hash: c26f7a3086022908b18cdef591f48b83bab91b2854b3ff3a8353accd24870fc8
• Instruction Fuzzy Hash: CC913874A083519FC720CF29D480A1AB7E1FF89304F64892EE999DB351D774EC85CB96
APIs
  • Part of subcall function 0040FFF0: _wcslen.LIBCMT ref: 0040FFF2
  • Part of subcall function 0040FFF0: _wcscpy.LIBCMT ref: 00410012
• __wcsnicmp.LIBCMT ref: 0046681A
• WNetUseConnectionW.MPR(00000000,?,00000000,?,00000000,?,00000000,?), ref: 004668B9
Strings
Memory Dump Source
• Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
Similarity
• API ID: Connection__wcsnicmp_wcscpy_wcslen
• String ID: LPT$HH
• API String ID: 3035604524-2728063697
• Opcode ID: 4168d29b7d0848dc605f9ce781fdb6688c60699af114ee795911c582be7b9077
• Instruction ID: 32c7950bcbaa764ae6d62266904c1b9f72d26d84b6ae022b5f72856ccecd4d84
• Opcode Fuzzy Hash: 4168d29b7d0848dc605f9ce781fdb6688c60699af114ee795911c582be7b9077
• Instruction Fuzzy Hash: 2151D5B16043009FC720EF65C881B1BB7E5AF85704F11491EFA859B382E779ED49C79A
APIs
  • Part of subcall function 004374AF: WriteProcessMemory.KERNEL32(?,?,00000000,00000000,00000000,?,00461142,?), ref: 004374E2
• SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00438AB8
  • Part of subcall function 00437472: ReadProcessMemory.KERNEL32(?,00000000,00000000,?,00000000,00000000,00460C33,?,00000000,?,00000202), ref: 004374A5
• SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00438B2F
• SendMessageW.USER32(00000000,00001111,00000000,00000000), ref: 00438BAF
Strings
Memory Dump Source
• Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
Similarity
• API ID: MessageSend$MemoryProcess$ReadWrite
• String ID: @
• API String ID: 4055202900-2766056989
• Opcode ID: 95f302c56ad406a71ba46a757bfca5032ac46bd5be6e99a0861c43b96ce9d769
• Instruction ID: 682097a2b5231093ce935cfc9f6f49684b756042c0be5430c67da702d62f7190
• Opcode Fuzzy Hash: 95f302c56ad406a71ba46a757bfca5032ac46bd5be6e99a0861c43b96ce9d769
• Instruction Fuzzy Hash: E6518FB2208304ABD310DB64CC81FEFB7A9EFC9714F04591EFA8597181D678F9498B66
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
Similarity
• API ID: CrackInternet_memset_wcslen
• String ID: |
• API String ID: 915713708-2343686810
• Opcode ID: 49a329c21d3e2b60aa9c34259f3774bde857317d5b4f329263fe64f76368b085
• Instruction ID: 59fb16093b155e5aebf0565036b17e76eaaa1a90c891d08183ce313382d628e9
• Opcode Fuzzy Hash: 49a329c21d3e2b60aa9c34259f3774bde857317d5b4f329263fe64f76368b085
• Instruction Fuzzy Hash: AE417EB2754301ABD204EF69DC81B9BF7E8FB88714F00052EF64593290DB75E909CBA6
APIs
• InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0044A7FE
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0044A851
• HttpQueryInfoW.WININET ref: 0044A892
  • Part of subcall function 0044286A: GetLastError.KERNEL32(00000000,0044AA07,?,00000000,00000000,00000001,?,?), ref: 00442880
Strings
Memory Dump Source
• Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
Similarity
• API ID: Http$ErrorInfoInternetLastOpenQueryRequestSend
• String ID:
• API String ID: 3705125965-3916222277
• Opcode ID: 978b0a3adb57e12b693652f0a59e9f67067917ae502be6042813f4078819ed5c
• Instruction ID: e2ea4e726a01332d61d4ddbc0b4be6fd5f15ca60b5c099a75bcf819f780d651a
• Opcode Fuzzy Hash: 978b0a3adb57e12b693652f0a59e9f67067917ae502be6042813f4078819ed5c
• Instruction Fuzzy Hash: F431C6B56813416BE320EB16DC42F9FB7E8EFD9714F00091FF65057281D7A8A50D876A
APIs
• SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00450A84
• GetWindowLongW.USER32(?,000000F0), ref: 00450AA2
• SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00450AB3
Strings
Memory Dump Source
• Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
Similarity
• API ID: Window$Long
• String ID: SysTreeView32
• API String ID: 847901565-1698111956
• Opcode ID: 8beaa76caf08e9d8622144d4cb1fe8de975b1c4a0fa94bb7914df260c0b4a9df
• Instruction ID: 1ec52148e0427fd314aa46f8515fbaae5756f8dde681787cc4d1a4a364837cef
• Opcode Fuzzy Hash: 8beaa76caf08e9d8622144d4cb1fe8de975b1c4a0fa94bb7914df260c0b4a9df
• Instruction Fuzzy Hash: 9831E670244301AFE710DB64CC84B6BB3E8EF98325F104A1EF9A5932D1D7B8AD85CB25
APIs
• LoadLibraryA.KERNEL32(?), ref: 00437CB2
• GetProcAddress.KERNEL32(?,AU3_GetPluginDetails), ref: 00437D26
• FreeLibrary.KERNEL32(?,?,AU3_GetPluginDetails), ref: 00437D3D
Strings
Memory Dump Source
• Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
Similarity
• API ID: Library$AddressFreeLoadProc
• String ID: AU3_GetPluginDetails
• API String ID: 145871493-4132174516
• Opcode ID: 4d29db7c409dc1d8665f13fcd2a771d904d38d92e5d57695c8085be3ce6f429e
• Instruction ID: 909018a8305b4cb0ce841e730e5bf8c258fddf5044228ae68d4d210ccee2088c
• Opcode Fuzzy Hash: 4d29db7c409dc1d8665f13fcd2a771d904d38d92e5d57695c8085be3ce6f429e
• Instruction Fuzzy Hash: 054147B96042019FC314DF68D8C4D5AF3E5FF8D304B20866EE9568B751DB35E802CB96
APIs
• DestroyWindow.USER32(00000000,004A83D8,00000000,?,?), ref: 00450C60
Strings
Memory Dump Source
• Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
Similarity
• API ID: DestroyWindow
• String ID: msctls_updown32
• API String ID: 3375834691-2298589950
• Opcode ID: 2a2b7300f3f0896f723b2acc27284ae87319393b418436251cb0663837fc8f9c
• Instruction ID: 6a1e1189e42626fde14bc74b9d87f1f450c181bb0fe7a510af516aef360d3f61
• Opcode Fuzzy Hash: 2a2b7300f3f0896f723b2acc27284ae87319393b418436251cb0663837fc8f9c
• Instruction Fuzzy Hash: CE31A279300201AFD624DF54DC81F5B73A9EB9A714F20451EF640AB382C7B4AC4ACB6A
APIs
• SendMessageW.USER32(00000000,00000180,00000000,?), ref: 0045122A
• SendMessageW.USER32(00000000,00000186,00000000,00000000), ref: 00451238
• MoveWindow.USER32(?,?,00000000,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 0045125D
Strings
Memory Dump Source
• Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
Similarity
• API ID: MessageSend$MoveWindow
• String ID: Listbox
• API String ID: 3315199576-2633736733
• Opcode ID: ec94c338bdc408a6213732be15a93177a4dce0f95fa1299e59073e0341a0244e
• Instruction ID: bfe1e9b3800f224edd0053b2d0d87a77da448e7bf5b17050dc61905274d7532a
• Opcode Fuzzy Hash: ec94c338bdc408a6213732be15a93177a4dce0f95fa1299e59073e0341a0244e
• Instruction Fuzzy Hash: E421D3712043047BE6209A65DC81F6BB3E8EBCD735F104B1EFA60A72D1C675EC458729
                                                          APIs
                                                          • SetErrorMode.KERNEL32(00000001), ref: 0045D243
                                                          • GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D2C7
                                                          • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D30C
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: ErrorMode$InformationVolume
                                                          • String ID: HH
                                                          • API String ID: 2507767853-2761332787
                                                          • Opcode ID: 10a78899cac0a24ca5bd241ff5c46140465ea67f957306f93882c0fc43b3d187
                                                          • Instruction ID: 4a708fd112bc3492f79fb502a293ca5b83a6a9b53d4ab80d782c21126568c1ab
                                                          • Opcode Fuzzy Hash: 10a78899cac0a24ca5bd241ff5c46140465ea67f957306f93882c0fc43b3d187
                                                          • Instruction Fuzzy Hash: 622148756083019FC310EF55D944A6BB7E4FF88704F40882EFA45972A2D774E909CB5A
                                                          APIs
                                                          • SetErrorMode.KERNEL32(00000001), ref: 0045D44A
                                                          • GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D4CE
                                                          • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D502
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: ErrorMode$InformationVolume
                                                          • String ID: HH
                                                          • API String ID: 2507767853-2761332787
                                                          • Opcode ID: a403ffe69dae12f4374470e721856d745e9457d8bcd1b2c0f65575075c8e6c3b
                                                          • Instruction ID: 8e4373afe1f51974a95c06a3ae407364d3098df30383bdf5f9e51316f0e0b5c8
                                                          • Opcode Fuzzy Hash: a403ffe69dae12f4374470e721856d745e9457d8bcd1b2c0f65575075c8e6c3b
                                                          • Instruction Fuzzy Hash: 902137756083019FC314EF55D944A5AB7E8FF88710F40882EFA49972A2D778E909CB9A
                                                          APIs
                                                          • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00450D74
                                                          • SendMessageW.USER32(00000000,00000406,00000000,00640000), ref: 00450D8A
                                                          • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00450D98
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: MessageSend
                                                          • String ID: msctls_trackbar32
                                                          • API String ID: 3850602802-1010561917
                                                          • Opcode ID: e14717e3cb06623c4553287ca90ea840a6fcf4d017620d4062bb11778db8dfcd
                                                          • Instruction ID: c83169f0c5ec68c29a3e9aa847b4a28030a04f73c00385235601d1c9d4ce90e2
                                                          • Opcode Fuzzy Hash: e14717e3cb06623c4553287ca90ea840a6fcf4d017620d4062bb11778db8dfcd
                                                          • Instruction Fuzzy Hash: 4F1193717403117BE610CAA8DC81F5B73E8AB98B25F204A1AFA50A72C1D2B4FC458B68
                                                          APIs
                                                            • Part of subcall function 0045EFE7: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,0047D14B,?,?,?,?), ref: 0045F003
                                                          • gethostbyname.WSOCK32(?,00000000,?,?), ref: 0046BD78
                                                          • WSAGetLastError.WSOCK32(00000000,?,?,00000000,?,?), ref: 0046BD83
                                                          • inet_ntoa.WSOCK32(00000000,?), ref: 0046BDCD
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: ByteCharErrorLastMultiWidegethostbynameinet_ntoa
                                                          • String ID: HH
                                                          • API String ID: 1515696956-2761332787
                                                          • Opcode ID: 536d88bcd2219f00ee4950b39be395ae06382d48515621a82e1548501abb3963
                                                          • Instruction ID: 2fad99cf3c45da3a785a9a513efbde0c8943f1fdc9598a344110207fd9df59bd
                                                          • Opcode Fuzzy Hash: 536d88bcd2219f00ee4950b39be395ae06382d48515621a82e1548501abb3963
                                                          • Instruction Fuzzy Hash: E21142765043006BC744FB66D885D9FB3A8AFC4318F448C2EF945A7242DA39E949876A
                                                          APIs
                                                            • Part of subcall function 00442C52: _wcslen.LIBCMT ref: 00442C82
                                                          • CoInitialize.OLE32(00000000), ref: 0046CE18
                                                          • CoCreateInstance.OLE32(00482A50,00000000,00000001,004828B0,?), ref: 0046CE31
                                                          • CoUninitialize.OLE32 ref: 0046CE50
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: CreateInitializeInstanceUninitialize_wcslen
                                                          • String ID: .lnk
                                                          • API String ID: 886957087-24824748
                                                          • Opcode ID: 8095c6d59d69238af541582e7c79e2891b33013a97e816c4c493b562f1f8ea66
                                                          • Instruction ID: 634f95a1702cd93f148e07eb64efb4b351689d97c5b229aafe37579347e0b37e
                                                          • Opcode Fuzzy Hash: 8095c6d59d69238af541582e7c79e2891b33013a97e816c4c493b562f1f8ea66
                                                          • Instruction Fuzzy Hash: E821AF312083009FC700EF55C985F5ABBF4EF89724F148A6EF9549B2E2D7B5A805CB56
                                                          APIs
                                                            • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                                                          • GetMenuItemInfoW.USER32 ref: 004497EA
                                                          • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00449817
                                                          • DrawMenuBar.USER32 ref: 00449828
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: Menu$InfoItem$Draw_malloc
                                                          • String ID: 0
                                                          • API String ID: 772068139-4108050209
                                                          • Opcode ID: 80c8cc45c3a2388c5d5a2fad2fa293faafe293b1266d5f5cdbd09ec66a21ca10
                                                          • Instruction ID: 895394c4ac3d8cdb9511dba433443d5742fa96e32f07ab63668b9f5a94eb31d1
                                                          • Opcode Fuzzy Hash: 80c8cc45c3a2388c5d5a2fad2fa293faafe293b1266d5f5cdbd09ec66a21ca10
                                                          • Instruction Fuzzy Hash: 941182B16042009BF730EB55EC96FABB7A8FB91714F00452EE648CA281DB7A9445CB76
                                                          APIs
                                                          • GetModuleHandleA.KERNEL32(KERNEL32,0041AEF9), ref: 00424F4C
                                                          • GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 00424F5C
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: AddressHandleModuleProc
                                                          • String ID: IsProcessorFeaturePresent$KERNEL32
                                                          • API String ID: 1646373207-3105848591
                                                          • Opcode ID: e8a2c195ee76dfd59a84a35b1cdf9e15a3b06e47dea4a5400648535d534bf17f
                                                          • Instruction ID: 69bd3651b8917f7fc34e3109133611cda39c57594410afc054872b2319d2a534
                                                          • Opcode Fuzzy Hash: e8a2c195ee76dfd59a84a35b1cdf9e15a3b06e47dea4a5400648535d534bf17f
                                                          • Instruction Fuzzy Hash: F7F03030A00A19D2DB006FB1FE1A66F7AB5FBC0B43F920895E591A0084DFB58571838A
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: AllocTask_wcslen
                                                          • String ID: hkG
                                                          • API String ID: 2651040394-3610518997
                                                          • Opcode ID: 13332cee77e5ed885d7d4fc6bfcacd5b22b96a16ce8d99b05f9432ebd764b12e
                                                          • Instruction ID: 372044899b15e8c53ead78f1c779643819f92c4817f04f111663958edd7e2adf
                                                          • Opcode Fuzzy Hash: 13332cee77e5ed885d7d4fc6bfcacd5b22b96a16ce8d99b05f9432ebd764b12e
                                                          • Instruction Fuzzy Hash: DCE065736442225B97506A79AC045CBA7D8AFB0370B15482BF880E7310E278E89643E5
                                                          APIs
                                                          • LoadLibraryA.KERNEL32(kernel32.dll), ref: 0043417A
                                                          • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0043418C
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: AddressLibraryLoadProc
                                                          • String ID: GetSystemWow64DirectoryW$kernel32.dll
                                                          • API String ID: 2574300362-1816364905
                                                          • Opcode ID: 58df7aafb5ba6d6c6a2aff3317d08040102bec91f6a73b36e13bbbd5fede489a
                                                          • Instruction ID: 1a9860a365f0c849ce8c10f1c40c5c80f9dda93506fd3415c38c98a37cde1a5a
                                                          • Opcode Fuzzy Hash: 58df7aafb5ba6d6c6a2aff3317d08040102bec91f6a73b36e13bbbd5fede489a
                                                          • Instruction Fuzzy Hash: F9D05EB1440B039FCB109FA0D80C64BB6E4AB64301F148C2EF885B2654D7B8E8C0CBA8
                                                          APIs
                                                          • LoadLibraryA.KERNEL32(ICMP.DLL,?,00434466,?,?,00464B68,?,?,?,?,?,00000000,?,?,00000101,?), ref: 004343DE
                                                          • GetProcAddress.KERNEL32(00000000,IcmpSendEcho), ref: 004343F0
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: AddressLibraryLoadProc
                                                          • String ID: ICMP.DLL$IcmpSendEcho
                                                          • API String ID: 2574300362-58917771
                                                          • Opcode ID: 4b46215cfc07257f28131f0af9bcf44c57d27cd5d24dcd7dc697cbf0f45d51b4
                                                          • Instruction ID: bde82dd314f67bb94adb8237e566b22d9cd50c1f3059090bebd97951f1ce1dc3
                                                          • Opcode Fuzzy Hash: 4b46215cfc07257f28131f0af9bcf44c57d27cd5d24dcd7dc697cbf0f45d51b4
                                                          • Instruction Fuzzy Hash: C9D017B45043039BD7105B21D80874A76E4AF58310F118C2FF881E2250CBBCE8808B79
                                                          APIs
                                                          • LoadLibraryA.KERNEL32(ICMP.DLL,?,0043447D,?,?,00464B56,?,?,?,?,00000000,?,?,00000101,?,?), ref: 0043440D
                                                          • GetProcAddress.KERNEL32(00000000,IcmpCloseHandle), ref: 0043441F
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: AddressLibraryLoadProc
                                                          • String ID: ICMP.DLL$IcmpCloseHandle
                                                          • API String ID: 2574300362-3530519716
                                                          • Opcode ID: 42f9b5773da98e9266fb1162e4ae0909fe6bfc7ac22b46aa183d999fe3c035a4
                                                          • Instruction ID: 815a2f2ef77883dfca24b23846b24e776c3b140ddfaf16f0983d17b56328066b
                                                          • Opcode Fuzzy Hash: 42f9b5773da98e9266fb1162e4ae0909fe6bfc7ac22b46aa183d999fe3c035a4
                                                          • Instruction Fuzzy Hash: 9FD017B04443129AD7106B64D80874A76E4AB68302F129C3FF881A2660C7BCA8808B39
                                                          APIs
                                                          • LoadLibraryA.KERNEL32(ICMP.DLL,?,00434494,?,?,00464A94,?), ref: 0043443C
                                                          • GetProcAddress.KERNEL32(00000000,IcmpCreateFile), ref: 0043444E
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: AddressLibraryLoadProc
                                                          • String ID: ICMP.DLL$IcmpCreateFile
                                                          • API String ID: 2574300362-275556492
                                                          • Opcode ID: aa837af65d1bad252c0530eb36f48db089182c3e5c3795977f5f1506c5c05052
                                                          • Instruction ID: c247b13c068300da1972229949477068df6ba5342f41feac8fae2a533bc96115
                                                          • Opcode Fuzzy Hash: aa837af65d1bad252c0530eb36f48db089182c3e5c3795977f5f1506c5c05052
                                                          • Instruction Fuzzy Hash: 97D017B04043029ADB105B60D90875A77E4AB68300F118C7FF9A1A2250C7BCA8808B29
                                                          APIs
                                                          • LoadLibraryA.KERNEL32(kernel32.dll,0040E551,?), ref: 0040EE7B
                                                          • GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 0040EE8D
                                                          Strings
                                                          Similarity
                                                          • API ID: AddressLibraryLoadProc
                                                          • String ID: IsWow64Process$kernel32.dll
                                                          • API String ID: 2574300362-3024904723
                                                          • Opcode ID: 16a412f97595c511ed2c9e877c1bae7dd0f808d0cf5b3a9fdd28adcf59ee176d
                                                          • Instruction ID: 75875fa2f3f8b89ed4c8cde0d061cde3839b728dd3838c322d7dfd2ddbff31fa
                                                          • Opcode Fuzzy Hash: 16a412f97595c511ed2c9e877c1bae7dd0f808d0cf5b3a9fdd28adcf59ee176d
                                                          • Instruction Fuzzy Hash: 51D0C9B0940707DAC7301F72C91871B7AE4AB40342F204C3EB995A1290DBBCC0408B28
                                                          APIs
                                                          • LoadLibraryA.KERNEL32(kernel32.dll,0040E5BF,?), ref: 0040EEEB
                                                          • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 0040EEFD
                                                          Strings
                                                          Similarity
                                                          • API ID: AddressLibraryLoadProc
                                                          • String ID: GetNativeSystemInfo$kernel32.dll
                                                          • API String ID: 2574300362-192647395
                                                          • Opcode ID: 58ac1dddc1eea1967b9e3df612208a50857473a21dbb81c427901d39c1ebcba1
                                                          • Instruction ID: 788ba9bdae5bc0ddad915f4d08bdcf590d5e3b2ea1e3da194f5c7121584c3133
                                                          • Opcode Fuzzy Hash: 58ac1dddc1eea1967b9e3df612208a50857473a21dbb81c427901d39c1ebcba1
                                                          • Instruction Fuzzy Hash: ABD0C9B0944703AAC7311F72C91C70A7AE4AB40341F204C3EB996E1691DBBCC0508B2C
                                                          APIs
                                                          Similarity
                                                          • API ID: ClearVariant
                                                          • String ID:
                                                          • API String ID: 1473721057-0
                                                          • Opcode ID: 864e75c6b64c8395072179653f2e6e54ed688e1196af63861ce1262d91a289fa
                                                          • Instruction ID: 4e1e522645e86f73b8885f2d86dba7d443b77ce6b8f7ad4508257b27d10f8221
                                                          • Opcode Fuzzy Hash: 864e75c6b64c8395072179653f2e6e54ed688e1196af63861ce1262d91a289fa
                                                          • Instruction Fuzzy Hash: 3DD18D746003018FD724DF25D484A26B7E1EF49704F64887EE9899B3A1D739EC92CB9A
                                                          APIs
                                                          • __flush.LIBCMT ref: 00414630
                                                          • __fileno.LIBCMT ref: 00414650
                                                          • __locking.LIBCMT ref: 00414657
                                                          • __flsbuf.LIBCMT ref: 00414682
                                                            • Part of subcall function 00417F23: __getptd_noexit.LIBCMT ref: 00417F23
                                                            • Part of subcall function 00417EBB: __decode_pointer.LIBCMT ref: 00417EC6
                                                          Similarity
                                                          • API ID: __decode_pointer__fileno__flsbuf__flush__getptd_noexit__locking
                                                          • String ID:
                                                          • API String ID: 3240763771-0
                                                          • Opcode ID: da881668a639e25d03d88a6d97948a76b4f19f87a827f6f9fc91a47de182ffa5
                                                          • Instruction ID: ec1a4dff6c5341ad57a53ba98b0f539b864df2cc4a0ba96fecd891c5d8a4160d
                                                          • Opcode Fuzzy Hash: da881668a639e25d03d88a6d97948a76b4f19f87a827f6f9fc91a47de182ffa5
                                                          • Instruction Fuzzy Hash: 4841A571A00605ABDB249FA5C9445DFB7B6EFC1328F28852FE41997280D77CDEC18B48
                                                          APIs
                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000001,00000000,NULL Pointer assignment,00000001), ref: 00478201
                                                          • VariantCopy.OLEAUT32(?,?), ref: 00478259
                                                          • VariantCopy.OLEAUT32(-00000058,?), ref: 00478270
                                                          • VariantCopy.OLEAUT32(-00000078,?), ref: 00478287
                                                          Similarity
                                                          • API ID: CopyVariant$ErrorLast
                                                          • String ID:
                                                          • API String ID: 2286883814-0
                                                          • Opcode ID: 5518b7b53ef3ca50261af568c513a59c65815d8cf0fffae25230fe941ba47538
                                                          • Instruction ID: 2d87100fc18953c9afe9b7e879878e48daa4ef19e0256d9a4550ae3fa38499cf
                                                          • Opcode Fuzzy Hash: 5518b7b53ef3ca50261af568c513a59c65815d8cf0fffae25230fe941ba47538
                                                          • Instruction Fuzzy Hash: 5F517C751543409FC310DF69C880A9BBBE4FF88314F448A6EF9499B352DB39E909CB99
                                                          APIs
                                                          • socket.WSOCK32(00000002,00000002,00000011), ref: 00474068
                                                          • WSAGetLastError.WSOCK32(00000000,00000002,00000002,00000011), ref: 00474076
                                                          • #21.WSOCK32 ref: 004740E0
                                                          • WSAGetLastError.WSOCK32(00000000), ref: 004740EB
                                                          Similarity
                                                          • API ID: ErrorLast$socket
                                                          • String ID:
                                                          • API String ID: 1881357543-0
                                                          • Opcode ID: 34147ac461a0e284a181aa69957adffe558344c6371ca04fba36d93f3b76d486
                                                          • Instruction ID: ff1742a21ceaee7448286ece46cbaad1fa76dded649dcd1b12ff87c083dae87e
                                                          • Opcode Fuzzy Hash: 34147ac461a0e284a181aa69957adffe558344c6371ca04fba36d93f3b76d486
                                                          • Instruction Fuzzy Hash: 7641D9717403006AE720BF6ADC47F5672C89B54B18F14496EF648BF2C3D6FAA881869C
                                                          APIs
                                                          • ClientToScreen.USER32(00000000,?), ref: 00441CDE
                                                          • GetWindowRect.USER32(?,?), ref: 00441D5A
                                                          • PtInRect.USER32(?,?,?), ref: 00441D6F
                                                          • MessageBeep.USER32(00000000), ref: 00441DF2
                                                          Similarity
                                                          • API ID: Rect$BeepClientMessageScreenWindow
                                                          • String ID:
                                                          • API String ID: 1352109105-0
                                                          • Opcode ID: f335056d542ece3fcaf1afd85692f97af485635a3f9ffa8235448c3f06d12885
                                                          • Instruction ID: 11ad13a84751b34e4f8a983c71a6a29643224e7bbeba0240db3aabd8edeb2108
                                                          • Opcode Fuzzy Hash: f335056d542ece3fcaf1afd85692f97af485635a3f9ffa8235448c3f06d12885
                                                          • Instruction Fuzzy Hash: E64192B5A042418FE710DF18D884AABB7E5FFC9311F18866FE8518B360D734AC85CBA5
                                                          APIs
                                                          • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0042387E
                                                          • __isleadbyte_l.LIBCMT ref: 004238B2
                                                          • MultiByteToWideChar.KERNEL32(?,00000009,00000002,?,00000000,00000000,?,?,?,00000000,00000002,00000000), ref: 004238E3
                                                          • MultiByteToWideChar.KERNEL32(?,00000009,00000002,00000001,00000000,00000000,?,?,?,00000000,00000002,00000000), ref: 00423951
                                                          Similarity
                                                          • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                          • String ID:
                                                          • API String ID: 3058430110-0
                                                          • Opcode ID: f131ee11c0d220cb2dc6b3da44158834730645c68ebbd2a61d5b0c3ed448205f
                                                          • Instruction ID: 550681b3841f0f34ee613cb5364b25607849a03987ccfca5eaaec14299199b49
                                                          • Opcode Fuzzy Hash: f131ee11c0d220cb2dc6b3da44158834730645c68ebbd2a61d5b0c3ed448205f
                                                          • Instruction Fuzzy Hash: A931C270B00265EFDB20EF64D8849AA7BF5EF01312B9445AAF0A09F291D338CE81CB55
                                                          APIs
                                                          • CreateHardLinkW.KERNEL32(00000000,?,00000000,?,00000000), ref: 0045D10A
                                                          • GetLastError.KERNEL32(?,00000000), ref: 0045D12B
                                                          • DeleteFileW.KERNEL32(00000000,?), ref: 0045D14C
                                                          • CreateHardLinkW.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0045D16A
                                                          Similarity
                                                          • API ID: CreateHardLink$DeleteErrorFileLast
                                                          • String ID:
                                                          • API String ID: 3321077145-0
                                                          • Opcode ID: 7cd5f2a63614e36a101d3a24e32b13d83311d412b7f68151a30e37c1c693f1dc
                                                          • Instruction ID: 240381fd0e223f31e6bb83dc4f900fe278965bce5f9bbaa9f824fb1079ab41c9
                                                          • Opcode Fuzzy Hash: 7cd5f2a63614e36a101d3a24e32b13d83311d412b7f68151a30e37c1c693f1dc
                                                          • Instruction Fuzzy Hash: 393180B5900301ABCB10AF71C985A1BF7E8AF84755F10891EF85497392C739FC45CB68
                                                          APIs
                                                          • GetParent.USER32(?), ref: 004505BF
                                                          • DefDlgProcW.USER32(?,00000138,?,?,004A83D8,?,004A83D8,?), ref: 00450610
                                                          • DefDlgProcW.USER32(?,00000133,?,?,004A83D8,?,004A83D8,?), ref: 0045065A
                                                          • DefDlgProcW.USER32(?,00000134,?,?,004A83D8,?,004A83D8,?), ref: 00450688
                                                          Similarity
                                                          • API ID: Proc$Parent
                                                          • String ID:
                                                          • API String ID: 2351499541-0
                                                          • Opcode ID: 93bb19dea30658450b5dada9832e261aba4ffbe4fc891123e7e77a8d6405a749
                                                          • Instruction ID: e3e31f905615dd8bfbe674c7a91f48f64006a8638b4dc9b760805e547d05c650
                                                          • Opcode Fuzzy Hash: 93bb19dea30658450b5dada9832e261aba4ffbe4fc891123e7e77a8d6405a749
                                                          • Instruction Fuzzy Hash: 8C3128362411006BC2209B299C58DBB7B58EBC7336F14465BFA54832D3CB769826C768
                                                          APIs
                                                            • Part of subcall function 00438C85: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00438C95
                                                            • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                                                          • SendMessageW.USER32(00000000,0000102C,00000000,00000002), ref: 00461420
                                                          • SendMessageW.USER32(00000000,0000102C,00000000,00000002), ref: 0046144F
                                                          • __itow.LIBCMT ref: 00461461
                                                          • __itow.LIBCMT ref: 004614AB
                                                          Similarity
                                                          • API ID: MessageSend$__itow$_wcslen
                                                          • String ID:
                                                          • API String ID: 2875217250-0
                                                          • Opcode ID: 347b44770508ca88cf5981266e998b528a2978f718c0dd2978777487f2c1d3f7
                                                          • Instruction ID: b65c482f8247f617b799fd724a7506577ebf884cdb52d0d4602b18db992df379
                                                          • Opcode Fuzzy Hash: 347b44770508ca88cf5981266e998b528a2978f718c0dd2978777487f2c1d3f7
                                                          • Instruction Fuzzy Hash: 3A213D7670031067D210BA169C86FAFB794EB94714F08443FFF44AB241EE69E94687EB
                                                          APIs
                                                          • _memset.LIBCMT ref: 0040E202
                                                          • Shell_NotifyIconW.SHELL32(00000000,?), ref: 0040E2C7
                                                          Similarity
                                                          • API ID: IconNotifyShell__memset
                                                          • String ID:
                                                          • API String ID: 928536360-0
                                                          • Opcode ID: a8f79553875ba5cd412c6e6f6aef719f94b94a7ff7df26053db2d04cf48d3506
                                                          • Instruction ID: 9c6d99eda8392314e00a4319cd3b9f491a6d528882fc0aac3328a2d60ab56ec1
                                                          • Opcode Fuzzy Hash: a8f79553875ba5cd412c6e6f6aef719f94b94a7ff7df26053db2d04cf48d3506
                                                          • Instruction Fuzzy Hash: FC318170608701DFD320DF25D845B97BBF8BB45304F00486EE99A93380E778A958CF5A
                                                          APIs
                                                          • GetForegroundWindow.USER32 ref: 00472806
                                                            • Part of subcall function 00443EEF: GetWindowThreadProcessId.USER32(00000001,00000000), ref: 00443F11
                                                            • Part of subcall function 00443EEF: GetCurrentThreadId.KERNEL32 ref: 00443F18
                                                            • Part of subcall function 00443EEF: AttachThreadInput.USER32(00000000), ref: 00443F1F
                                                          • GetCaretPos.USER32(?), ref: 0047281A
                                                          • ClientToScreen.USER32(00000000,?), ref: 00472856
                                                          • GetForegroundWindow.USER32 ref: 0047285C
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                          • String ID:
                                                          • API String ID: 2759813231-0
                                                          • Opcode ID: f08c9821fa495b0e17bd1c697e1e5286648ea95901ecf1a9ceb1535147bec3ee
                                                          • Instruction ID: 38f02bd9b1f6bed34cfa7ce2d7f69328ba3456287a0ba45db7850a86b8391dd2
                                                          • Opcode Fuzzy Hash: f08c9821fa495b0e17bd1c697e1e5286648ea95901ecf1a9ceb1535147bec3ee
                                                          • Instruction Fuzzy Hash: FF2195716403056FE310EF65CC42F5BB7E8AF84708F144D2EF544AB282D6FAB9858795
                                                          APIs
                                                            • Part of subcall function 0046DD22: IsWindow.USER32(00000000), ref: 0046DD51
                                                          • GetWindowLongW.USER32(?,000000EC), ref: 0047728E
                                                          • SetWindowLongW.USER32(?,000000EC,00000000), ref: 004772A9
                                                          • SetWindowLongW.USER32(?,000000EC,00000000), ref: 004772C0
                                                          • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002,?,000000EC,00000000,?,000000EC,?,00000001,?,?), ref: 004772D0
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: Window$Long$AttributesLayered
                                                          • String ID:
                                                          • API String ID: 2169480361-0
                                                          • Opcode ID: cf64f2ba38e7b8586118add57273b6dbf74680437e58013ae8f64db123384f26
                                                          • Instruction ID: faea1ea985e506ac999786301d765d91882fdca708237d94abe4bce3661c65f1
                                                          • Opcode Fuzzy Hash: cf64f2ba38e7b8586118add57273b6dbf74680437e58013ae8f64db123384f26
                                                          • Instruction Fuzzy Hash: 5F11B431205510ABD310FB29DD45F9BB798FF91720F10862EF455E72E2C7A8AC45C7A8
                                                          APIs
                                                          • SendMessageW.USER32 ref: 00448CB8
                                                          • GetWindowLongW.USER32(?,000000EC), ref: 00448CE0
                                                          • SendMessageW.USER32(?,0000104C,00000000,?), ref: 00448D19
                                                          • SendMessageW.USER32(?,0000102B,00000000,?), ref: 00448D62
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$LongWindow
                                                          • String ID:
                                                          • API String ID: 312131281-0
                                                          • Opcode ID: 75ae646de43e531ea10203f5aba75cb55710deee3f48b72b110124c921b55059
                                                          • Instruction ID: 9d6bf2a2f0cb0d5184a29e15ea511504db1ac53b4253ca88fa0f688086887250
                                                          • Opcode Fuzzy Hash: 75ae646de43e531ea10203f5aba75cb55710deee3f48b72b110124c921b55059
                                                          • Instruction Fuzzy Hash: B12174715053019BF3208F18D98879FB7E4FBD5325F140B2EF594962D0DBB58449C796
                                                          APIs
                                                          • select.WSOCK32 ref: 0045890A
                                                          • __WSAFDIsSet.WSOCK32(00000000,00000000), ref: 00458919
                                                          • accept.WSOCK32(00000000,00000000,00000000,00000000,00000000), ref: 00458927
                                                          • WSAGetLastError.WSOCK32(00000000), ref: 00458952
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: ErrorLastacceptselect
                                                          • String ID:
                                                          • API String ID: 385091864-0
                                                          • Opcode ID: 4f99be09ea3748399bcd45f1fb284b1e509608db9923cba0f0141099163bafeb
                                                          • Instruction ID: 93f38c3b8a65fd8a68e5265ae944391143789c71a4918893f245a539b4228a7d
                                                          • Opcode Fuzzy Hash: 4f99be09ea3748399bcd45f1fb284b1e509608db9923cba0f0141099163bafeb
                                                          • Instruction Fuzzy Hash: 1F2166712043019BD314EF29C842BABB7E5AFC4714F144A2EF994DB2C1DBB4A985CB99
                                                          APIs
                                                          • SendMessageW.USER32(?,000000B0,?,?), ref: 00438D6F
                                                          • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00438D82
                                                          • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00438D9A
                                                          • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00438DB4
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: MessageSend
                                                          • String ID:
                                                          • API String ID: 3850602802-0
                                                          • Opcode ID: 265964968b448329a9940c71d90cafee1d95b27ec759889be900fe0a368f8aeb
                                                          • Instruction ID: 707762f1bc06eebb59e9357f9c77b20c0e090dcf7cedc03b298b4f863176c0ea
                                                          • Opcode Fuzzy Hash: 265964968b448329a9940c71d90cafee1d95b27ec759889be900fe0a368f8aeb
                                                          • Instruction Fuzzy Hash: 77113AB6204305AFD210EF58DC84F6BF7E8EBE8750F20491EF580D7290D6B1A8468BA1
                                                          APIs
                                                          • CreateWindowExW.USER32(?,?,?,FFFFFFFF,?,?,?,?,?,?,00400000,00000000), ref: 0043367E
                                                          • GetStockObject.GDI32(00000011), ref: 00433695
                                                          • SendMessageW.USER32(00000000,00000030,00000000), ref: 0043369F
                                                          • ShowWindow.USER32(00000000,00000000), ref: 004336BA
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: Window$CreateMessageObjectSendShowStock
                                                          • String ID:
                                                          • API String ID: 1358664141-0
                                                          • Opcode ID: a78582cd8c915fd270119012ff4eddf0033f410814d91724adacf9cac7d73a6b
                                                          • Instruction ID: 5bb77caae3378c1c36de35f78993aeb7f53e4fc0e9047450929301c31466c70f
                                                          • Opcode Fuzzy Hash: a78582cd8c915fd270119012ff4eddf0033f410814d91724adacf9cac7d73a6b
                                                          • Instruction Fuzzy Hash: 60114F72204A00BFD254DF55CC49F5BB3F9AFCCB01F20950DB254922A0D7B4E9418BA9
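The three entries above that matter most to an analyst are the CreateWindowExW sequence ending in ShowWindow with nCmdShow 0, the GetWindowLongW/SetWindowLongW/SetLayeredWindowAttributes sequence, and the select/accept loop on WSOCK32. Pulling such patterns out of hundreds of "APIs" entries by hand is tedious, so here is an added example, written for this page and not part of the Joe Sandbox report or of the analysed sample: a small Python parser for the report's API lines that decodes the hex literals and tags each function with a behaviour. The sample text is constructed from entries on this page. The constant interpretations are this example's assumptions, not annotations from the report: 0 as SW_HIDE, 2 as LWA_ALPHA, and 000000EC as the way the report renders the -20 (GWL_EXSTYLE) immediate.

```python
"""Tag Joe Sandbox 'APIs' entries with behaviours (added example, not report code)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the shape the report prints its entries; each block
# starts with an "APIs" header and ends at the "Memory Dump Source" header.
SAMPLE_REPORT = """\
APIs
• CreateWindowExW.USER32(?,?,?,FFFFFFFF,?,?,?,?,?,?,00400000,00000000), ref: 0043367E
• GetStockObject.GDI32(00000011), ref: 00433695
• SendMessageW.USER32(00000000,00000030,00000000), ref: 0043369F
• ShowWindow.USER32(00000000,00000000), ref: 004336BA
Memory Dump Source
APIs
  • Part of subcall function 0046DD22: IsWindow.USER32(00000000), ref: 0046DD51
• GetWindowLongW.USER32(?,000000EC), ref: 0047728E
• SetWindowLongW.USER32(?,000000EC,00000000), ref: 004772A9
• SetLayeredWindowAttributes.USER32(?,00000000,?,00000002,?,000000EC), ref: 004772D0
Memory Dump Source
APIs
• select.WSOCK32 ref: 0045890A
• __WSAFDIsSet.WSOCK32(00000000,00000000), ref: 00458919
• accept.WSOCK32(00000000,00000000,00000000,00000000,00000000), ref: 00458927
• WSAGetLastError.WSOCK32(00000000), ref: 00458952
Memory Dump Source
"""

# One API line: optional "Part of subcall function XXXXXXXX:" prefix, then
# Name.MODULE, optional "(args)", optional comma, then "ref: XXXXXXXX".
ENTRY_RE = re.compile(
    r"^\s*•\s+(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s+)?"
    r"(?P<name>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s+ref:\s+(?P<ref>[0-9A-F]{8})"
)

# Assumed constant meanings (Win32 values, not report annotations).
SW_HIDE = 0x0
LWA_ALPHA = 0x2
GWL_EXSTYLE_AS_PRINTED = 0xEC  # -20 rendered as its low byte in the report


@dataclass
class Call:
    name: str
    module: str
    args: Tuple[Optional[int], ...]  # int for hex literals, None for '?'
    ref: int
    subcall: Optional[int]


def parse_args(text: Optional[str]) -> Tuple[Optional[int], ...]:
    """'?' becomes None; hex literals become ints; no parentheses means no args."""
    if not text:
        return ()
    return tuple(None if t.strip() == "?" else int(t, 16) for t in text.split(","))


def parse_blocks(report: str) -> List[List[Call]]:
    """Split the report text into per-function lists of calls."""
    blocks: List[List[Call]] = []
    current: Optional[List[Call]] = None
    for line in report.splitlines():
        if line.strip() == "APIs":
            current = []
            blocks.append(current)
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            current.append(Call(
                name=m["name"], module=m["mod"], args=parse_args(m["args"]),
                ref=int(m["ref"], 16),
                subcall=int(m["sub"], 16) if m["sub"] else None,
            ))
    return blocks


def arg(call: Call, index: int) -> Optional[int]:
    return call.args[index] if index < len(call.args) else None


def tag_block(calls: List[Call]) -> List[str]:
    """Map decoded call sequences to behaviour tags."""
    names = {c.name for c in calls}
    tags = set()
    for c in calls:
        if c.name == "ShowWindow" and arg(c, 1) == SW_HIDE:
            tags.add("hides_window:SW_HIDE")
        if c.name == "SetLayeredWindowAttributes" and (arg(c, 3) or 0) & LWA_ALPHA:
            tags.add("sets_window_alpha:LWA_ALPHA")
        if c.name in ("GetWindowLongW", "SetWindowLongW") and arg(c, 1) == GWL_EXSTYLE_AS_PRINTED:
            tags.add("touches_GWL_EXSTYLE")
    if {"select", "accept"} <= names:
        tags.add("tcp_accept_loop")
    return sorted(tags)


def tag_report(report: str) -> List[List[str]]:
    return [tag_block(b) for b in parse_blocks(report)]


if __name__ == "__main__":
    for i, tags in enumerate(tag_report(SAMPLE_REPORT)):
        print(f"block {i}: {tags}")
```

The parser keys on the report's own structure (an "APIs" header per function, "?" for arguments Joe Sandbox could not resolve), so it can be fed the full execution-graph text of a report; the tag rules are the part to extend with whatever API sequences your triage cares about.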
                                                          APIs
                                                          • GetCurrentThreadId.KERNEL32 ref: 004441B8
                                                          • MessageBoxW.USER32(?,?,?,?), ref: 004441F6
                                                          • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0044420C
                                                          • CloseHandle.KERNEL32(00000000), ref: 00444213
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                                                          • String ID:
                                                          • API String ID: 2880819207-0
                                                          • Opcode ID: 146d2f4ba151d14deb3aa3acfdd6de045567f86e28c98b22242e1e1489ea4094
                                                          • Instruction ID: a177bb78e812b0c83f085b16f259857c8a511f23e32e5024349264f8b0df3d09
                                                          • Opcode Fuzzy Hash: 146d2f4ba151d14deb3aa3acfdd6de045567f86e28c98b22242e1e1489ea4094
                                                          • Instruction Fuzzy Hash: C401E5364183105BD300DB28ED08A9BBBD8BFD9721F18067EF89893351E6B48948C7B6
                                                          APIs
                                                          • GetWindowRect.USER32(?,?), ref: 00434037
                                                          • ScreenToClient.USER32(?,?), ref: 0043405B
                                                          • ScreenToClient.USER32(?,?), ref: 00434085
                                                          • InvalidateRect.USER32(?,?,?), ref: 004340A4
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: ClientRectScreen$InvalidateWindow
                                                          • String ID:
                                                          • API String ID: 357397906-0
                                                          • Opcode ID: 751e48bbdad3fa965b56aea51b9fa4e55de6b4169d4940aca7a3583b508516de
                                                          • Instruction ID: 02545dd0d615a745195cb6f618e51c1f9c2552a202a2369b8695847d2ce6fb2f
                                                          • Opcode Fuzzy Hash: 751e48bbdad3fa965b56aea51b9fa4e55de6b4169d4940aca7a3583b508516de
                                                          • Instruction Fuzzy Hash: 24117EB9608302AFC304DF18D98095BBBE9FFD8650F10891EF88993350D770E9498BA2
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                          • String ID:
                                                          • API String ID: 3016257755-0
                                                          • Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
                                                          • Instruction ID: 11ead64bc5c18606fe5fffcedc2bbdf89ccfa4faa7bd693ca83be0ddd2add3a5
                                                          • Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
                                                          • Instruction Fuzzy Hash: AA11A272500059BBCF225E85EC018EE3F66FB88354B898416FE2858131C73AC9B1AB85
                                                          APIs
                                                          • __wsplitpath.LIBCMT ref: 00436A45
                                                            • Part of subcall function 00413DB0: __wsplitpath_helper.LIBCMT ref: 00413DF2
                                                          • __wsplitpath.LIBCMT ref: 00436A6C
                                                          • __wcsicoll.LIBCMT ref: 00436A93
                                                          • __wcsicoll.LIBCMT ref: 00436AB0
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: __wcsicoll__wsplitpath$__wsplitpath_helper
                                                          • String ID:
                                                          • API String ID: 1187119602-0
                                                          • Opcode ID: 5b78189461bd351535feab14c2aa3b28919a840a222a6c91b90152b853837e7b
                                                          • Instruction ID: cc447ddabc085245cf6c6bda96777749177fc915bba42f20b5b260b799017f3a
                                                          • Opcode Fuzzy Hash: 5b78189461bd351535feab14c2aa3b28919a840a222a6c91b90152b853837e7b
                                                          • Instruction Fuzzy Hash: 690165B64043416BD724EB50D881EEBB3ED7BD8304F04C91EB5C982041FB38D24C87A6
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: _wcslen$_malloc_wcscat_wcscpy
                                                          • String ID:
                                                          • API String ID: 1597257046-0
                                                          • Opcode ID: 6b0dcf7875e5cc8b2f124becf3425b1e3567ced601fe1f13ac9ef2b9b8e14b5c
                                                          • Instruction ID: 9df5ee2dcc5f1a759a9cde70f7b42babd8a8bdcc369222b22224423102f690bd
                                                          • Opcode Fuzzy Hash: 6b0dcf7875e5cc8b2f124becf3425b1e3567ced601fe1f13ac9ef2b9b8e14b5c
                                                          • Instruction Fuzzy Hash: BFF06D32200200AFC314EB66C885E6BB3EAEBC5324F04852EF556C7791DB39F841C764
                                                          APIs
                                                          • DeleteObject.GDI32(?), ref: 0045564E
                                                          • DeleteObject.GDI32(?), ref: 0045565C
                                                          • DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
                                                          • DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: DeleteDestroyObject$IconWindow
                                                          • String ID:
                                                          • API String ID: 3349847261-0
                                                          • Opcode ID: 3ca9d014447a04aedc0dfd8276f5a6e9fbff97cfd7386ed498fa31ba53dce0fe
                                                          • Instruction ID: 3a9029eb8e47786e7dec82746d504bb216afab776d143f23dce7b1a7602128e4
                                                          • Opcode Fuzzy Hash: 3ca9d014447a04aedc0dfd8276f5a6e9fbff97cfd7386ed498fa31ba53dce0fe
                                                          • Instruction Fuzzy Hash: 06F03C702006419BDB20AF65DDD8A2B77ACEF45322740456AFD04D7242DB28DC498B7D
                                                          APIs
                                                          • EnterCriticalSection.KERNEL32(?), ref: 0044B60B
                                                          • InterlockedExchange.KERNEL32(?,?), ref: 0044B619
                                                          • LeaveCriticalSection.KERNEL32(?), ref: 0044B630
                                                          • LeaveCriticalSection.KERNEL32(?), ref: 0044B641
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: CriticalSection$Leave$EnterExchangeInterlocked
                                                          • String ID:
                                                          • API String ID: 2223660684-0
                                                          • Opcode ID: ff66e887f7cbb15f4500d5b6eb7e85b0bae77af45fe5867796c74117f3ed7197
                                                          • Instruction ID: 8f2921e390180aa9c6083979f061463a0462abb68b72a76a452ff5fd2bc04521
                                                          • Opcode Fuzzy Hash: ff66e887f7cbb15f4500d5b6eb7e85b0bae77af45fe5867796c74117f3ed7197
                                                          • Instruction Fuzzy Hash: 35F08C362422019F82249B59EA488DBB3FDEBE97213009C2FE142C32108BB5F806CB75
                                                          APIs
                                                            • Part of subcall function 0044710F: DeleteObject.GDI32(00000000), ref: 00447151
                                                            • Part of subcall function 0044710F: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,00000000,?,?,?), ref: 00447195
                                                            • Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471A2
                                                            • Part of subcall function 0044710F: BeginPath.GDI32(?), ref: 004471B7
                                                            • Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471DC
                                                          • MoveToEx.GDI32(?,?,00000000,00000000), ref: 0044728F
                                                          • LineTo.GDI32(?,00000000,00000002), ref: 004472A0
                                                          • EndPath.GDI32(?), ref: 004472B0
                                                          • StrokePath.GDI32(?), ref: 004472BE
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: ObjectPath$Select$BeginCreateDeleteLineMoveStroke
                                                          • String ID:
                                                          • API String ID: 2783949968-0
                                                          • Opcode ID: 09270453bc364e96d12f6c3f9be453f1264e71f62e0889bc66601f12e66ee767
                                                          • Instruction ID: 15f667079dd022c0076d5117e5ffb33549464faf874781034dcdd6a9c0a79bb3
                                                          • Opcode Fuzzy Hash: 09270453bc364e96d12f6c3f9be453f1264e71f62e0889bc66601f12e66ee767
                                                          • Instruction Fuzzy Hash: 46F09030109361BFE211DB10DC0AF9F3B98AB46310F10490CF641622D2C7B46845C7BA
                                                          APIs
                                                          • __getptd.LIBCMT ref: 00417D1A
                                                            • Part of subcall function 00416C72: __getptd_noexit.LIBCMT ref: 00416C75
                                                            • Part of subcall function 00416C72: __amsg_exit.LIBCMT ref: 00416C82
                                                          • __getptd.LIBCMT ref: 00417D31
                                                          • __amsg_exit.LIBCMT ref: 00417D3F
                                                          • __lock.LIBCMT ref: 00417D4F
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: __amsg_exit__getptd$__getptd_noexit__lock
                                                          • String ID:
                                                          • API String ID: 3521780317-0
                                                          • Opcode ID: 6e88b35b2b81098ca19d257f076875e832caf49443e3c23eeee739354b537ff9
                                                          • Instruction ID: 784cd6646040312d8c3929352b57c791f513dbd9ce30c249d09a92555f0e5bc7
                                                          • Opcode Fuzzy Hash: 6e88b35b2b81098ca19d257f076875e832caf49443e3c23eeee739354b537ff9
                                                          • Instruction Fuzzy Hash: D4F06D319447089AD720FB66E4067EA32B0AF01728F11856FA4415B7D2DB3C99C08B9E
                                                          APIs
                                                          • GetDesktopWindow.USER32 ref: 00471144
                                                          • GetDC.USER32(00000000), ref: 0047114D
                                                          • GetDeviceCaps.GDI32(00000000,00000074), ref: 0047115A
                                                          • ReleaseDC.USER32(00000000,?), ref: 0047117B
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: CapsDesktopDeviceReleaseWindow
                                                          • String ID:
                                                          • API String ID: 2889604237-0
                                                          • Opcode ID: 949280357db84fa49407f8095e759b2e277f1c53a9819964645a6bf04a6d26c7
                                                          • Instruction ID: a1da8b046b56c0024f4e51319ca7c868ce9b42ab557c4db2e47d6af70bf9fcef
                                                          • Opcode Fuzzy Hash: 949280357db84fa49407f8095e759b2e277f1c53a9819964645a6bf04a6d26c7
                                                          • Instruction Fuzzy Hash: 75F05E759042009FC310DF65DC4856EBBA4FB94351F108C3EFD05D2251DB7889059B99
                                                          APIs
                                                          • GetDesktopWindow.USER32 ref: 00471102
                                                          • GetDC.USER32(00000000), ref: 0047110B
                                                          • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00471118
                                                          • ReleaseDC.USER32(00000000,?), ref: 00471139
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: CapsDesktopDeviceReleaseWindow
                                                          • String ID:
                                                          • API String ID: 2889604237-0
                                                          • Opcode ID: 179ddf2500a9669b2282ba4880ad99879b6dd87bde84ab61e923a9eee80713d7
                                                          • Instruction ID: 5204c471e266b2ed5cdb435334cd6f206910ee07043e0bb223494c3f632f6575
                                                          • Opcode Fuzzy Hash: 179ddf2500a9669b2282ba4880ad99879b6dd87bde84ab61e923a9eee80713d7
                                                          • Instruction Fuzzy Hash: 78F05E759042009FD310EF65DC5896EBBA4FB94351F104C3EFC05D2251DB7489059B99
                                                          APIs
                                                          • SendMessageTimeoutW.USER32(00000001,00000000,00000000,00000000,00000002,00001388,004848E8), ref: 004389C0
                                                          • GetWindowThreadProcessId.USER32(00000001,00000000), ref: 004389D3
                                                          • GetCurrentThreadId.KERNEL32 ref: 004389DA
                                                          • AttachThreadInput.USER32(00000000), ref: 004389E1
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                                          • String ID:
                                                          • API String ID: 2710830443-0
                                                          • Opcode ID: fc668e8f88677791c9032932ff1b39d21009c78d2dca35edbf1b20bb29ea35ff
                                                          • Instruction ID: 438da6915ae72ab6a15f098678a9856147cbf2dc0a85cf0a700465948addd5b0
                                                          • Opcode Fuzzy Hash: fc668e8f88677791c9032932ff1b39d21009c78d2dca35edbf1b20bb29ea35ff
                                                          • Instruction Fuzzy Hash: 14E012712853107BE72157509D0EFAF7B98AF18B11F14481EB241B50D0DAF8A941876E
                                                          APIs
                                                          • WaitForSingleObject.KERNEL32(?,000000FF), ref: 004390CD
                                                          • UnloadUserProfile.USERENV(?,?,?,000000FF), ref: 004390DB
                                                          • CloseHandle.KERNEL32(?,?,000000FF), ref: 004390EB
                                                          • CloseHandle.KERNEL32(?,?,000000FF), ref: 004390F0
                                                            • Part of subcall function 00438FB6: GetProcessHeap.KERNEL32(00000000,?,00439504,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00438FC1
                                                            • Part of subcall function 00438FB6: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00438FC8
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                          • String ID:
                                                          • API String ID: 146765662-0
                                                          • Opcode ID: 7cdfdd2e005e28f5438e9d3b399fcd684928161159dd652c77b09849c549b5d2
                                                          • Instruction ID: e19b07cb6d87eea3d85dfea562759309df1919ba68b29a0146d7a5ec0ea3c710
                                                          • Opcode Fuzzy Hash: 7cdfdd2e005e28f5438e9d3b399fcd684928161159dd652c77b09849c549b5d2
                                                          • Instruction Fuzzy Hash: 5DE0C976504311ABC620EB65DC48C4BB7E9EF883303114E1DF89693260CA74E881CB65
                                                          APIs
                                                          • __IsNonwritableInCurrentImage.LIBCMT ref: 00414070
                                                            • Part of subcall function 00418540: __FindPESection.LIBCMT ref: 0041859B
                                                          • __getptd_noexit.LIBCMT ref: 00414080
                                                          • __freeptd.LIBCMT ref: 0041408A
                                                          • ExitThread.KERNEL32 ref: 00414093
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: CurrentExitFindImageNonwritableSectionThread__freeptd__getptd_noexit
                                                          • String ID:
                                                          • API String ID: 3182216644-0
                                                          • Opcode ID: 18f79961a183a005566c851b5a75566c8a37b9a59448809cc1b4ea10e33ea091
                                                          • Instruction ID: 8c1b811a677bc0208766d104aadce1409d27245c16b3af4a320e27a455eae914
                                                          • Opcode Fuzzy Hash: 18f79961a183a005566c851b5a75566c8a37b9a59448809cc1b4ea10e33ea091
                                                          • Instruction Fuzzy Hash: F8D0EC7051024256D6207BA7ED097AA3A589B44B26B15446EA905801B1DF68D9C1862D
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: BuffCharLower
                                                          • String ID: $8'I
                                                          • API String ID: 2358735015-3608026889
                                                          • Opcode ID: e3039598ad07eb1683e22d1e13845cc1c6bfaba1fe80df618d976ecbdfba683b
                                                          • Instruction ID: 1bf34105e022c250dd7240f1ea7ec4803edb57b208c13e69c3fb06210d7c4844
                                                          • Opcode Fuzzy Hash: e3039598ad07eb1683e22d1e13845cc1c6bfaba1fe80df618d976ecbdfba683b
                                                          • Instruction Fuzzy Hash: 9FE1AE745043018BCB24EF16D88166BB7E4BF94348F40482FF88597292EB79DD89CB9B
                                                          APIs
                                                          • OleSetContainedObject.OLE32(00000000,00000001), ref: 0047857A
                                                            • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                                                            • Part of subcall function 00445513: OleSetContainedObject.OLE32(?,00000000), ref: 00445593
                                                            • Part of subcall function 004781AE: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000001,00000000,NULL Pointer assignment,00000001), ref: 00478201
                                                            • Part of subcall function 004781AE: VariantCopy.OLEAUT32(?,?), ref: 00478259
                                                            • Part of subcall function 004781AE: VariantCopy.OLEAUT32(-00000058,?), ref: 00478270
                                                            • Part of subcall function 004781AE: VariantCopy.OLEAUT32(-00000078,?), ref: 00478287
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: CopyVariant$ContainedObject$ErrorLast_malloc
                                                          • String ID: AutoIt3GUI$Container
                                                          • API String ID: 3380330463-3941886329
                                                          • Opcode ID: a9ff7069b9b8d6ccd49eba872ad7efd2467de888f1098c4430e935d21ee713db
                                                          • Instruction ID: 8a51a4197b359b89da059ec4b883cd23719ad159cb4f439b8c2c8f5fea4c1b32
                                                          • Opcode Fuzzy Hash: a9ff7069b9b8d6ccd49eba872ad7efd2467de888f1098c4430e935d21ee713db
                                                          • Instruction Fuzzy Hash: FEA16A71240601AFC760EF69C880A6BB7E9FB88304F10892EF649CB361EB75E945CB55
                                                          APIs
                                                          • _wcslen.LIBCMT ref: 00409A61
                                                            • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                                                            • Part of subcall function 0041171A: std::bad_alloc::bad_alloc.LIBCMT ref: 00411757
                                                            • Part of subcall function 0041171A: std::bad_exception::bad_exception.LIBCMT ref: 0041176B
                                                            • Part of subcall function 0041171A: __CxxThrowException@8.LIBCMT ref: 00411779
                                                          • CharUpperBuffW.USER32(?,?), ref: 00409AF5
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Similarity
                                                          • API ID: BuffCharException@8ThrowUpper_malloc_wcslenstd::bad_alloc::bad_allocstd::bad_exception::bad_exception
                                                          • String ID: 0vH
                                                          Similarity
                                                          • String ID: HH$HH
                                                          Similarity
                                                          • API ID: InfoItemMenu_memset
                                                          • String ID: 0
                                                          APIs
                                                          • SendMessageW.USER32(?,00001132,00000000,?), ref: 0044846C
                                                          • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0044847E
                                                          Similarity
                                                          • API ID: MessageSend
                                                          • String ID: '
                                                          Similarity
                                                          • String ID: 0
                                                          APIs
                                                          • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00451305
                                                          • SendMessageW.USER32(00000000,0000014E,00000000,00000000), ref: 00451313
                                                          Similarity
                                                          • API ID: MessageSend
                                                          • String ID: Combobox
                                                          APIs
                                                          • GetWindowTextLengthW.USER32(00000000), ref: 004515DA
                                                          • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 004515EA
                                                          Similarity
                                                          • API ID: LengthMessageSendTextWindow
                                                          • String ID: edit
                                                          APIs
                                                          • Sleep.KERNEL32(00000000), ref: 00474833
                                                          • GlobalMemoryStatusEx.KERNEL32 ref: 00474846
                                                          Similarity
                                                          • API ID: GlobalMemorySleepStatus
                                                          • String ID: @
                                                          Similarity
                                                          • API ID: htonsinet_addr
                                                          • String ID: 255.255.255.255
                                                          APIs
                                                            • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                                                          • SendMessageW.USER32(00000000,000001A2,000000FF,00000000), ref: 00469547
                                                          Similarity
                                                          • API ID: MessageSend_wcslen
                                                          • String ID: ComboBox$ListBox
                                                          APIs
                                                          • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00442B8C
                                                          Similarity
                                                          • API ID: InternetOpen
                                                          • String ID: <local>
                                                          APIs
                                                            • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                                                          • SendMessageW.USER32(00000000,00000180,00000000,00000000), ref: 00469660
                                                          Similarity
                                                          • API ID: MessageSend_wcslen
                                                          • String ID: ComboBox$ListBox
                                                          APIs
                                                            • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                                                          • SendMessageW.USER32(00000182,00000182,?,00000000), ref: 004695D6
                                                          Similarity
                                                          • API ID: MessageSend_wcslen
                                                          • String ID: ComboBox$ListBox
                                                          APIs
                                                          • SendMessageW.USER32(?,00001001,00000000,?), ref: 004560BA
                                                            • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                                                          • wsprintfW.USER32 ref: 004560E9
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: MessageSend_mallocwsprintf
                                                          • String ID: %d/%02d/%02d
                                                          • API String ID: 1262938277-328681919
                                                          • Opcode ID: dc5fd9a877cd0fc352ed6de9b5f97ee6fb2dcbb154e3a48ad4a1e49fbb654ae8
                                                          • Instruction ID: 2a73c44ac592e0fe880a68d863bd42ca8887a008949f121bccc13d44bcf2ebb3
                                                          • Opcode Fuzzy Hash: dc5fd9a877cd0fc352ed6de9b5f97ee6fb2dcbb154e3a48ad4a1e49fbb654ae8
                                                          • Instruction Fuzzy Hash: 13F08272744220A7E2105BA5AC01BBFB3D4EB84762F10443BFE44D12C0E66E8455D7BA
                                                          APIs
                                                          • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0044226C
                                                          • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0044227F
                                                            • Part of subcall function 00436272: Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 00436287
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: FindMessagePostSleepWindow
                                                          • String ID: Shell_TrayWnd
                                                          • API String ID: 529655941-2988720461
                                                          • Opcode ID: 62d1e1a02585172d548c808ed695c1d9d3028cc69dace886715b1b3d1423c17e
                                                          • Instruction ID: f0ed9326d30a696a9ade51716a531e8bd1705000bbe21894ac7a57cb5589152b
                                                          • Opcode Fuzzy Hash: 62d1e1a02585172d548c808ed695c1d9d3028cc69dace886715b1b3d1423c17e
                                                          • Instruction Fuzzy Hash: 71D0A772F8130177E92077706D0FFCB26246F14710F010C3AB305AA1C0D4E8D440C358
                                                          APIs
                                                          • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00442240
                                                          • PostMessageW.USER32(00000000), ref: 00442247
                                                            • Part of subcall function 00436272: Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 00436287
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: FindMessagePostSleepWindow
                                                          • String ID: Shell_TrayWnd
                                                          • API String ID: 529655941-2988720461
                                                          • Opcode ID: d3682f88803cb2a3efb7847c83fab5a73234bf1983908037f6894d5424c159e3
                                                          • Instruction ID: d1e5b9be119239975405e397b0c0efdc35250005003305bf123d4268f2ecb06f
                                                          • Opcode Fuzzy Hash: d3682f88803cb2a3efb7847c83fab5a73234bf1983908037f6894d5424c159e3
                                                          • Instruction Fuzzy Hash: 4DD05E72B813013BE92076706D0FF8B26246B14710F010C2AB205AA1C0D4E8A4408358
                                                          APIs
                                                          • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00439522
                                                            • Part of subcall function 00411A1F: _doexit.LIBCMT ref: 00411A2B
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1727653562.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1727716710.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1727751262.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1727751262.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1727791269.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_CdbVaYf8jC.jbxd
                                                          Similarity
                                                          • API ID: Message_doexit
                                                          • String ID: AutoIt$Error allocating memory.
                                                          • API String ID: 1993061046-4017498283
                                                          • Opcode ID: 98c4a6cf209f69c689245cd57ea7e643062e7ce984d6ae84015e6f4dd77dfbd0
                                                          • Instruction ID: 5d68346425d2699d55792fe39b85c2381918ba1f955abba655776c5540820644
                                                          • Opcode Fuzzy Hash: 98c4a6cf209f69c689245cd57ea7e643062e7ce984d6ae84015e6f4dd77dfbd0
                                                          • Instruction Fuzzy Hash: 82B092343C038627E20437A01C0BF8C28049B64F42F220C2AB308384D259D90080231E
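The function entries above all follow the same layout (an "APIs" list with nested "Part of subcall function" lines, then "Memory Dump Source" and "Similarity" key/value items). When triaging a long report it is easier to load them into records and group them, for example to see that the two Shell_TrayWnd functions at 0044226C and 00442240 share the same API ID and API String ID and differ only in their Opcode and Instruction hashes. The parser below is an added example written for this page, not code from Joe Sandbox or its IDA plugin; the record layout (`ApiCall`, `FunctionEntry`) and the helper names are this example's own choices, and the embedded sample is a constructed, shortened copy of three entries from this report.

```python
"""Parse Joe Sandbox 'IDA Plugin' function entries into records and group
them by API signature.  Added example; not Joe Sandbox code."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

# Constructed input: three entries copied from this report, with the
# "Associated" / "Snapshot File" lines dropped for brevity.
SAMPLE = """\
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0044226C
• PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0044227F
  • Part of subcall function 00436272: Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 00436287
Strings
Memory Dump Source
• Source File: 00000000.00000002.1727670449.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
• API String ID: 529655941-2988720461
• Opcode ID: 62d1e1a02585172d548c808ed695c1d9d3028cc69dace886715b1b3d1423c17e
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00442240
• PostMessageW.USER32(00000000), ref: 00442247
Similarity
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
• API String ID: 529655941-2988720461
• Opcode ID: d3682f88803cb2a3efb7847c83fab5a73234bf1983908037f6894d5424c159e3
APIs
• MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00439522
  • Part of subcall function 00411A1F: _doexit.LIBCMT ref: 00411A2B
Similarity
• API ID: Message_doexit
• String ID: AutoIt$Error allocating memory.
• API String ID: 1993061046-4017498283
• Opcode ID: 98c4a6cf209f69c689245cd57ea7e643062e7ce984d6ae84015e6f4dd77dfbd0
"""

# "Name.MODULE(args), ref: ADDR" or "Name.MODULE ref: ADDR" (no argument list).
API_RE = re.compile(
    r"^(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$"
)
# Nested line: the call is made from a callee of this function, not directly.
SUBCALL_RE = re.compile(r"^Part of subcall function (?P<fn>[0-9A-Fa-f]+): (?P<rest>.+)$")
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}


@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]
    ref: str                            # address of the call site
    subcall_of: Optional[str] = None    # callee address when the call is indirect


@dataclass
class FunctionEntry:
    apis: list[ApiCall] = field(default_factory=list)
    meta: dict[str, str] = field(default_factory=dict)  # Similarity / dump-source items


def parse_entries(text: str) -> list[FunctionEntry]:
    """Split the report text at each 'APIs' header and parse the bullet items."""
    entries: list[FunctionEntry] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            if line == "APIs":          # every function entry starts with its API list
                entries.append(FunctionEntry())
            section = line
            continue
        if not line.startswith("•") or not entries:
            continue
        item = line.lstrip("•").strip()
        cur = entries[-1]
        if section == "APIs":
            subcall = None
            m = SUBCALL_RE.match(item)
            if m:
                subcall, item = m.group("fn"), m.group("rest")
            m = API_RE.match(item)
            if not m:
                raise ValueError(f"unrecognised API line: {item!r}")
            args = [a for a in (m.group("args") or "").split(",") if a]
            cur.apis.append(ApiCall(m.group("name"), m.group("module"), args, m.group("ref"), subcall))
        else:
            # Key/value items; repeated keys (e.g. several "Associated" dumps) keep the first value.
            key, _, value = item.partition(": ")
            cur.meta.setdefault(key, value)
    return entries


def strings_of(entry: FunctionEntry) -> list[str]:
    """The report joins a function's referenced strings with '$' in 'String ID'."""
    sid = entry.meta.get("String ID", "")
    return sid.split("$") if sid else []


def direct_calls(entry: FunctionEntry) -> list[str]:
    """API names the function calls itself, excluding those reached via subcalls."""
    return [a.name for a in entry.apis if a.subcall_of is None]


def group_by_api_id(entries: list[FunctionEntry]) -> dict[str, list[str]]:
    """Map each 'API ID' to the Opcode IDs of the functions that share it."""
    groups: dict[str, list[str]] = defaultdict(list)
    for e in entries:
        groups[e.meta.get("API ID", "")].append(e.meta.get("Opcode ID", ""))
    return dict(groups)


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE)
    for api_id, opcode_ids in group_by_api_id(parsed).items():
        print(f"{api_id}: {len(opcode_ids)} function(s)")
```

Run as a script it lists each API ID with the number of functions sharing it; pointing `parse_entries` at the full exported report text instead of `SAMPLE` gives the same grouping for every entry. Identical API ID plus API String ID with differing Opcode IDs is the pattern to look for when deciding which near-duplicate functions are worth opening in the disassembler.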